[Webkit-unassigned] [Bug 119044] [Win] Crash after plugin is unloaded.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 15 08:16:04 PDT 2014


--- Comment #11 from peavo at outlook.com  2014-07-15 08:16:20 PST ---
(In reply to comment #10)

Thanks for looking into this :)

> I still don't understand why this is an issue. In the PluginView destructor, we call:
>     m_parentFrame->script().cleanupScriptObjectsForPlugin(this);
> which invalidates all the objects created by that plug-in.This calls RootObject::invalidate() which invalidates all runtime objects using RuntimeObject::invalidate() which nulls out the instance.
> I think you should focus your effort on determining if/why that's not working correctly.

I believe some runtime objects are not invalidated, because they have become "zombies". See line 112 in runtime_root.cpp (pasted below), where the invalidate call is skipped if the weak reference is null.
The weak reference is null because the object is in the WeakImpl::Dead state.
If one of these "zombie" objects are garbage collected after the plugin is unloaded, we crash.

103    void RootObject::invalidate()
104    {
105        if (!m_isValid)
106            return;
108        {
109            HashMap<RuntimeObject*, JSC::Weak<RuntimeObject>>::iterator end = m_runtimeObjects.end();
110            for (HashMap<RuntimeObject*, JSC::Weak<RuntimeObject>>::iterator it = m_runtimeObjects.begin(); it != end; ++it) {
111                RuntimeObject* runtimeObject = it->value.get();
112                if (!runtimeObject) // Skip zombies.
113                    continue;
114                runtimeObject->invalidate();
115            }
117            m_runtimeObjects.clear();
118        }

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list