WebCore:
        Reviewed by Darin Adler.

        <rdar://problem/8148656> <https://bugs.webkit.org/show_bug.cgi?id=41431>
        REGRESSION (r49411): Various crashes due to JavaScript execution during plug-in destruction

        Test: plugins/write-xssauditor-from-destroy.html

        Fix specific known cases that also crash in same process case. I don't know if there is
        any rule for when documentLoader should be checked for being null, it looks like a mess.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::referrer):
        * page/XSSAuditor.cpp:
        (WebCore::XSSAuditor::findInRequest):

WebKit:

        <rdar://problem/8148656> <https://bugs.webkit.org/show_bug.cgi?id=41431>
        REGRESSION (r49411): Various crashes due to JavaScript execution during plug-in destruction

        Strengthen m_inDestroy "swipe under the carpet" fix.

        * Plugins/Hosted/NetscapePluginInstanceProxy.h: Added a long comment about m_inDestroy, and
        changed it to static.

        * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
        (WebKit::NetscapePluginInstanceProxy::NetscapePluginInstanceProxy): m_inDestroy is now
        static, so we don't initialize it in constructor.
        (WebKit::NetscapePluginInstanceProxy::destroy): Assert that we aren't already destroying
        some plug-in.
        (WebKit::NetscapePluginInstanceProxy::evaluate): This function accidentally lacked an
        m_inDestroy check in r42789.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@62279 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 721b294..6b397f6 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-07-01  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Darin Adler.
+
+        <rdar://problem/8148656> <https://bugs.webkit.org/show_bug.cgi?id=41431>
+        REGRESSION (r49411): Various crashes due to JavaScript execution during plug-in destruction
+
+        Test: plugins/write-xssauditor-from-destroy.html
+
+        Fix specific known cases that also crash in same process case. I don't know if there is
+        any rule for when documentLoader should be checked for being null, it looks like a mess.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::referrer):
+        * page/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::findInRequest):
+
 2010-07-01  Andreas Kling  <andreas.kling@nokia.com>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index 693e985..09a981b 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -3352,7 +3352,7 @@
 
 String FrameLoader::referrer() const
 {
-    return documentLoader()->request().httpReferrer();
+    return m_documentLoader ? m_documentLoader->request().httpReferrer() : "";
 }
 
 void FrameLoader::dispatchDocumentElementAvailable()
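Review bot: The null fallback in the replacement line returns the literal "", which constructs an empty String; `String()` would be the cheaper, idiomatic WebKit form and would also let a caller tell "no document loader" apart from "loader present but Referer header empty" if it ever needs to, since `return m_documentLoader ? m_documentLoader->request().httpReferrer() : String();` yields a null String in the first case. The same line also switches from the `documentLoader()` accessor to the `m_documentLoader` member; that is fine if the two are equivalent, but keeping one spelling within the file would make the null check easier to audit later. Either way the behaviour change is a safe one: a frame whose loader has already been torn down now yields no referrer instead of dereferencing null.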
diff --git a/WebCore/page/XSSAuditor.cpp b/WebCore/page/XSSAuditor.cpp
index 33a0951..22506b2 100644
--- a/WebCore/page/XSSAuditor.cpp
+++ b/WebCore/page/XSSAuditor.cpp
@@ -362,7 +362,11 @@
     if (task.string.isEmpty())
         return false;
 
-    FormData* formDataObj = frame->loader()->documentLoader()->originalRequest().httpBody();
+    DocumentLoader *documentLoader = frame->loader()->documentLoader();
+    if (!documentLoader)
+        return false;
+
+    FormData* formDataObj = documentLoader->originalRequest().httpBody();
     const bool hasFormData = formDataObj && !formDataObj->isEmpty();
     String pageURL = frame->document()->url().string();
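Review bot: Style nit on the added declaration: `DocumentLoader *documentLoader` puts the star on the variable name, while the surrounding code (`FormData* formDataObj` two lines below) attaches it to the type, so this should read `DocumentLoader* documentLoader`. The early `return false` when there is no document loader is the right failure mode for this function: with no loader there is no original request whose body could be inspected, so the auditor reports no reflected input rather than crashing, and the normal path through `formDataObj` and `pageURL` is unchanged.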