diff options
author | mark@chromium.org <mark@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-16 20:31:10 +0000 |
---|---|---|
committer | mark@chromium.org <mark@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-16 20:31:10 +0000 |
commit | 9f816f720d145872fa7ad141bfe63ea090f3840f (patch) | |
tree | fe886c69e458cab0549e4596ad18bf0d53d40747 | |
parent | 642961926500acbcc3ada6f3a5f2dc1454c1a5a8 (diff) | |
download | chromium_src-9f816f720d145872fa7ad141bfe63ea090f3840f.zip chromium_src-9f816f720d145872fa7ad141bfe63ea090f3840f.tar.gz chromium_src-9f816f720d145872fa7ad141bfe63ea090f3840f.tar.bz2 |
The plugin channel host in the renderer process should not initialize IPC
using a known-closed channel name. Instead, when the channel name is known
to be closed, initialization should fail. On POSIX systems, the channel is
created by the plugin channel in the plugin process and shared with the
renderer process over IPC. If the channel closes, the renderer process must
not attempt to reestablish it; the plugin process must do that. This serves
as early detection for and an escape from the assertion that causes renderers
to die and be replaced by a sad tab when attempting to open multiple pages
with plugins simultaneously. This resolves the Mac renderer top crash.
BUG=26754
TEST=Test case from bug 26754 comment 9 (affected Macs only):
a. Have lots of bookmarks (import Safari defaults)
b. Right-click on bookmark bar, and choose "Open All Bookmarks"
Expect: no crash, no sad tabs.
This test should be repeated many times.
Review URL: http://codereview.chromium.org/984004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41755 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/renderer/plugin_channel_host.cc | 17 | ||||
-rw-r--r-- | ipc/ipc_channel_posix.cc | 8 | ||||
-rw-r--r-- | ipc/ipc_channel_posix.h | 3 |
3 files changed, 27 insertions, 1 deletions
diff --git a/chrome/renderer/plugin_channel_host.cc b/chrome/renderer/plugin_channel_host.cc index 7dfb3b7..bddf69f 100644 --- a/chrome/renderer/plugin_channel_host.cc +++ b/chrome/renderer/plugin_channel_host.cc @@ -7,6 +7,10 @@ #include "chrome/common/plugin_messages.h" #include "chrome/plugin/npobject_base.h" +#if defined(OS_POSIX) +#include "ipc/ipc_channel_posix.h" +#endif + #include "third_party/WebKit/WebKit/chromium/public/WebBindings.h" // A simple MessageFilter that will ignore all messages and respond to sync @@ -83,6 +87,19 @@ PluginChannelHost::~PluginChannelHost() { bool PluginChannelHost::Init(MessageLoop* ipc_message_loop, bool create_pipe_now) { +#if defined(OS_POSIX) + if (!IPC::ChannelSocketExists(channel_name())) { + // Attempting to use this IPC channel would result in a crash + // inside IPC code within the PluginChannelBase::Init call. The plugin + // channel in the plugin process is supposed to have created this channel + // and sent it to this process, the renderer process. If this channel + // closes and is removed, it cannot be reused until the plugin process + // recreates it. + LOG(ERROR) << "Refusing use of missing IPC channel " << channel_name(); + return false; + } +#endif + bool ret = PluginChannelBase::Init(ipc_message_loop, create_pipe_now); is_listening_filter_ = new IsListeningFilter; channel_->AddFilter(is_listening_filter_); diff --git a/ipc/ipc_channel_posix.cc b/ipc/ipc_channel_posix.cc index 545ad0c..f6b19f7 100644 --- a/ipc/ipc_channel_posix.cc +++ b/ipc/ipc_channel_posix.cc @@ -299,6 +299,11 @@ void RemoveAndCloseChannelSocket(const std::string& name) { } // static +bool ChannelSocketExists(const std::string& name) { + return Singleton<PipeMap>()->Lookup(name) != -1; +} + +// static bool SocketPair(int* fd1, int* fd2) { int pipe_fds[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, pipe_fds) != 0) { @@ -362,7 +367,8 @@ bool Channel::ChannelImpl::CreatePipe(const std::string& channel_id, // initial channel must not be recycled here. http://crbug.com/26754. static bool used_initial_channel = false; if (used_initial_channel) { - LOG(FATAL) << "Denying attempt to reuse initial IPC channel"; + LOG(FATAL) << "Denying attempt to reuse initial IPC channel for " + << pipe_name_; return false; } used_initial_channel = true; diff --git a/ipc/ipc_channel_posix.h b/ipc/ipc_channel_posix.h index 714b150..dd45345 100644 --- a/ipc/ipc_channel_posix.h +++ b/ipc/ipc_channel_posix.h @@ -26,6 +26,9 @@ void AddChannelSocket(const std::string& name, int socket); // Remove the channel name mapping, and close the corresponding socket. void RemoveAndCloseChannelSocket(const std::string& name); +// Returns true if a channel named |name| is available. +bool ChannelSocketExists(const std::string& name); + // Construct a socket pair appropriate for IPC: UNIX domain, nonblocking. // Returns false on error. bool SocketPair(int* fd1, int* fd2); |