Bug 31084 - Crash when a plugin removes itself from the DOM during paint
Summary: Crash when a plugin removes itself from the DOM during paint
Status: RESOLVED WONTFIX
Alias: None
Product: WebKit
Classification: Unclassified
Component: Plug-ins
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2009-11-03 14:02 PST by James Robinson
Modified: 2022-07-01 11:36 PDT

See Also:


Attachments
LayoutTest that exhibits the behavior (9.10 KB, patch)
2009-11-03 14:04 PST, James Robinson

Description James Robinson 2009-11-03 14:02:11 PST
If a plugin removes itself from the DOM during the paint (via, say, an NPN_Evaluate()), the rendering code dereferences a NULL pointer and crashes.  We're seeing this in the wild in the Chromium port surprisingly often.
Comment 1 James Robinson 2009-11-03 14:04:40 PST
Created attachment 42416
LayoutTest that exhibits the behavior

Attached is a layout test (and modifications to the TestNetscapePlugin) with a plugin that removes itself (by calling NPN_Evaluate() on a script that sets the plugin's parent's innerHTML to '') during paint.  This causes a crash in RenderWidget.cpp.  The problem is that setting innerHTML causes the previous child Node objects to be destroyed, which causes the associated renderers to be destroyed.  The rendering code does not check for this case and dies.
Comment 2 Alexey Proskuryakov 2022-07-01 11:36:16 PDT
Mass closing plug-in bugs, as plug-in support has been removed from WebKit.

Please comment and/or reopen if this still affects WebKit in some way.