OSDN Git Service
Fix V8 crashes with plugins. The extra call to _NPN_ReleaseObject inside forgetV8ObjectForNPObject is causing a double deletion.
In ScriptController::clearScriptObjects, we call Unregister (which without this change causes Release to get called in forgetV8ObjectForNpObject).
If the ref count gets to 0, we free the object in Release. Then when Unregister returns, we call Release again in the ScriptController with the
same just-free'd pointer. If we're unlucky, then the Deallocate and free gets called again. We're also trying to access members such as the reference
count and deallocation function through a dead pointer.
Also, in the case where the Flash does not clear it's window object, we call Deallocate directly inside ScriptController::clearScriptObjects. This causes
Unregister to get called (as the object is still alive) which calls Release through forgetV8ObjectForNPObject, which results in a recursive call to Deallocate,
which frees the memory. Then the stack unwinds and we happily try to free again from the first call to Deallocate.
Fix these issues by removing the extra call to NPN_ReleaseObject in forgetV8ObjectForNpObject.
Change-Id: I7f6d21cd4ff38e29bd1a178e4816d023560b6b16
OSDN Git Service
