Timestamp:
Jun 14, 2007, 2:43:03 PM (18 years ago)
Author:
andersca
Message:

JavaScriptCore:

Reviewed by Darin.

<rdar://problem/5103077>
Crash at _NPN_ReleaseObject when quitting page at http://eshop.macsales.com/shop/ModBook


<rdar://problem/5183692>
http://bugs.webkit.org/show_bug.cgi?id=13547
REGRESSION: Crash in _NPN_ReleaseObject when closing Safari on nba.com (13547)


<rdar://problem/5261499>
CrashTracer: [USER] 75 crashes in Safari at com.apple.JavaScriptCore: KJS::Bindings::CInstance::~CInstance + 40


Have the root object track all live instances of RuntimeObjectImp. When invalidating
the root object, also invalidate all live runtime objects by zeroing out their instance ivar.
This prevents instances from outliving their plug-ins, which leads to crashes.


  • bindings/c/c_utility.cpp: (KJS::Bindings::convertValueToNPVariant):
  • bindings/jni/jni_jsobject.cpp: (JavaJSObject::convertValueToJObject):
  • bindings/jni/jni_utility.cpp: (KJS::Bindings::convertValueToJValue):
  • bindings/objc/objc_runtime.mm: (ObjcFallbackObjectImp::callAsFunction):
  • bindings/runtime_array.cpp: (RuntimeArray::RuntimeArray):
  • bindings/runtime_array.h: (KJS::RuntimeArray::getConcreteArray):
  • bindings/runtime_method.cpp: (RuntimeMethod::callAsFunction):
  • bindings/runtime_method.h:
  • bindings/runtime_object.cpp: (RuntimeObjectImp::RuntimeObjectImp): (RuntimeObjectImp::~RuntimeObjectImp): (RuntimeObjectImp::invalidate): (RuntimeObjectImp::fallbackObjectGetter): (RuntimeObjectImp::fieldGetter): (RuntimeObjectImp::methodGetter): (RuntimeObjectImp::getOwnPropertySlot): (RuntimeObjectImp::put): (RuntimeObjectImp::canPut): (RuntimeObjectImp::defaultValue): (RuntimeObjectImp::implementsCall): (RuntimeObjectImp::callAsFunction): (RuntimeObjectImp::getPropertyNames): (RuntimeObjectImp::throwInvalidAccessError):
  • bindings/runtime_object.h:
  • bindings/runtime_root.cpp: (KJS::Bindings::RootObject::invalidate): (KJS::Bindings::RootObject::addRuntimeObject): (KJS::Bindings::RootObject::removeRuntimeObject):
  • bindings/runtime_root.h:

LayoutTests:

Reviewed by Darin.

Add test that manipulates plug-in script objects after the plug-in has been destroyed.


  • plugins/netscape-destroy-plugin-script-objects-expected.txt: Added.
  • plugins/netscape-destroy-plugin-script-objects.html: Added.
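
The invalidation scheme described in the commit message, as an added C++ sketch that is not part of this changeset or of WebKit's code. `PluginInstance`, `RuntimeObject`, `get()`, `liveCount()` and the error text are hypothetical stand-ins; only the `RootObject` method names are taken from the file list above.

```cpp
#include <cstddef>
#include <set>
#include <stdexcept>
#include <string>

// Simplified model of the lifetime fix; hypothetical types, not WebKit's classes.
struct PluginInstance { std::string name; };   // memory owned by the plug-in
class RuntimeObject;

class RootObject {
public:
    void addRuntimeObject(RuntimeObject* o) { m_live.insert(o); }
    void removeRuntimeObject(RuntimeObject* o) { m_live.erase(o); }
    void invalidate();                          // called when the plug-in is torn down
    std::size_t liveCount() const { return m_live.size(); }
private:
    std::set<RuntimeObject*> m_live;            // every wrapper still alive
};

class RuntimeObject {                           // script-visible wrapper, may outlive the plug-in
public:
    RuntimeObject(RootObject& r, PluginInstance* i) : m_root(&r), m_instance(i) { r.addRuntimeObject(this); }
    ~RuntimeObject() { if (m_root) m_root->removeRuntimeObject(this); }
    void invalidate() { m_instance = nullptr; m_root = nullptr; }
    // Every entry point checks the pointer before touching plug-in memory.
    std::string get() const {
        if (!m_instance) throw std::runtime_error("plug-in instance is gone");
        return m_instance->name;
    }
private:
    RootObject* m_root;
    PluginInstance* m_instance;
};

void RootObject::invalidate() {
    for (RuntimeObject* o : m_live) o->invalidate();   // zero each wrapper's instance pointer
    m_live.clear();
}

// Constructed scenario: script still holds a wrapper after the plug-in is destroyed.
bool accessAfterDestroyIsRejected() {
    RootObject root;
    PluginInstance* plugin = new PluginInstance{"constructed-plugin"};
    RuntimeObject wrapper(root, plugin);
    bool okBefore = wrapper.get() == "constructed-plugin";
    root.invalidate();
    delete plugin;                              // plug-in memory is released
    try { wrapper.get(); } catch (const std::runtime_error&) { return okBefore; }
    return false;                               // a stale access was not rejected
}
```

Without the `invalidate()` call, the final `get()` would dereference the freed `PluginInstance`, which is the use-after-free the crash reports point at.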
File:
1 edited

  • trunk/JavaScriptCore/bindings/runtime_method.h

    r23478 r23538  
    3939    RuntimeMethod(ExecState *exec, const Identifier &n, Bindings::MethodList &methodList);
    4040   
    41     virtual ~RuntimeMethod();
    42 
    4341    virtual bool getOwnPropertySlot(ExecState *, const Identifier&, PropertySlot&);
    4442
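
Review bot: The removal of `virtual ~RuntimeMethod();` (old lines 41-42) is not explained in the commit message: `bindings/runtime_method.h` is listed with no description, and `bindings/runtime_method.cpp` is listed only for `RuntimeMethod::callAsFunction`. Please add a line saying why the explicit destructor is no longer needed, and confirm that the out-of-line definition in `runtime_method.cpp` is dropped in the same change so declaration and definition stay in step. With the declaration gone the class relies on the implicit destructor, so it is also worth checking that the base class destructor is virtual, since only this header is visible here.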