Created attachment 72363 [details] Patch

I'm not sure who an appropriate reviewer for this is, so adding people who might know.

Comment on attachment 72363 [details] Patch Oops, this isn't enough to fix the crash.

I don't think I know enough about plugins to fix this crash. One can repro by running LayoutTests/plugins/js-from-destroy.html. On Mac, you need to use DRT and on Linux, you need to delete libnpapi_layout_test_plugin.so from out/Debug/plugins/ and copy libTestNetscapePlugIn.so into that directory (you can use test_shell or DRT on Linux). The general flow is that when unloading a document, NPN_Destroy is run and the plugin tries to run javascript by running the following: static void executeScript(const PluginObject* obj, const char* script) { NPObject *windowScriptObject; browser->getvalue(obj->npp, NPNVWindowNPObject, &windowScriptObject); NPString npScript; npScript.UTF8Characters = script; npScript.UTF8Length = strlen(script); NPVariant browserResult; browser->evaluate(obj->npp, windowScriptObject, &npScript, &browserResult); browser->releasevariantvalue(&browserResult); } We crash on browser->getvalue. We try to call V8DOMWindowShell::createNewContext, but we fail because activeDocumentLoader() is NULL. It looks like from reading the bug when this test was added that Safari is able to execute the javascript while the document is being torn down, but I'm not sure what needs to be done to allow that to work. Simply commenting out the activeDocumentLoader isn't enough.

LayoutTest failures for Chromium are being marked WontFix. The Bug is still accessible and referenced from TestExpectations.