1 files changed, 19 insertions, 3 deletions

diff --git a/src/3rdparty/webkit/WebCore/plugins/PluginView.cpp b/src/3rdparty/webkit/WebCore/plugins/PluginView.cpp
index 2c5adc5e0b..8737572a01 100644
--- a/src/3rdparty/webkit/WebCore/plugins/PluginView.cpp
+++ b/src/3rdparty/webkit/WebCore/plugins/PluginView.cpp
@@ -239,8 +239,12 @@ void PluginView::performRequest(PluginRequest* request)
             m_streams.add(stream);
             stream->start();
         } else {
+            // If the target frame is our frame, we could destroy the
+            // PluginView, so we protect it. <rdar://problem/6991251>
+            RefPtr<PluginView> protect(this);
+
             m_parentFrame->loader()->load(request->frameLoadRequest().resourceRequest(), targetFrameName, false);
-      
+
             // FIXME: <rdar://problem/4807469> This should be sent when the document has finished loading
             if (request->sendNotification()) {
                 PluginView::setCurrentPluginView(this);
@@ -481,6 +485,11 @@ PassRefPtr<JSC::Bindings::Instance> PluginView::bindingInstance()
     if (!m_plugin || !m_plugin->pluginFuncs()->getvalue)
         return 0;
 
+    // On Windows, calling Java's NPN_GetValue can allow the message loop to
+    // run, allowing loading to take place or JavaScript to run. Protect the
+    // PluginView from destruction. <rdar://problem/6978804>
+    RefPtr<PluginView> protect(this);
+
     NPError npErr;
     {
         PluginView::setCurrentPluginView(this);
@@ -491,6 +500,13 @@ PassRefPtr<JSC::Bindings::Instance> PluginView::bindingInstance()
         PluginView::setCurrentPluginView(0);
     }
 
+    if (hasOneRef()) {
+        // The renderer for the PluginView was destroyed during the above call, and
+        // the PluginView will be destroyed when this function returns, so we
+        // return null.
+        return 0;
+    }
+
     if (npErr != NPERR_NO_ERROR || !object)
         return 0;
 
@@ -667,7 +683,7 @@ bool PluginView::isCallingPlugin()
     return s_callingPlugin > 0;
 }
 
-PluginView* PluginView::create(Frame* parentFrame, const IntSize& size, Element* element, const KURL& url, const Vector<String>& paramNames, const Vector<String>& paramValues, const String& mimeType, bool loadManually)
+PassRefPtr<PluginView> PluginView::create(Frame* parentFrame, const IntSize& size, Element* element, const KURL& url, const Vector<String>& paramNames, const Vector<String>& paramValues, const String& mimeType, bool loadManually)
 {
     // if we fail to find a plugin for this MIME type, findPlugin will search for
     // a plugin by the file extension and update the MIME type, so pass a mutable String
@@ -680,7 +696,7 @@ PluginView* PluginView::create(Frame* parentFrame, const IntSize& size, Element*
         plugin = PluginDatabase::installedPlugins()->findPlugin(url, mimeTypeCopy);
     }
 
-    return new PluginView(parentFrame, size, plugin, element, url, paramNames, paramValues, mimeTypeCopy, loadManually);
+    return adoptRef(new PluginView(parentFrame, size, plugin, element, url, paramNames, paramValues, mimeTypeCopy, loadManually));
 }
 
 void PluginView::freeStringArray(char** stringArray, int length)