author | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-04 00:40:27 +0000 |
---|---|---|
committer | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-11-04 00:40:27 +0000 |
commit | 67d3db3299f54699716f9b736ddc22a522af7b81 (patch) | |
tree | 34ef3b51eeaec17cca2c156b92b5089147fdf0b1 /chrome/renderer/webplugin_delegate_proxy.cc | |
parent | 98c01eda0df03da5b7a611edc5698b1ebb075967 (diff) | |
Fix for crash in NPN_Invoke. This happened because the window script NPObject was deallocated by the script controller but WebPluginDelegateProxy wasn't telling NPObjectStub that its contained object was garbage soon enough.
BUG=1036087
Review URL: http://codereview.chromium.org/9066
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@4526 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/renderer/webplugin_delegate_proxy.cc')
-rw-r--r-- | chrome/renderer/webplugin_delegate_proxy.cc | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/chrome/renderer/webplugin_delegate_proxy.cc b/chrome/renderer/webplugin_delegate_proxy.cc
index 315fc89..67dcce2 100644
--- a/chrome/renderer/webplugin_delegate_proxy.cc
+++ b/chrome/renderer/webplugin_delegate_proxy.cc
@@ -149,30 +149,32 @@ WebPluginDelegateProxy::WebPluginDelegateProxy(const std::string& mime_type,
 }
 
 WebPluginDelegateProxy::~WebPluginDelegateProxy() {
- if (npobject_)
+}
+
+void WebPluginDelegateProxy::PluginDestroyed() {
+ plugin_ = NULL;
+
+ if (npobject_) {
+ // When we destroy the plugin instance, the NPObjectStub NULLs out its
+ // pointer to the npobject (see NPObjectStub::OnChannelError). Therefore,
+ // we release the object before destroying the instance to avoid leaking.
 NPN_ReleaseObject(npobject_);
+ npobject_ = NULL;
+ }
 
 if (window_script_object_) {
+ // The ScriptController deallocates this object independent of its ref count
+ // to avoid leaks if the plugin forgets to release it. So mark the object
+ // invalid to avoid accessing it past this point.
 window_script_object_->set_proxy(NULL);
 window_script_object_->set_invalid();
 }
-}
-
-void WebPluginDelegateProxy::PluginDestroyed() {
- plugin_ = NULL;
 
 if (channel_host_) {
- if (npobject_) {
- // When we destroy the plugin instance, the NPObjectStub NULLs out its
- // pointer to the npobject (see NPObjectStub::OnChannelError). Therefore,
- // we release the object before destroying the instance to avoid leaking.
- NPN_ReleaseObject(npobject_);
- npobject_ = NULL;
- }
-
 channel_host_->RemoveRoute(instance_id_);
 Send(new PluginMsg_DestroyInstance(instance_id_));
 }
+
 render_view_->PluginDestroyed(this);
 MessageLoop::current()->DeleteSoon(FROM_HERE, this);
 }
|
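Review bot: `window_script_object_` is still non-NULL after `set_invalid()` in the new `PluginDestroyed()`, although the added comment says the ScriptController may deallocate that object regardless of its ref count, and the proxy itself stays alive until the `DeleteSoon` task runs. Any handler that runs in that interval and touches the member could dereference freed memory, so I would clear it the same way `npobject_` is cleared just above, by adding `window_script_object_ = NULL;` after `set_invalid()`. Separately, the destructor is now empty, so a proxy deleted without going through `PluginDestroyed()` would leak `npobject_` and leave the stub holding a stale proxy pointer; no such path is visible in this hunk, but it is worth confirming against the callers. A `DCHECK(!npobject_ && !window_script_object_);` in the destructor would document and enforce the new ordering requirement.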