Comment 7 for bug 724587

This is the same report as https://bugs.launchpad.net/ubuntu/+source/nspluginwrapper/+bug/724587 on Ubuntu; I'm filing here too because, as far as I can tell, nspluginwrapper no longer has an upstream.
---

nspluginwrapper has a race condition during NPP_Destroy (called when a tab is closed) that can crash the plugin. The race happens particularly often when another tab has a video playing; I suspect this is because it causes enough traffic over the IPC to delay the processes and trigger the race.

If NPP_Destroy is called by the wrapper process at the same time the viewer (plugin) process makes some call, then, from the plugin's perspective, its call to NPN_InvalidateRect resulted in the plugin instance being destroyed from under its feet. This is, of course, nonsense, so Flash shortly crashes to let us know how silly we are being. :-)

I've written patches for this issue here
https://github.com/davidben/nspluginwrapper/commits/master

Only the second of the two patches is strictly relevant. (The other is a separate race I came across in a previous iteration of this patch.) It detects when NPP_Destroy is being called at an unsafe point and delays it to another message loop iteration. With the caveat that requests can't be reordered. So, when it must, the patch lies to the wrapper about NPP_Destroy's return values. Any delayed NPSavedData gets discarded. That said, I've never seen Flash use this feature, and the docs do allow the browser to discard them arbitrarily.

The relevant bug in Chromium is here:
http://code.google.com/p/chromium/issues/detail?id=53940