We didn't use to support executing arbitrary JavaScript code during plug-in destruction in the out-of-process case. This got accidentally enabled in r49411. Long term, we should do the same thing in the in-process and out-of-process cases, and the same as other browsers, which likely means allowing JS execution from NPP_Destroy (although there are lots of bugs and limitations there).

But there is an unfortunate twist for out-of-process plug-ins, which makes WebKit take this code path even if the plug-in didn't intend that:

1) The plug-in executes NPN_Evaluate; a sync message is sent to the browser.
2) At the same time, the browser stops the plug-in and sends a synchronous NPP_Destroy to the plug-in.
3) The browser enters a loop, handling messages that come from the plug-in and waiting for a response to NPP_Destroy.
4) So it executes the script from step 1, which could have been dropped.
<rdar://problem/8148656>
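A constructed model of the race in steps 1-4 above (added here; not WebKit's code), assuming a simplified browser-side proxy with one inbox of messages the plug-in has already sent: a waitForReply that dispatches every queued message while waiting runs the pending NPN_Evaluate script during NPP_Destroy, whereas a waitForReplyDroppingOtherMessages variant, as named in the patch, only acts on the matching reply.

```cpp
#include <deque>
#include <string>
#include <vector>

// Constructed model (not WebKit code) of the browser-side proxy for an
// out-of-process plug-in: a single inbox of messages already sent by the plug-in.
enum class Kind { Evaluate, DestroyReply };
struct Message { Kind kind; unsigned requestID; std::string script; };
struct Outcome { bool destroyed; std::vector<std::string> executed; };

struct ProxyModel {
    std::deque<Message> inbox;
    std::vector<std::string> executed;  // scripts the browser actually ran

    // Like waitForReply: dispatch every incoming message until the reply arrives.
    // An Evaluate handled here reenters JavaScript while NPP_Destroy is in flight.
    bool waitForReply(unsigned requestID) {
        while (!inbox.empty()) {
            Message m = inbox.front(); inbox.pop_front();
            if (m.kind == Kind::DestroyReply && m.requestID == requestID) return true;
            if (m.kind == Kind::Evaluate) executed.push_back(m.script);
        }
        return false;  // plug-in never answered (process gone)
    }

    // Like waitForReplyDroppingOtherMessages: only the matching reply is acted on;
    // anything else queued (e.g. the pending NPN_Evaluate) is discarded unexecuted.
    bool waitForReplyDroppingOtherMessages(unsigned requestID) {
        while (!inbox.empty()) {
            Message m = inbox.front(); inbox.pop_front();
            if (m.kind == Kind::DestroyReply && m.requestID == requestID) return true;
        }
        return false;
    }
};

// Steps 1-4 of the report: the Evaluate is already queued when the browser sends NPP_Destroy.
Outcome simulateDestroy(bool dropOtherMessages) {
    ProxyModel proxy;
    proxy.inbox.push_back({Kind::Evaluate, 7, "document.title = 'from NPN_Evaluate'"});  // step 1
    const unsigned destroyRequestID = 8;                                                 // step 2
    proxy.inbox.push_back({Kind::DestroyReply, destroyRequestID, ""});                   // plug-in answers
    bool destroyed = dropOtherMessages ? proxy.waitForReplyDroppingOtherMessages(destroyRequestID)
                                       : proxy.waitForReply(destroyRequestID);           // step 3
    return {destroyed, proxy.executed};                                                  // step 4
}
```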
Created attachment 60164: proposed fix
- waitForReply<NetscapePluginInstanceProxy::BooleanReply>(requestID); + waitForReplyDroppingOtherMessages<NetscapePluginInstanceProxy::BooleanReply>(requestID); Oops, this doesn't belong here.
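Review bot: the swap of waitForReply for waitForReplyDroppingOtherMessages on this requestID is flagged in the comment as not belonging here; make sure it is removed before the patch lands, since on a wait that is meant to keep handling plug-in messages the dropping variant would silently discard them.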
Created attachment 60261: an alternative WebKit part of the fix
WebCore and LayoutTests parts are unchanged, not putting them up for review again.
Comment on attachment 60261: an alternative WebKit part of the fix
r=me
Committed with alternative WebKit fix in <http://trac.webkit.org/changeset/62279>.