[Webkit-unassigned] [Bug 13120] New: Plug-ins that draw through the QuickDraw interface may crash by hanging onto old GWorlds.

Mon Mar 19 11:56:38 PDT 2007

http://bugs.webkit.org/show_bug.cgi?id=13120

           Summary: Plug-ins that draw through the QuickDraw interface may
                    crash by hanging onto old GWorlds.
           Product: WebKit
           Version: 522+ (nightly)
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: UNCONFIRMED
          Severity: Blocker
          Priority: P2
         Component: Plug-ins
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mark.a at apple.com
                CC: bruceq at apple.com

This is related to http://bugs.webkit.org/show_bug.cgi?id=12515.  It turns out
that Flash plugins in particular may hang onto the GWorlds that are generated
during update events and re-use them when responding to other events (e.g.
"data came back from the internet" events).

In particular, this snippet will cause Flash to crash when WebKit draws inside
a bitmap CGContext:

<html> <head><title></title></head> <body>
<script type="text/javascript"
src="http://widgetserver.com/syndication/subscriber/InsertPanel.js?panelId=59c092a7-2fcb-418d-a633-40d76fac6bc5"></script>
</body>

The plugin hangs onto the GWorld pointer created by the new code written for
http://bugs.webkit.org/show_bug.cgi?id=12515 .  However, the new code disposes
that GWorld immediately after the response to the initial event is complete. 
When the plugin gets some data back from the Internet, it tries to draw to that
disposed GWorld.

This is on Mac OS X 10.4.9 with WebKit 522+.

-- 
Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.