diff options
author | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-04-16 18:19:44 +0000 |
---|---|---|
committer | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-04-16 18:19:44 +0000 |
commit | f2eefdabd9adf6c31676a401b4fc01e4e9218cbe (patch) | |
tree | 108efd9f9abbd08201b4623e6f509ea445cf8ccf /webkit | |
parent | 2b2d1697cd3cd6303b372949565bb8ac87741589 (diff) | |
download | chromium_src-f2eefdabd9adf6c31676a401b4fc01e4e9218cbe.zip chromium_src-f2eefdabd9adf6c31676a401b4fc01e4e9218cbe.tar.gz chromium_src-f2eefdabd9adf6c31676a401b4fc01e4e9218cbe.tar.bz2 |
Ensure we check the page pointer before using it after we come out of NPP_HandleEvent, as it might have gone away depending on JavaScript that was executed by the plugin.
BUG=9955
Review URL: http://codereview.chromium.org/75026
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@13858 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r-- | webkit/data/plugins/delete_frame.html | 5 | ||||
-rw-r--r-- | webkit/data/plugins/delete_frame_iframe.html | 5 | ||||
-rw-r--r-- | webkit/glue/plugins/test/plugin_client.cc | 62 | ||||
-rw-r--r-- | webkit/glue/plugins/test/plugin_windowless_test.cc | 22 | ||||
-rw-r--r-- | webkit/glue/plugins/webplugin_delegate_impl.cc | 6 | ||||
-rw-r--r-- | webkit/glue/plugins/webplugin_delegate_impl.h | 2 | ||||
-rw-r--r-- | webkit/glue/webplugin_impl.cc | 7 | ||||
-rw-r--r-- | webkit/tools/test_shell/plugin_tests.cc | 21 |
8 files changed, 88 insertions, 42 deletions
diff --git a/webkit/data/plugins/delete_frame.html b/webkit/data/plugins/delete_frame.html new file mode 100644 index 0000000..7ad2caa --- /dev/null +++ b/webkit/data/plugins/delete_frame.html @@ -0,0 +1,5 @@ +<html>
+<body>
+<iframe id='frame' src='delete_frame_iframe.html'></iframe>
+</body>
+</html>
diff --git a/webkit/data/plugins/delete_frame_iframe.html b/webkit/data/plugins/delete_frame_iframe.html new file mode 100644 index 0000000..bd9b655 --- /dev/null +++ b/webkit/data/plugins/delete_frame_iframe.html @@ -0,0 +1,5 @@ +<html>
+<body>
+<embed id='1' type='application/vnd.npapi-test' src='foo' name='delete_frame_test'>
+</body>
+</html>
\ No newline at end of file diff --git a/webkit/glue/plugins/test/plugin_client.cc b/webkit/glue/plugins/test/plugin_client.cc index 3a3d3a5..de6cd2a 100644 --- a/webkit/glue/plugins/test/plugin_client.cc +++ b/webkit/glue/plugins/test/plugin_client.cc @@ -43,7 +43,7 @@ NPError PluginClient::GetEntryPoints(NPPluginFuncs* pFuncs) { pFuncs->urlnotify = NPP_URLNotify; pFuncs->getvalue = NPP_GetValue; pFuncs->setvalue = NPP_SetValue; - pFuncs->javaClass = reinterpret_cast<JRIGlobalRef>(NPP_GetJavaClass); + pFuncs->javaClass = static_cast<JRIGlobalRef>(NPP_GetJavaClass); return NPERR_NO_ERROR; } @@ -79,83 +79,79 @@ NPError NPP_New(NPMIMEType pluginType, NPP instance, uint16 mode, // that against a given test and try to instantiate it. // lookup the name parameter - int name_index = 0; - for (name_index = 0; name_index < argc; name_index++) - if (base::strcasecmp(argn[name_index], "name") == 0) + std::string test_name; + for (int name_index = 0; name_index < argc; name_index++) + if (base::strcasecmp(argn[name_index], "name") == 0) { + test_name = argv[name_index]; break; + } - if (name_index >= argc) + if (test_name.empty()) return NPERR_GENERIC_ERROR; // no