author: piman@chromium.org <piman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2009-08-11 22:32:38 +0000
committer: piman@chromium.org <piman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2009-08-11 22:32:38 +0000
commit: f9b1e69dc13119e673795c7ab5b7a302dcd68ee1 (patch)
tree: dacea87ffa47d536c99a0ef7e039a691a7df0ad3 /chrome/renderer
parent: 55b386100e56d244f8cf35d4485d28ab601cbfb2 (diff)
linux/mac: Fix race condition when destroying the renderer<->plugin channel
There is a race condition at plugin destruction on posix:
1- (renderer) WebPluginDelegateProxy1 opens a channel to the plugin
2- (plugin) new channel created, sends FD1 to renderer
3- (renderer) WebPluginDelegateProxy1 receives FD1, establishes the channel name -> FD1 mapping.
[...]
4- (renderer) WebPluginDelegateProxy1 asks the plugin to destroy an instance, and schedules self for delayed deletion which will release the channel and remove the mapping.
5- (plugin) this was the last instance, plugin closes its end of the channel, removes its mapping.
6- (renderer) WebPluginDelegateProxy2 opens a channel to the plugin
7- (plugin) new channel created, sends FD2 to renderer
8- (renderer) WebPluginDelegateProxy2 receives FD2, establishes the channel name -> FD2 mapping *ASSERT* because the mapping already exists (to FD1)
9- (renderer) WebPluginDelegateProxy1 deleted, causes channel host destruction and removing of channel name -> FD1 mapping

The channel host destruction in (9) needs to happen before (8). This CL does that.

BUG=18491
Review URL: http://codereview.chromium.org/165280

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23102 0039d316-1c4b-4281-b951-d872f2087c98
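The ordering problem from the commit message above, replayed in a small single-threaded model. This is an added example, not part of the commit or of Chromium's code: `FdMap`, `ChannelHost`, `Proxy` and `SecondConnectionRegisters` are hypothetical stand-ins, and the channel name and FD numbers are constructed.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Renderer-side channel name -> FD table. All names here are hypothetical.
struct FdMap {
  std::map<std::string, int> fds;
  // Returns false where the real code would hit the assertion in step 8.
  bool Insert(const std::string& name, int fd) { return fds.emplace(name, fd).second; }
  void Remove(const std::string& name) { fds.erase(name); }
};

// Stand-in for the channel host: it owns the mapping for its whole lifetime.
struct ChannelHost {
  FdMap& map;
  std::string name;
  bool registered;
  ChannelHost(FdMap& m, const std::string& n, int fd)
      : map(m), name(n), registered(m.Insert(n, fd)) {}
  ~ChannelHost() { if (registered) map.Remove(name); }
};

struct Proxy { std::shared_ptr<ChannelHost> channel_host; };

// Replays steps 1-9; returns whether step 8 could register FD2.
bool SecondConnectionRegisters(bool release_in_plugin_destroyed) {
  FdMap map;
  const std::string name = "plugin-channel";  // constructed sample name
  std::vector<std::unique_ptr<Proxy>> delete_soon;  // models delayed deletion
  auto proxy1 = std::make_unique<Proxy>();
  proxy1->channel_host = std::make_shared<ChannelHost>(map, name, 3);  // steps 1-3
  // Step 4: instance destroyed, proxy1 only scheduled for deletion.
  if (release_in_plugin_destroyed) proxy1->channel_host.reset();  // the patch
  delete_soon.push_back(std::move(proxy1));
  // Steps 6-8: a second proxy receives FD2 for the same channel name.
  Proxy proxy2;
  proxy2.channel_host = std::make_shared<ChannelHost>(map, name, 4);
  bool ok = proxy2.channel_host->registered;
  delete_soon.clear();  // step 9: proxy1 finally deleted
  return ok;
}

int main() {
  std::printf("old ordering registers FD2: %d\n", SecondConnectionRegisters(false));
  std::printf("patched ordering registers FD2: %d\n", SecondConnectionRegisters(true));
  return 0;
}
```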
Diffstat (limited to 'chrome/renderer')
-rw-r--r-- chrome/renderer/webplugin_delegate_proxy.cc 8
1 files changed, 8 insertions, 0 deletions
diff --git a/chrome/renderer/webplugin_delegate_proxy.cc b/chrome/renderer/webplugin_delegate_proxy.cc
index 4e35eff..58b1c52 100644
--- a/chrome/renderer/webplugin_delegate_proxy.cc
+++ b/chrome/renderer/webplugin_delegate_proxy.cc
@@ -208,6 +208,14 @@ void WebPluginDelegateProxy::PluginDestroyed() {
if (channel_host_) {
channel_host_->RemoveRoute(instance_id_);
Send(new PluginMsg_DestroyInstance(instance_id_));
+ // Release the channel host now. If we are is the last reference to the
+ // channel, this avoids a race where this renderer asks a new connection to
+ // the same plugin between now and the time 'this' is actually deleted.
+ // Destroying the channel host is what releases the channel name -> FD
+ // association on POSIX, and if we ask for a new connection before it is
+ // released, the plugin will give us a new FD, and we'll assert when trying
+ // to associate it with the channel name.
+ channel_host_ = NULL;
}
render_view_->PluginDestroyed(this);
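Review bot: After `channel_host_ = NULL;` the proxy stays alive until its delayed deletion, so any member that can still run in that window has to tolerate a null `channel_host_`. Only this function's `if (channel_host_)` guard is visible here, so please confirm that the other users of the member (Send() in particular) check it too, or state in the comment that nothing touches the channel after PluginDestroyed(). Two wording nits in the added comment: "If we are is the last reference" should read "If we are the last reference", and "asks a new connection" should read "asks for a new connection".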