diff options
| author | darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-27 23:23:56 +0000 |
|---|---|---|
| committer | darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-27 23:23:56 +0000 |
| commit | d9fc9f4d86230620bedea5e22f839b56cf746c05 (patch) | |
| tree | 29b464e863223ac364d3ea578563bbeba5cae30f | |
| parent | 2f3d9d5e876c6a51c9c0e55ebf763a9f8833ae96 (diff) | |
| download | chromium_src-d9fc9f4d86230620bedea5e22f839b56cf746c05.zip chromium_src-d9fc9f4d86230620bedea5e22f839b56cf746c05.tar.gz chromium_src-d9fc9f4d86230620bedea5e22f839b56cf746c05.tar.bz2 | |
Fix a crash that the reliability bots caught.
This was a silly oops. I had intended to call clearPluginContainer on each
WebPluginLoadObserver held in WebPluginContainerImpl's m_pluginLoadObservers
array when the WebPluginContainerImpl is destroyed, but I never hooked that up.
Here it is.
R=jam
BUG=10036
TEST=layout test: chrome/plugins/get-url-with-iframe-target-no-crash.html
Review URL: http://codereview.chromium.org/182003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@24696 0039d316-1c4b-4281-b951-d872f2087c98
3 files changed, 30 insertions, 2 deletions
diff --git a/webkit/api/src/WebPluginContainerImpl.cpp b/webkit/api/src/WebPluginContainerImpl.cpp index fb1e416..6e2dc42 100644 --- a/webkit/api/src/WebPluginContainerImpl.cpp +++ b/webkit/api/src/WebPluginContainerImpl.cpp @@ -255,8 +255,10 @@ void WebPluginContainerImpl::loadFrameRequest( // FIXME: This is a bit of hack to allow us to observe completion of // our frame request. It would be better to evolve FrameLoader to // support a completion callback instead. - WebDataSourceImpl::setNextPluginLoadObserver( - new WebPluginLoadObserver(this, request.url(), notifyData)); + WebPluginLoadObserver* observer = + new WebPluginLoadObserver(this, request.url(), notifyData); + m_pluginLoadObservers.append(observer); + WebDataSourceImpl::setNextPluginLoadObserver(observer); } FrameLoadRequest frameRequest(request.toResourceRequest()); @@ -312,6 +314,8 @@ void WebPluginContainerImpl::willDestroyPluginLoadObserver(WebPluginLoadObserver WebPluginContainerImpl::~WebPluginContainerImpl() { + for (size_t i = 0; i < m_pluginLoadObservers.size(); ++i) + m_pluginLoadObservers[i]->clearPluginContainer(); m_webPlugin->destroy(); } diff --git a/webkit/data/layout_tests/chrome/plugins/get-url-with-iframe-target-no-crash-expected.txt b/webkit/data/layout_tests/chrome/plugins/get-url-with-iframe-target-no-crash-expected.txt new file mode 100644 index 0000000..64edcc7 --- /dev/null +++ b/webkit/data/layout_tests/chrome/plugins/get-url-with-iframe-target-no-crash-expected.txt @@ -0,0 +1,3 @@ +This tests that we do not crash upon trying to deliver NPP_URLNotify to a plugin that has been deleted. +SUCCESS + diff --git a/webkit/data/layout_tests/chrome/plugins/get-url-with-iframe-target-no-crash.html b/webkit/data/layout_tests/chrome/plugins/get-url-with-iframe-target-no-crash.html new file mode 100644 index 0000000..35d1a09 --- /dev/null +++ b/webkit/data/layout_tests/chrome/plugins/get-url-with-iframe-target-no-crash.html @@ -0,0 +1,21 @@ +<html> +<script> +function runtest() { + if (window.layoutTestController) { + layoutTestController.dumpAsText(); + layoutTestController.waitUntilDone(); + plg.getURLNotify("data:text/html,<body onload='layoutTestController.notifyDone()'></body>", "frame", "callback"); + plg.parentNode.removeChild(plg) + } else { + document.write("Cannot run interactively"); + } +} +</script> +<body onload="runtest()"> +<embed id="plg" type="application/x-webkit-test-netscape"></embed> +This tests that we do not crash upon trying to deliver NPP_URLNotify to +a plugin that has been deleted. +<div id="result">SUCCESS</div> +<iframe id="frame"></iframe> +</body> +</html> |