name found NPError ret = NPERR_GENERIC_ERROR; bool windowless_plugin = false; - + NPAPIClient::PluginTest *new_test = NULL; - if (base::strcasecmp(argv[name_index], "arguments") == 0) { + if (test_name == "arguments") { new_test = new NPAPIClient::PluginArgumentsTest(instance, NPAPIClient::PluginClient::HostFunctions()); - } else if (base::strcasecmp(argv[name_index], "geturl") == 0) { + } else if (test_name == "geturl") { new_test = new NPAPIClient::PluginGetURLTest(instance, NPAPIClient::PluginClient::HostFunctions()); - } else if (base::strcasecmp(argv[name_index], "npobject_proxy") == 0) { + } else if (test_name == "npobject_proxy") { new_test = new NPAPIClient::NPObjectProxyTest(instance, NPAPIClient::PluginClient::HostFunctions()); #if defined(OS_WIN) // TODO(port): plugin_windowless_test.*. - } else if ((base::strcasecmp(argv[name_index], - "execute_script_delete_in_paint") == 0) || - (base::strcasecmp(argv[name_index], - "execute_script_delete_in_mouse_move") == 0)) { + } else if (test_name == "execute_script_delete_in_paint" || + test_name == "execute_script_delete_in_mouse_move" || + test_name == "delete_frame_test") { new_test = new NPAPIClient::WindowlessPluginTest(instance, - NPAPIClient::PluginClient::HostFunctions(), argv[name_index]); + NPAPIClient::PluginClient::HostFunctions(), test_name); windowless_plugin = true; #endif - } else if (base::strcasecmp(argv[name_index], "getjavascripturl") == 0) { + } else if (test_name == "getjavascripturl") { new_test = new NPAPIClient::ExecuteGetJavascriptUrlTest(instance, NPAPIClient::PluginClient::HostFunctions()); #if defined(OS_WIN) // TODO(port): plugin_window_size_test.*. - } else if (base::strcasecmp(argv[name_index], "checkwindowrect") == 0) { + } else if (test_name == "checkwindowrect") { new_test = new NPAPIClient::PluginWindowSizeTest(instance, NPAPIClient::PluginClient::HostFunctions()); #endif - } else if (base::strcasecmp(argv[name_index], - "self_delete_plugin_stream") == 0) { + } else if (test_name == "self_delete_plugin_stream") { new_test = new NPAPIClient::DeletePluginInStreamTest(instance, NPAPIClient::PluginClient::HostFunctions()); #if defined(OS_WIN) // TODO(port): plugin_npobject_lifetime_test.*. - } else if (base::strcasecmp(argv[name_index], - "npobject_lifetime_test") == 0) { + } else if (test_name == "npobject_lifetime_test") { new_test = new NPAPIClient::NPObjectLifetimeTest(instance, NPAPIClient::PluginClient::HostFunctions()); - } else if (base::strcasecmp(argv[name_index], - "npobject_lifetime_test_second_instance") == 0) { + } else if (test_name == "npobject_lifetime_test_second_instance") { new_test = new NPAPIClient::NPObjectLifetimeTestInstance2(instance, NPAPIClient::PluginClient::HostFunctions()); - } else if (base::strcasecmp(argv[name_index], - "npobject_delete_plugin_in_evaluate") == 0) { + } else if (test_name == "new_fails") { + new_test = new NPAPIClient::NewFailsTest(instance, + NPAPIClient::PluginClient::HostFunctions()); + } else if (test_name == "npobject_delete_plugin_in_evaluate") { new_test = new NPAPIClient::NPObjectDeletePluginInNPN_Evaluate(instance, NPAPIClient::PluginClient::HostFunctions()); #endif - } else if (base::strcasecmp(argv[name_index], "new_fails") == 0) { - new_test = new NPAPIClient::NewFailsTest(instance, - NPAPIClient::PluginClient::HostFunctions()); - } else