[webkit-dev] crash during plugin unload

tmalsbar at codeaurora.org tmalsbar at codeaurora.org
Thu May 12 11:13:56 PDT 2011


I am seeing a crash in the android browser when unloading an NPAPI plugin
I am developing.  I do not see the problem in chrome, so am wondering if
anyone can help me sort out what's different between the two.

The test web page is passing a JS object to the plugin, which calls
NPN_SetProperty on the JS object with a couple of plugin created objects. 
When the <object> element is removed as the page is getting cleaned up,
the browser does not release the plugin created object until after it
unloads the plugin.  At that point the code for deallocate doesn't exist
anymore, so the browser crashes.

Looking into the code a bit, I see that plugin created objects are
registered with an owner object, and that cleanup will remove the
sub-objects of the owner (this is in the V8 binding).  However I also see
that in WebCore/bindings/v8/NPV8Object.cpp, the owner for set property is
object->rootObject->frame()->script()->windowScriptNPObject(): the window
object, not the <object>.  So it looks as though it will not be considered
a sub-object of <object>, and therefore not be released before the plugin
is unloaded.

Is this a bug, or am I missing something more fundamental here?  Also, if
this is more appropriate to one of the android lists, please let me know. 
This looks like common code so I'm starting with this list.

Other info: I've verified that the referenceCount field is correct on the
plugin created object.  I also see the problem with other plugin-created
objects having window as an owner and not getting released before the
plugin is unloaded.
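The release ordering the post describes, as an added C model (constructed here, not WebKit code and not the poster's plugin): objects rooted on the window owner survive the `<object>` cleanup, the plugin unloads, and the later window cleanup calls a `deallocate` that now points into unloaded code. The owner names and the flat object registry are assumptions of this model.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for an NPAPI object: the deallocate callback lives in
 * plugin code, so calling it after the plugin is unloaded is a crash. */
typedef struct NPObject NPObject;
typedef void (*DeallocFn)(NPObject *);
struct NPObject { DeallocFn deallocate; int referenceCount; const char *owner; };

static bool g_plugin_loaded = true;  /* false once the plugin module is gone */
static int g_dangling_calls = 0;     /* deallocate reached after unload */

static void plugin_deallocate(NPObject *o) {
    if (!g_plugin_loaded) g_dangling_calls++;  /* would jump into unmapped code */
    o->referenceCount = 0;
}

/* Drop one reference; deallocate when the last one goes. */
static void release(NPObject *o) {
    if (--o->referenceCount == 0) o->deallocate(o);
}

/* Browser-side cleanup: release every live object registered under `owner`. */
static void cleanup_owner(NPObject **objs, size_t n, const char *owner) {
    for (size_t i = 0; i < n; i++)
        if (objs[i]->referenceCount > 0 && strcmp(objs[i]->owner, owner) == 0)
            release(objs[i]);
}

/* Simulate page teardown with two plugin-created objects handed to
 * NPN_SetProperty and registered under `set_property_owner`.
 * Returns how many deallocate calls landed after the plugin was unloaded. */
int simulate_teardown(const char *set_property_owner) {
    g_plugin_loaded = true;
    g_dangling_calls = 0;
    NPObject a = { plugin_deallocate, 1, set_property_owner };
    NPObject b = { plugin_deallocate, 1, set_property_owner };
    NPObject *objs[] = { &a, &b };
    cleanup_owner(objs, 2, "object-element");  /* <object> element removed */
    g_plugin_loaded = false;                   /* plugin unloaded */
    cleanup_owner(objs, 2, "window");          /* window script object torn down */
    return g_dangling_calls;
}
```

A regression check for the ordering would assert that `simulate_teardown("window")` is non-zero (the reported behaviour) while rooting the objects on the `<object>` element yields zero.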

