Fix pepper crash when reattaching plugins in style recalc

Method document::updateLayoutTree creates ScriptForbiddenScope. An HTML plugin can be reattached while updating layout tree. Pepper plugin can be destroyed while reattaching and executes some scripts. This execution produces crash on ScriptForbidden assert. BUG=550427 R=pfeldman@chromium.org,dcheng@chromium.org,dgozman@chromium.org Review URL: https://codereview.chromium.org/1693003002 Cr-Commit-Position: refs/heads/master@{#376084}

Fix pepper crash when reattaching plugins in style recalc
Method document::updateLayoutTree creates ScriptForbiddenScope. An HTML plugin can be reattached while updating layout tree. Pepper plugin can be destroyed while reattaching and executes some scripts. This execution produces crash on ScriptForbidden assert. BUG=550427 R=pfeldman@chromium.org,dcheng@chromium.org,dgozman@chromium.org Review URL: https://codereview.chromium.org/1693003002 Cr-Commit-Position: refs/heads/master@{#376084}
4d5765f4 · kozyatinskiy · Commit bot · 93628b8a · 4d5765f4
Commit 4d5765f4 authored Feb 17, 2016 by kozyatinskiy Committed by Commit bot Feb 18, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

third_party/WebKit/Source/core/dom/Document.cpp third_party/WebKit/Source/core/dom/Document.cpp +4 -0

No files found.
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -1729,6 +1729,10 @@ void Document::updateLayoutTree(StyleRecalcChange change)
    ASSERT(isMainThread());

    ScriptForbiddenScope forbidScript;
+    // We should forbid script execution for plugins here because update while layout is changing,
+    // HTMLPlugin element can be reattached and plugin can be destroyed. Plugin can execute scripts
+    // on destroy. It produces crash without PluginScriptForbiddenScope: crbug.com/550427.
+    PluginScriptForbiddenScope pluginForbidScript;

    if (!view() || !isActive())
        return;