if (base::strcasecmp(argv[name_index], - "plugin_javascript_open_popup_with_plugin") == 0) { + } else if (test_name == + "plugin_javascript_open_popup_with_plugin") { new_test = new NPAPIClient::ExecuteJavascriptOpenPopupWithPluginTest( instance, NPAPIClient::PluginClient::HostFunctions()); - } else if (base::strcasecmp(argv[name_index], - "plugin_popup_with_plugin_target") == 0) { + } else if (test_name == "plugin_popup_with_plugin_target") { new_test = new NPAPIClient::ExecuteJavascriptPopupWindowTargetPluginTest( instance, NPAPIClient::PluginClient::HostFunctions()); - } else if (base::strcasecmp(argv[name_index], "private") == 0) { + } else if (test_name == "private") { new_test = new NPAPIClient::PrivateTest(instance, NPAPIClient::PluginClient::HostFunctions()); } else { // If we don't have a test case for this, create a // generic one which basically never fails. - LOG(WARNING) << "Unknown test name '" << argv[name_index] + LOG(WARNING) << "Unknown test name '" << test_name << "'; using default test."; new_test = new NPAPIClient::PluginTest(instance, NPAPIClient::PluginClient::HostFunctions()); diff --git a/webkit/glue/plugins/test/plugin_windowless_test.cc b/webkit/glue/plugins/test/plugin_windowless_test.cc index 131102c..74f422e 100644 --- a/webkit/glue/plugins/test/plugin_windowless_test.cc +++ b/webkit/glue/plugins/test/plugin_windowless_test.cc @@ -29,8 +29,7 @@ int16 WindowlessPluginTest::HandleEvent(void* event) { NPEvent* np_event = reinterpret_cast<NPEvent*>(event); if (WM_PAINT == np_event->event && - base::strcasecmp(test_name_.c_str(), - "execute_script_delete_in_paint") == 0) { + test_name_ == "execute_script_delete_in_paint") { HDC paint_dc = reinterpret_cast<HDC>(np_event->wParam); if (paint_dc == NULL) { SetError("Invalid Window DC passed to HandleEvent for WM_PAINT"); @@ -53,13 +52,11 @@ int16 WindowlessPluginTest::HandleEvent(void* event) { browser->geturl(id(), urlString, targetString); SignalTestCompleted(); } else if (WM_MOUSEMOVE == np_event->event && - base::strcasecmp(test_name_.c_str(), - "execute_script_delete_in_mouse_move") == 0) { + test_name_ == "execute_script_delete_in_mouse_move") { std::string script = "javascript:DeletePluginWithinScript()"; NPString script_string; script_string.UTF8Characters = script.c_str(); - script_string.UTF8Length = - static_cast<unsigned int>(script.length()); + script_string.UTF8Length = static_cast<unsigned int>(script.length()); NPObject *window_obj = NULL; browser->getvalue(id(), NPNVWindowNPObject, &window_obj); @@ -67,6 +64,19 @@ int16 WindowlessPluginTest::HandleEvent(void* event) { NPError result = browser->evaluate(id(), window_obj, &script_string, &result_var); SignalTestCompleted(); + } else if (WM_LBUTTONUP == np_event->event && + test_name_ == "delete_frame_test") { + std::string script = + "javascript:parent.document.getElementById('frame').outerHTML = ''"; + NPString script_string; + script_string.UTF8Characters = script.c_str(); + script_string.UTF8Length = static_cast<unsigned int>(script.length()); + + NPObject *window_obj = NULL; + browser->getvalue(id(), NPNVWindowNPObject, &window_obj); + NPVariant result_var; + NPError result = browser->evaluate(id(), window_obj, + &script_string, &result_var); } // If this test failed, then we'd