[Webkit-unassigned] [Bug 142905] New: [WinCairo] Crash when plugin window is destroyed.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 20 04:50:59 PDT 2015 

https://bugs.webkit.org/show_bug.cgi?id=142905

            Bug ID: 142905
           Summary: [WinCairo] Crash when plugin window is destroyed.
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: peavo at outlook.com

I'm getting a reproducible crash when leaving a page with a windowed plugin. Leaving the page causes the plugin window to be destroyed with the Win32 api function DestroyWindow. This will send a syncrounous WM_PARENTNOTIFY message to the parent, in this case the WebView, see https://msdn.microsoft.com/en-us/library/windows/desktop/ms632682(v=vs.85).aspx. The WebView window procedure will, when processing the WM_PARENTNOTIFY message, call UpdateWindow to paint synchronously. This will cause reentrancy problems, since we're already called from WebCore code, and then reenter WebCore painting code. In this particular case, we crash because we try to paint a deleted RenderLayer.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150320/87888f32/attachment-0002.html>

More information about the webkit-unassigned mailing list