<rdar://problem/8098442> Crash in Widget::setFrameRect()
https://bugs.webkit.org/show_bug.cgi?id=52375
Reviewed by Simon Fraser.
Source/WebCore:
Test: plugins/destroy-on-setwindow.html
* platform/mac/WidgetMac.mm:
(WebCore::Widget::setFrameRect): Protect the Widget from being deleted as a result of calling
out to the view.
(WebCore::Widget::getOuterView): Coding style fix.
(WebCore::Widget::paint): Protect the Widget from being deleted as a result of calling out to
the views. This is precautionary, since this function does not appear to access member variables
after such calls.
* platform/wx/WidgetWx.cpp:
(WebCore::Widget::setFrameRect): Protect the Widget from being deleted as a result of calling
out to the platform widget.
LayoutTests:
* plugins/destroy-on-setwindow-expected.txt: Added.
* plugins/destroy-on-setwindow.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@75720 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/plugins/destroy-on-setwindow.html b/LayoutTests/plugins/destroy-on-setwindow.html
new file mode 100644
index 0000000..9976ed4
--- /dev/null
+++ b/LayoutTests/plugins/destroy-on-setwindow.html
@@ -0,0 +1,23 @@
+<p>
+ Test that a plug-in that causes its Widget to be destroyed during setWindow does not cause a crash.
+</p>
+<embed id="plug-in" type="application/x-webkit-test-netscape" onSetWindow="handleSetWindow()">
+<script>
+ var plugIn = document.getElementById("plug-in");
+ var count = 0;
+
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ function handleSetWindow()
+ {
+ count++;
+
+ if (count == 2)
+ plugIn.style.width = "500px";
+ else if (count == 3)
+ plugIn.parentNode.removeChild(plugIn);
+ }
+
+ handleSetWindow();
+</script>
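Review bot: Nothing in the script records that the `count == 3` branch actually ran, so if the plug-in's setWindow callback fires fewer times than expected, or only after the text dump, the test passes without ever destroying the Widget inside the callout it is meant to cover. Making the destructive step observable would fix that: call `layoutTestController.waitUntilDone();` under the existing `window.layoutTestController` check, and call `layoutTestController.notifyDone();` in the `count == 3` branch after `removeChild` (the branch then needs braces). A run that never reaches the removal would time out instead of passing silently. The counts also deserve a comment such as `// 1: manual call below; 2: resize to force another setWindow; 3: remove the plug-in from inside setWindow`. That ordering is inferred from the script and should be confirmed against the test plug-in's behaviour.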