have crashed by now. return PluginTest::HandleEvent(event); diff --git a/webkit/glue/plugins/webplugin_delegate_impl.cc b/webkit/glue/plugins/webplugin_delegate_impl.cc index 87d02cb..cd11d07 100644 --- a/webkit/glue/plugins/webplugin_delegate_impl.cc +++ b/webkit/glue/plugins/webplugin_delegate_impl.cc @@ -220,7 +220,11 @@ WebPluginDelegateImpl::~WebPluginDelegateImpl() { } void WebPluginDelegateImpl::PluginDestroyed() { - delete this; + if (handle_event_depth_) { + MessageLoop::current()->DeleteSoon(FROM_HERE, this); + } else { + delete this; + } } bool WebPluginDelegateImpl::Initialize(const GURL& url, diff --git a/webkit/glue/plugins/webplugin_delegate_impl.h b/webkit/glue/plugins/webplugin_delegate_impl.h index a429e63..9110c47 100644 --- a/webkit/glue/plugins/webplugin_delegate_impl.h +++ b/webkit/glue/plugins/webplugin_delegate_impl.h @@ -90,6 +90,8 @@ class WebPluginDelegateImpl : public WebPluginDelegate { virtual int GetQuirks() const { return quirks_; } private: + friend class DeleteTask<WebPluginDelegateImpl>; + WebPluginDelegateImpl(gfx::NativeView containing_view, NPAPI::PluginInstance *instance); ~WebPluginDelegateImpl(); diff --git a/webkit/glue/webplugin_impl.cc b/webkit/glue/webplugin_impl.cc index 24748cc..1407b4d 100644 --- a/webkit/glue/webplugin_impl.cc +++ b/webkit/glue/webplugin_impl.cc @@ -863,9 +863,12 @@ void WebPluginImpl::handleMouseEvent(WebCore::MouseEvent* event) { if (!delegate_->HandleEvent(&np_event, &cursor)) event->setDefaultHandled(); + WebCore::Page* page = parent_view->frame()->page(); + if (!page) + return; + ChromeClientImpl* chrome_client = - static_cast<ChromeClientImpl*>( - parent_view->frame()->page()->chrome()->client()); + static_cast<ChromeClientImpl*>(page->chrome()->client()); // A windowless plugin can change the cursor in response to the WM_MOUSEMOVE // event. We need to reflect the changed cursor in the frame view as the diff --git a/webkit/tools/test_shell/plugin_tests.cc b/webkit/tools/test_shell/plugin_tests.cc index f2ad349..8759233 100644 --- a/webkit/tools/test_shell/plugin_tests.cc +++ b/webkit/tools/test_shell/plugin_tests.cc @@ -7,8 +7,10 @@ #include "base/file_util.h" #include "base/path_service.h" #include "base/string_util.h" +#include "net/base/escape.h" #include "testing/gtest/include/gtest/gtest.h" #include "third_party/WebKit/WebKit/chromium/public/WebScriptSource.h" +#include "third_party/WebKit/WebKit/chromium/public/WebInputEvent.h" #include "webkit/glue/webframe.h" #include "webkit/glue/webview.h" #include "webkit/tools/test_shell/test_shell.h" @@ -123,3 +125,22 @@ TEST_F(PluginTest, DefaultPluginLoadTest) { ASSERT_EQ(true, StartsWith(text, L"DONE", true)); } + +// Tests that if a frame is deleted as a result of calling NPP_HandleEvent, we +// don't crash. +TEST_F(PluginTest, DeleteFrameDuringEvent) { + FilePath test_html = data_dir_; + test_html = test_html.AppendASCII("plugins"); + test_html = test_html.AppendASCII("delete_frame.html"); + test_shell_->LoadURL(test_html.ToWStringHack().c_str()); + test_shell_->WaitTestFinished(); + + WebKit::WebMouseEvent input; + input.button = WebKit::WebMouseEvent::ButtonLeft; + input.x = 50; + input.y = 50; + input.type = WebKit::WebInputEvent::MouseUp; + test_shell_->webView()->HandleInputEvent(&input); + + // No crash means we passed. +} |