[Webkit-unassigned] [Bug 80428] New: HTMLPluginElement is not destroyed on reload or navigation if getNPObject is called
bugzilla-daemon at webkit.org
Tue Mar 6 10:30:18 PST 2012
https://bugs.webkit.org/show_bug.cgi?id=80428
Summary: HTMLPluginElement is not destroyed on reload or navigation if getNPObject is called
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Plug-ins
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: dmichael at chromium.org
CC: wez at chromium.org
This bug has been spotted before, but the fix didn't cover all cases:
https://bugs.webkit.org/show_bug.cgi?id=66181
HTMLPluginElement::getNPObject looks like this:
"""
ASSERT(document()->frame());
if (!m_NPObject)
m_NPObject = document()->frame()->script()->createScriptObjectForPluginElement(this);
return m_NPObject;
"""
After this point, the NPObject (via the relevant JavaScript bindings) holds a reference on the HTMLPluginElement, and the HTMLPluginElement also owns a reference on the NPObject that wraps it. This is a circular reference, so without intervention, the HTMLPluginElement will never be destroyed.
(Probably, getNPObject should have just passed its NPObject reference to callers to avoid ever having. However, changing this behavior is probably too disruptive to existing code).
The patch in:
https://bugs.webkit.org/show_bug.cgi?id=66181
added:
"""
void HTMLPlugInElement::removedFromDocument()
{
#if ENABLE(NETSCAPE_PLUGIN_API)
printf("removedFromDocument; m_NPObject: %p.\n", m_NPObject);
if (m_NPObject) {
_NPN_ReleaseObject(m_NPObject);
m_NPObject = 0;
}
#endif
HTMLFrameOwnerElement::removedFromDocument();
}
"""
This way, when the plugin element is removed from the document, the circular reference is cleared and the HTMLPluginElement can be destroyed.
However, since removedFromDocument is not run on reload (nor, I think, on navigation), the HTMLPluginElement is still left in memory on reload or navigation. This tends to retain the associated Document object in memory.
I think the right approach (which wez suggested in his previous bug) is to release m_NPObject in detach(). I'll upload a patch soon, though I'm still struggling with coming up with a good way to write an automated test to reproduce this.
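As an added illustration (not code from the report or from WebKit), the following toy C++ refcount model reproduces the cycle described above: the wrapper object retains the element, the element retains the wrapper, and a teardown that only drops the document's reference leaks the element unless the wrapper is released first. All names (PluginElement, ScriptObject, elementFreedAfterReload) are hypothetical stand-ins.

```cpp
// Toy model of the HTMLPlugInElement <-> NPObject retain cycle. Hypothetical
// names; not WebKit code. Refcounts are plain ints to keep the cycle visible.
struct PluginElement;

// Stand-in for the NPObject the JS bindings create; it retains its element.
struct ScriptObject { PluginElement* element = nullptr; int refCount = 1; };

// Stand-in for HTMLPlugInElement; npObject mirrors m_NPObject.
struct PluginElement {
    int refCount = 1;                 // the single ref held by the document
    ScriptObject* npObject = nullptr; // element's own ref on the wrapper
    bool* destroyedFlag = nullptr;    // set when the element is actually freed
};

void releaseElement(PluginElement* e);

void releaseScriptObject(ScriptObject* o) {
    if (--o->refCount == 0) {
        releaseElement(o->element);   // binding drops its ref on the element
        delete o;
    }
}

void releaseElement(PluginElement* e) {
    if (--e->refCount == 0) {         // only reachable once the wrapper is gone
        *e->destroyedFlag = true;
        delete e;
    }
}

// Mirrors getNPObject: lazily creates the wrapper, which retains the element,
// while the element keeps its own ref in npObject -> circular reference.
ScriptObject* getNPObject(PluginElement* e) {
    if (!e->npObject) {
        e->npObject = new ScriptObject;
        e->npObject->element = e;
        ++e->refCount;
    }
    return e->npObject;
}

// Mirrors the release from bug 66181 (and the proposed detach() fix).
void releaseNPObject(PluginElement* e) {
    ScriptObject* o = e->npObject;
    e->npObject = nullptr;
    if (o) releaseScriptObject(o);
}

// Tear down as a reload does: detach() runs, removedFromDocument() does not.
// Returns true if the element was freed, false if it leaked.
bool elementFreedAfterReload(bool scriptTouchedPlugin, bool detachReleasesNPObject) {
    bool destroyed = false;
    PluginElement* e = new PluginElement;
    e->destroyedFlag = &destroyed;
    if (scriptTouchedPlugin) getNPObject(e);
    if (detachReleasesNPObject) releaseNPObject(e);  // proposed detach() behavior
    releaseElement(e);                               // document drops its ref
    return destroyed;
}
```

With the wrapper created and no release in detach(), the element's count stays at one after the document lets go, which is the leak the report describes; releasing in detach() first lets it reach zero.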