[Webkit-unassigned] [Bug 119044] [Win] Crash after plugin is unloaded.
bugzilla-daemon at webkit.org
Tue Jul 15 08:16:04 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=119044
--- Comment #11 from peavo at outlook.com 2014-07-15 08:16:20 PST ---
(In reply to comment #10)
Thanks for looking into this :)
> I still don't understand why this is an issue. In the PluginView destructor, we call:
>
> m_parentFrame->script().cleanupScriptObjectsForPlugin(this);
>
> which invalidates all the objects created by that plug-in. This calls RootObject::invalidate() which invalidates all runtime objects using RuntimeObject::invalidate() which nulls out the instance.
>
> I think you should focus your effort on determining if/why that's not working correctly.
I believe some runtime objects are not invalidated, because they have become "zombies". See line 112 in runtime_root.cpp (pasted below), where the invalidate call is skipped if the weak reference is null.
The weak reference is null because the object is in the WeakImpl::Dead state.
If one of these "zombie" objects is garbage collected after the plugin is unloaded, we crash.
103 void RootObject::invalidate()
104 {
105 if (!m_isValid)
106 return;
107
108 {
109 HashMap<RuntimeObject*, JSC::Weak<RuntimeObject>>::iterator end = m_runtimeObjects.end();
110 for (HashMap<RuntimeObject*, JSC::Weak<RuntimeObject>>::iterator it = m_runtimeObjects.begin(); it != end; ++it) {
111 RuntimeObject* runtimeObject = it->value.get();
112 if (!runtimeObject) // Skip zombies.
113 continue;
114 runtimeObject->invalidate();
115 }
116
117 m_runtimeObjects.clear();
118 }
119
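To make the sequence described in the comment above concrete, here is an added C++ illustration. It is not WebKit code: RuntimeObject, RootObject, WeakHandle and Instance are simplified stand-ins with assumed names, and the "mark dead now, finalize later" collector is a toy. It replays the scenario: one wrapper's weak handle is already dead when invalidate() runs, so the loop skips it, the wrapper keeps its raw instance pointer past plug-in unload, and the deferred finalizer then dereferences freed plug-in memory. A second variant that walks the map keys instead of the weak values is included purely as a hypothetical comparison; it is an assumption for this example, not a statement of how the bug was actually fixed.

```cpp
// Added illustration of the "zombie" scenario; NOT WebKit code.
// RuntimeObject / RootObject / WeakHandle / Instance are assumed stand-ins.
#include <map>
#include <memory>
#include <vector>

// Plug-in side object; its memory goes away when the plug-in is unloaded.
struct Instance {
    bool alive = true;
};

// JS-side wrapper holding a raw pointer into the plug-in.
struct RuntimeObject {
    Instance* instance;
    explicit RuntimeObject(Instance* i) : instance(i) {}
    void invalidate() { instance = nullptr; }
    // Finalizer run by the collector. Returns false if it dereferenced an
    // Instance the plug-in has already torn down (the crash case).
    bool finalize() const { return instance == nullptr || instance->alive; }
};

// Stand-in for JSC::Weak<RuntimeObject>: once the collector has decided the
// target is unreachable (the "Dead" state), get() yields null even though
// the wrapper itself stays allocated until it is finalized.
struct WeakHandle {
    RuntimeObject* target = nullptr;
    bool dead = false;
    RuntimeObject* get() const { return dead ? nullptr : target; }
};

// Simplified RootObject: map from raw wrapper pointer to its weak handle.
struct RootObject {
    std::map<RuntimeObject*, WeakHandle> runtimeObjects;
    bool isValid = true;

    void add(RuntimeObject* o) { runtimeObjects[o] = WeakHandle{o}; }

    // Mirrors the loop in the pasted runtime_root.cpp: zombies are skipped,
    // so a dead-but-not-yet-finalized wrapper keeps its instance pointer.
    void invalidateViaWeakValues() {
        if (!isValid) return;
        for (auto& entry : runtimeObjects) {
            RuntimeObject* o = entry.second.get();
            if (!o) continue;  // skip zombies
            o->invalidate();
        }
        runtimeObjects.clear();
        isValid = false;
    }

    // Hypothetical comparison (assumption for this example, not WebKit's fix):
    // walk the raw keys, which remain usable until the wrapper is finalized.
    void invalidateViaKeys() {
        if (!isValid) return;
        for (auto& entry : runtimeObjects)
            entry.first->invalidate();
        runtimeObjects.clear();
        isValid = false;
    }
};

// Replays the sequence from the comment: (1) two wrappers exist, (2) the GC
// marks one dead but defers finalization, (3) the plug-in is unloaded,
// (4) finalizers run. Returns true if a finalizer touched freed plug-in memory.
bool finalizerTouchesFreedInstance(bool invalidateViaKeys) {
    Instance instance;
    std::vector<std::unique_ptr<RuntimeObject>> heap;  // toy wrapper storage
    heap.push_back(std::make_unique<RuntimeObject>(&instance));
    heap.push_back(std::make_unique<RuntimeObject>(&instance));

    RootObject root;
    for (auto& o : heap) root.add(o.get());

    // Collector marks the first wrapper unreachable; finalization is deferred.
    root.runtimeObjects[heap[0].get()].dead = true;

    // Plug-in teardown path invalidates the root object, then frees the instance.
    if (invalidateViaKeys) root.invalidateViaKeys();
    else root.invalidateViaWeakValues();
    instance.alive = false;

    // A later GC cycle finalizes the wrappers.
    bool touchedFreed = false;
    for (auto& o : heap)
        if (!o->finalize()) touchedFreed = true;
    return touchedFreed;
}
```

With the skip-zombies loop, finalizerTouchesFreedInstance(false) reports that the dead-but-unfinalized wrapper still reached the torn-down instance; walking the keys instead leaves no wrapper holding a stale pointer.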