haikuwebkit/LayoutTests/plugins/npobject-js-wrapper-destroy...

52 lines
1.7 KiB
HTML

Invalidate JS wrappers for NPObjects when they are finalized

This will cause the underlying NPObject to be released at finalization time, rather than at destruction time (which is unpredictable and could occur after the plugin has been unloaded).

Test: plugins/npobject-js-wrapper-destroyed-after-plugin-unload.html

Fixes <http://webkit.org/b/61316> <rdar://problem/9489824> Crash in deallocateNPObject when reloading yahoo.com webarchive in WebKit2 and <http://webkit.org/b/61317> <rdar://problem/9489829> Crash in _NPN_DeallocateObject when reloading yahoo.com webarchive in WebKit1

Reviewed by Oliver Hunt.

Source/WebCore:

* bridge/runtime_object.cpp:
(JSC::Bindings::RuntimeObject::~RuntimeObject): Assert that we've already been invalidated.
* bridge/runtime_root.cpp:
(JSC::Bindings::RootObject::invalidate):
(JSC::Bindings::RootObject::addRuntimeObject): Updated for m_runtimeObjects type change.
(JSC::Bindings::RootObject::finalize): Added. Invalidates the RuntimeObject and removes it from the map.
* bridge/runtime_root.h: Now inherits from WeakHandleOwner. Changed m_runtimeObjects from a WeakGCMap to a HashMap of JSC::Weak objects so that we will be notified when the RuntimeObjects are finalized.

Source/WebKit2:

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::~JSNPObject): Assert that we've already been invalidated, rather than trying to perform invalidation now (when the plugin might already be unloaded).
* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
(WebKit::NPRuntimeObjectMap::getOrCreateJSObject):
(WebKit::NPRuntimeObjectMap::invalidate): Updated for m_jsNPObjects type change.
(WebKit::NPRuntimeObjectMap::finalize): Added. Invalidates the JSNPObject and removes it from the map.
* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.h: Now inherits from WeakHandleOwner. Changed m_jsNPObjects from a WeakGCMap to a HashMap of JSC::Weak objects so that we will be notified when the JSNPObjects are finalized.

LayoutTests:

Test that we don't crash when a JS wrapper for an NPObject is destroyed after its plugin is unloaded

* plugins/npobject-js-wrapper-destroyed-after-plugin-unload-expected.txt: Added.
* plugins/npobject-js-wrapper-destroyed-after-plugin-unload.html: Added.
(startTest): Gets a JS wrapper for an NPObject from the plugin, allocate a bunch of memory so the JS wrapper will be finalized, then destroy the plugin and wait for a little bit before calling finishTest.
(finishTest): Force a GC so the JS wrapper will be destroyed. If we didn't crash, we passed!

Canonical link: https://commits.webkit.org/76759@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@87179 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2011-05-24 18:51:49 +00:00
<!DOCTYPE html>
<html>
<head>
<script>
function startTest() {
Use testRunner instead of layoutTestController in networkinformation, perf, plugins, pointer-lock, printing, scrollbars, and security tests https://bugs.webkit.org/show_bug.cgi?id=89181 Reviewed by Kent Tamura. * perf/clone-with-focus.html: * perf/nested-combined-selectors.html: * perf/table-rows-length-caching.html: * platform/chromium/plugins/call-as-function.html: * platform/chromium/plugins/get-url-with-blank-target2.html: * platform/chromium/plugins/get-url-with-iframe-target-no-crash.html: * platform/chromium/printing/custom-page-size-style-expected.txt: * platform/chromium/printing/custom-page-size-style.html: * platform/gtk/plugins/invalidate-rect-with-null-npp-argument.html: * platform/gtk/scrollbars/overflow-scrollbar-horizontal-wheel-scroll.html: * platform/mac-wk2/plugins/contents-scale-factor.html: * platform/mac-wk2/plugins/mouse-events-scaled.html: * platform/mac/plugins/bindings-array-apply-crash.html: * platform/mac/plugins/bindings-objc-long-method-name.html: * platform/mac/plugins/bindings-objc-method-name-conversion.html: * platform/mac/plugins/bindings-test-objc.html: * platform/mac/plugins/call-as-function-test.html: * platform/mac/plugins/convert-point.html: * platform/mac/plugins/disable-plugins.html: * platform/mac/plugins/jsobjc-dom-wrappers.html: * platform/mac/plugins/jsobjc-simple.html: * platform/mac/plugins/pluginDocumentView-deallocated-dataSource.html-disabled: * platform/mac/plugins/root-object-premature-delete-crash.html: * platform/mac/plugins/supports-carbon-event-model.html: * platform/mac/plugins/testplugin-onnew-onpaint.html: * platform/mac/plugins/throw-on-dealloc.html: * platform/mac/plugins/undefined-property-crash.html: * platform/mac/plugins/update-widget-from-style-recalc.html: * platform/mac/plugins/webScriptObject-exception-deadlock.html: * platform/mac/scrollbars/key-window-not-first-responder.html: * platform/qt/plugins/application-plugin-plugins-disabled.html: * 
platform/win/plugins/call-javascript-that-destroys-plugin.html: * platform/win/plugins/get-value-netscape-window.html: * platform/win/plugins/iframe-inside-overflow.html: * platform/win/plugins/npn-invalidate-rect-invalidates-window.html: * platform/win/plugins/visibility-hidden.html: * platform/win/plugins/window-geometry-initialized-before-set-window.html: * platform/win/plugins/window-region-is-set-to-clip-rect.html: * platform/win/plugins/windowless-paint-rect-coordinates.html: * plugins/: * pointer-lock/lock-fail-responses-expected.txt: * pointer-lock/lock-fail-responses.html: * pointer-lock/pointer-lock-api.html: * pointer-lock/pointerlockchange-pointerlockerror-events-expected.txt: * pointer-lock/pointerlockchange-pointerlockerror-events.html: * pointer-lock/pointerlocklost-event-expected.txt: * pointer-lock/pointerlocklost-event.html: * printing/compositing-layer-printing.html: * printing/css2.1/README.txt: * printing/css2.1/page-break-after-000.html: * printing/css2.1/page-break-after-001.html: * printing/css2.1/page-break-after-002.html: * printing/css2.1/page-break-after-003.html: * printing/css2.1/page-break-after-004.html: * printing/css2.1/page-break-before-000.html: * printing/css2.1/page-break-before-001.html: * printing/css2.1/page-break-before-002.html: * printing/css2.1/page-break-inside-000.html: * printing/iframe-print.html: * printing/media-queries-print.html: * printing/numberOfPages-expected.txt: * printing/page-count-layout-overflow.html: * printing/page-count-relayout-shrink.html: * printing/page-count-with-one-word.html: * printing/page-format-data-display-none.html: * printing/page-format-data-expected.txt: * printing/page-format-data.html: * printing/page-rule-css-text.html: * printing/page-rule-in-media-query.html: * printing/page-rule-selection-expected.txt: * printing/page-rule-selection.html: * printing/pageNumerForElementById-expected.txt: * printing/print-close-crash.html: * printing/pseudo-class-outside-page.html: * 
printing/resources/paged-media-test-utils.js: (pageNumberForElementShouldBe): (numberOfPagesShouldBe): (runPrintingTest): * printing/return-from-printing-mode.html: * printing/script-tests/numberOfPages.js: * printing/script-tests/pageNumerForElementById.js: * printing/setPrinting.html: * printing/simultaneous-position-float-change.html: * printing/single-line-must-not-be-split-into-two-pages.html: * printing/width-overflow.html: * printing/zoomed-document.html: * scrollbars/hidden-iframe-scrollbar-crash.html: * scrollbars/hidden-iframe-scrollbar-crash2.html: * scrollbars/hidden-scrollbar-prevents-layout.html: * scrollbars/overflow-custom-scrollbar-crash.html: * scrollbars/resources/hidden-iframe-scrollbar-crash2.html: * scrollbars/scroll-rtl-or-bt-layer.html: * scrollbars/scrollable-iframe-remove-crash.html: * scrollbars/scrollbar-click-does-not-blur-content.html: * scrollbars/scrollbar-crash-on-refresh.html: * scrollbars/scrollbar-drag-thumb-with-large-content.html: * scrollbars/scrollbar-gradient-crash.html: * scrollbars/scrollbar-iframe-click-does-not-blur-content.html: * scrollbars/scrollbar-initial-position.html: * scrollbars/scrollbar-middleclick-nopaste.html: * scrollbars/scrollbar-miss-mousemove-disabled.html: * scrollbars/scrollbar-miss-mousemove.html: * scrollbars/scrollbar-owning-renderer-crash.html: * scrollbars/scrollbar-part-created-with-no-parent-crash.html: * scrollbars/scrollbar-percent-padding-crash.html: * scrollbars/scrollbar-scrollbarparts-repaint-crash.html: * scrollbars/scrollevent-iframe-no-scrolling-wheel.html: * scrollbars/scrollevent-iframe-no-scrolling.html: * security/autocomplete-cleared-on-back.html: * security/block-test-no-port.html: * security/block-test.html: * security/set-form-autocomplete-attribute.html: Canonical link: https://commits.webkit.org/107031@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@120417 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2012-06-15 07:38:37 +00:00
    if (window.testRunner) {
        testRunner.dumpAsText();
        testRunner.waitUntilDone();
    }

    // Access all objects/properties that we're going to use later in the test so that JS
    // allocations only happen when we expect.
    var body = document.body;
    body.removeChild;
    var plugin = body.getElementsByTagName('embed')[0];
    var testObject = plugin.testObject;
    setTimeout;
    testObject = null;

    // Allocate a bunch of JS memory. This should cause testObject to be finalized, but its
    // destructor shouldn't run until the GCController.collect call we make later.
    var array = new Array(10000);
    for (var i = 0; i < 10000; ++i)
        array[i] = new Object();

    // Remove the plugin and wait for a little bit to ensure it has been unloaded (WebKit1
    // on Windows unloads plugins after a delay).
    body.removeChild(plugin);
    setTimeout(finishTest, 250);
}

function finishTest() {
    // Force a GC. If we don't crash here, we've passed the test.
    if (window.GCController)
        GCController.collect();

    document.body.appendChild(document.createTextNode('PASSED'));
    if (window.testRunner)
        testRunner.notifyDone();
}
addEventListener('load', startTest, false);
</script>
</head>
<body>
<p>This test will only work in DumpRenderTree/WebKitTestRunner.</p>
<embed type="application/x-webkit-test-netscape">
</body>
</html>
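
The lifetime rule from the first commit message (release the plugin's object at finalization, not in the destructor), replayed in the order this test forces events. This is an added C++ model, not WebKit code and not part of this file or its commits. `Plugin`, `Wrapper`, `WrapperMap`, `Policy` and `runScenario` are hypothetical names, and the model assumes a finalized wrapper is no longer tracked by the owner map when the plugin is torn down.

```cpp
#include <cstdio>
#include <unordered_set>

// Stand-in for a plugin module: releasing an object runs plugin code, safe only while loaded.
struct Plugin {
    bool loaded = true;
    int releasedWhileLoaded = 0;
    int releasedAfterUnload = 0; // the ordering the fix rules out
    void releaseObject() { if (loaded) ++releasedWhileLoaded; else ++releasedAfterUnload; }
};

enum class Policy { ReleaseInDestructor, ReleaseInFinalizer };

struct Wrapper {
    Plugin* plugin;
    void invalidate() { // idempotent: releases the plugin object at most once
        if (!plugin) return;
        plugin->releaseObject();
        plugin = nullptr;
    }
};

// Stand-in for the owner map (the role RootObject / NPRuntimeObjectMap play in the commit).
struct WrapperMap {
    Plugin& plugin;
    Policy policy;
    std::unordered_set<Wrapper*> live;
    Wrapper* create() { return *live.insert(new Wrapper{&plugin}).first; }
    // GC found the wrapper unreachable (model assumption: the map stops tracking it here).
    void finalize(Wrapper* w) {
        live.erase(w);
        if (policy == Policy::ReleaseInFinalizer) w->invalidate();
    }
    // Plugin teardown: invalidate the wrappers the map still tracks, then unload.
    void unloadPlugin() {
        for (Wrapper* w : live) w->invalidate();
        plugin.loaded = false;
    }
    // GC sweep, i.e. destructor time.
    void destroy(Wrapper* w) {
        if (policy == Policy::ReleaseInDestructor) w->invalidate();
        live.erase(w);
        delete w;
    }
};

struct Outcome { int releasedWhileLoaded; int releasedAfterUnload; };

Outcome runScenario(Policy policy) {
    Plugin plugin;
    WrapperMap map{plugin, policy, {}};
    Wrapper* dropped = map.create(); // testObject = plugin.testObject; testObject = null;
    Wrapper* held = map.create();    // constructed extra case: script still holds this one
    map.finalize(dropped);           // allocation pressure finalizes the dead wrapper
    map.unloadPlugin();              // body.removeChild(plugin), then the unload delay
    map.destroy(dropped);            // GCController.collect(): destructors run
    map.destroy(held);
    return {plugin.releasedWhileLoaded, plugin.releasedAfterUnload};
}

int main() {
    Outcome before = runScenario(Policy::ReleaseInDestructor);
    Outcome after = runScenario(Policy::ReleaseInFinalizer);
    std::printf("after-unload releases: %d (destructor policy), %d (finalizer policy)\n",
                before.releasedAfterUnload, after.releasedAfterUnload);
}
```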