haikuwebkit/LayoutTests/plugins/npobject-js-wrapper-destroy...

4 lines
69 B
Plaintext

Invalidate JS wrappers for NPObjects when they are finalized

This will cause the underlying NPObject to be released at finalization time, rather than at destruction time (which is unpredictable and could occur after the plugin has been unloaded).

Test: plugins/npobject-js-wrapper-destroyed-after-plugin-unload.html

Fixes <http://webkit.org/b/61316> <rdar://problem/9489824> Crash in deallocateNPObject when reloading yahoo.com webarchive in WebKit2
and <http://webkit.org/b/61317> <rdar://problem/9489829> Crash in _NPN_DeallocateObject when reloading yahoo.com webarchive in WebKit1

Reviewed by Oliver Hunt.

Source/WebCore:

* bridge/runtime_object.cpp:
(JSC::Bindings::RuntimeObject::~RuntimeObject): Assert that we've already been invalidated.

* bridge/runtime_root.cpp:
(JSC::Bindings::RootObject::invalidate):
(JSC::Bindings::RootObject::addRuntimeObject):
Updated for m_runtimeObjects type change.
(JSC::Bindings::RootObject::finalize): Added. Invalidates the RuntimeObject and removes it from the map.

* bridge/runtime_root.h: Now inherits from WeakHandleOwner. Changed m_runtimeObjects from a WeakGCMap to a HashMap of JSC::Weak objects so that we will be notified when the RuntimeObjects are finalized.

Source/WebKit2:

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::~JSNPObject): Assert that we've already been invalidated, rather than trying to perform invalidation now (when the plugin might already be unloaded).

* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
(WebKit::NPRuntimeObjectMap::getOrCreateJSObject):
(WebKit::NPRuntimeObjectMap::invalidate):
Updated for m_jsNPObjects type change.
(WebKit::NPRuntimeObjectMap::finalize): Added. Invalidates the JSNPObject and removes it from the map.

* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.h: Now inherits from WeakHandleOwner. Changed m_jsNPObjects from a WeakGCMap to a HashMap of JSC::Weak objects so that we will be notified when the JSNPObjects are finalized.

LayoutTests:

Test that we don't crash when a JS wrapper for an NPObject is destroyed after its plugin is unloaded

* plugins/npobject-js-wrapper-destroyed-after-plugin-unload-expected.txt: Added.
* plugins/npobject-js-wrapper-destroyed-after-plugin-unload.html: Added.
(startTest): Gets a JS wrapper for an NPObject from the plugin, allocate a bunch of memory so the JS wrapper will be finalized, then destroy the plugin and wait for a little bit before calling finishTest.
(finishTest): Force a GC so the JS wrapper will be destroyed. If we didn't crash, we passed!

Canonical link: https://commits.webkit.org/76759@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@87179 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2011-05-24 18:51:49 +00:00
This test will only work in DumpRenderTree/WebKitTestRunner.
PASSED
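
The ordering problem the commit message describes (finalize, plugin unload, then destruction), as an added example that is not WebKit code. `Plugin`, `Wrapper`, `Root` and `lateCallsIntoPlugin` are hypothetical stand-ins for the plugin, the JS wrapper, the weak-handle owner and the test driver; a call after unload is counted here instead of crashing.

```cpp
#include <cstdio>
#include <unordered_set>

// Toy plugin: records calls that arrive after unload (the real one would crash).
struct Plugin {
    bool loaded = true;
    int callsAfterUnload = 0;
    void release() { if (!loaded) ++callsAfterUnload; }
};

// Toy JS wrapper holding a reference to a plugin-owned object.
class Wrapper {
public:
    explicit Wrapper(Plugin& p) : m_plugin(&p) {}
    void invalidate() {
        if (m_plugin) m_plugin->release();
        m_plugin = nullptr;
    }
    // Old behaviour: release at destruction time. The commit replaces this
    // with an assertion that invalidate() has already run.
    ~Wrapper() { invalidate(); }
private:
    Plugin* m_plugin;
};

// Toy owner of the wrappers; finalize() is the collector's notification.
class Root {
public:
    Wrapper* wrap(Plugin& p) { return *m_wrappers.insert(new Wrapper(p)).first; }
    void finalize(Wrapper* w) { w->invalidate(); m_wrappers.erase(w); }
private:
    std::unordered_set<Wrapper*> m_wrappers;  // non-owning, never dereferenced
};

// Same order as the layout test: wrapper becomes garbage, plugin is
// unloaded, wrapper memory is destroyed later. Returns the late-call count.
int lateCallsIntoPlugin(bool notifyOnFinalize) {
    Plugin plugin;
    Root root;
    Wrapper* w = root.wrap(plugin);
    if (notifyOnFinalize) root.finalize(w);  // release while plugin is loaded
    plugin.loaded = false;                   // plugin unloaded
    delete w;                                // destruction, some time later
    return plugin.callsAfterUnload;
}

int main() {
    std::printf("finalize hook: %d, destructor only: %d\n",
                lateCallsIntoPlugin(true), lateCallsIntoPlugin(false));
}
```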