Created attachment 70550 [details] test case (change MIME type to a plug-in you have installed) This happens with AdBlock extension and any WebKit-style plug-in: 1. Add a plug-in element to a document. 2. Access any property, e.g. myPlugin.myProperty. This makes the plug-in load, since myProperty can be defined in the plug-in. As the plug-in is loaded, a beforeload event is dispatched. 3. In beforeload handler, access e.g. myPlugin.nodeName. Since the plug-in hasn't loaded yet, we go back into HTMLObjectElement::updateWidget(), and dispatch beforeload again. Two of the ways updateWidget is triggered are style resolution and layout. The interaction of these result in one recursive call, and also Widget object is created twice. So, the plug-in is stopped, and malfunctions in the future. <rdar://problem/8353386>
Created attachment 70554 [details] proposed patch
Comment on attachment 70554 [details] proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=70554&action=review > WebCore/html/HTMLPlugInElement.cpp:108 > + if (m_inBeforeLoadEventHandler) { > + // The plug-in hasn't loaded yet, and it makes no sense to try to load if beforeload handler happened to touch the plug-in element. > + // That would recursively call beforeload for the same element. > + return false; > + } This should return 0, not return false.
Committed <http://trac.webkit.org/changeset/69596>.