Bug 81254 - fix a use-after-free in TestNetscapePlugIn
Summary: fix a use-after-free in TestNetscapePlugIn
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Tony Chang
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-15 12:07 PDT by Tony Chang
Modified: 2012-03-15 15:00 PDT

See Also:


Attachments
Patch (1.72 KB, patch)
2012-03-15 12:10 PDT, Tony Chang
andersca: review-
andersca: commit-queue-

Description Tony Chang 2012-03-15 12:07:48 PDT
fix a use-after-free in TestNetscapePlugIn
Comment 1 Tony Chang 2012-03-15 12:10:18 PDT
Created attachment 132099 [details]
Patch
Comment 2 Tony Chang 2012-03-15 12:11:01 PDT
Anders, I don't know if you remember this code from about 2 years ago, but valgrind caught this as a use-after-free in Chromium's drt.
Comment 3 Anders Carlsson 2012-03-15 12:47:24 PDT
Comment on attachment 132099 [details]
Patch

I don't think this is correct. Chromium shouldn't destroy the plug-in as long as there's plug-in code on the stack.
Comment 4 Tony Chang 2012-03-15 15:00:04 PDT
(In reply to comment #3)
> (From update of attachment 132099 [details])
> I don't think this is correct. Chromium shouldn't destroy the plug-in as long as there's plug-in code on the stack.

You're right, this is a bug in Chromium code. I was able to see the behavior you described in Firefox (Linux) and Safari single-process (I tried to run in Safari multi-process, but that just hangs; the test was skipped on SL and Lion in bug 32229).
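The rule Anders states in comment 3, that the host must not destroy the plug-in while plug-in code is still on the stack, is the usual defence against this class of use-after-free. The following is an added example in C; it is not WebKit, Chromium or TestNetscapePlugIn code and does not model the NPAPI. A hypothetical host bracket every call into the plug-in with an enter/leave pair, counts the call depth, and turns a destroy request that arrives mid-call into a deferred free that the outermost leave performs. Names such as `plugInInvoke`, `plugInDestroy` and the counters are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical plug-in instance for this example (not the NPAPI object). */
typedef struct PlugIn {
    int  callDepth;         /* plug-in entry points currently on the stack */
    bool destroyRequested;  /* destroy arrived while callDepth > 0 */
    int  scratch;           /* state a callback writes, to show p is still live */
} PlugIn;

/* Observation counters so a test can check what happened without
 * touching memory that has already been freed. */
static int g_frees = 0;          /* instances actually freed */
static int g_freeDepthSeen = -1; /* callDepth at the moment free() ran (must be 0) */
static int g_scratchAtFree = -1; /* scratch value at the moment free() ran */

static void plugInFreeNow(PlugIn *p) {
    g_freeDepthSeen = p->callDepth;
    g_scratchAtFree = p->scratch;
    g_frees++;
    free(p);
}

PlugIn *plugInCreate(void) {
    return calloc(1, sizeof(PlugIn));
}

/* Host destroy path: free only when no plug-in code is on the stack;
 * otherwise record the request and let the outermost leave honour it.
 * Freeing unconditionally here is exactly the use-after-free pattern. */
void plugInDestroy(PlugIn *p) {
    if (p->callDepth > 0) {
        p->destroyRequested = true;
        return;
    }
    plugInFreeNow(p);
}

static void plugInEnter(PlugIn *p) { p->callDepth++; }

static void plugInLeave(PlugIn *p) {
    p->callDepth--;
    if (p->callDepth == 0 && p->destroyRequested)
        plugInFreeNow(p);
    /* p must not be used past this point: it may be gone. */
}

typedef void (*PlugInEntryPoint)(PlugIn *p, int depthRemaining);

/* Every call from the host into plug-in code goes through this wrapper. */
void plugInInvoke(PlugIn *p, PlugInEntryPoint fn, int depthRemaining) {
    plugInEnter(p);
    fn(p, depthRemaining);
    plugInLeave(p);
}

/* Constructed plug-in entry point: re-enters the plug-in a few levels deep
 * (plug-in -> host -> plug-in, as happens with NPN_* calls), asks the host
 * to destroy the instance at the innermost level, and then every level
 * keeps using the instance on the way out. */
static void recursingEntryPoint(PlugIn *p, int depthRemaining) {
    if (depthRemaining > 0)
        plugInInvoke(p, recursingEntryPoint, depthRemaining - 1);
    else
        plugInDestroy(p);   /* deferred, because callDepth > 0 here */
    p->scratch += 1;        /* safe at every level: the free has not happened yet */
}

/* Runs the scenario with `nesting` re-entrant levels. Returns the scratch
 * value seen at the moment of the single free (expected nesting + 1, one
 * increment per level), or -1 if the free happened at the wrong time. */
int runDeferredDestroyScenario(int nesting) {
    g_frees = 0;
    g_freeDepthSeen = -1;
    g_scratchAtFree = -1;
    PlugIn *p = plugInCreate();
    if (!p) return -1;
    plugInInvoke(p, recursingEntryPoint, nesting);
    /* p was freed inside the outermost plugInLeave(); do not touch it. */
    return (g_frees == 1 && g_freeDepthSeen == 0) ? g_scratchAtFree : -1;
}

/* With no plug-in code on the stack, destroy must free immediately. */
bool destroyOutsideCallIsImmediate(void) {
    g_frees = 0;
    PlugIn *p = plugInCreate();
    if (!p) return false;
    plugInDestroy(p);
    return g_frees == 1;
}

int main(void) {
    printf("nested scenario: %d (expected 4)\n", runDeferredDestroyScenario(3));
    printf("immediate destroy: %s\n", destroyOutsideCallIsImmediate() ? "ok" : "FAIL");
    return 0;
}
```

The counter approach is what makes the destroy path safe regardless of which plug-in callback triggers it: any number of re-entrant levels may be live, and the free moves to the point where the outermost host-side wrapper regains control. A tool such as valgrind, as used in comment 2, shows the difference directly: with an unconditional free in `plugInDestroy`, the `p->scratch += 1` on the way out reads and writes freed memory.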