diff options
author | piman@chromium.org <piman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-11 22:32:38 +0000 |
---|---|---|
committer | piman@chromium.org <piman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-08-11 22:32:38 +0000 |
commit | f9b1e69dc13119e673795c7ab5b7a302dcd68ee1 (patch) | |
tree | dacea87ffa47d536c99a0ef7e039a691a7df0ad3 /chrome/renderer | |
parent | 55b386100e56d244f8cf35d4485d28ab601cbfb2 (diff) | |
download | chromium_src-f9b1e69dc13119e673795c7ab5b7a302dcd68ee1.zip chromium_src-f9b1e69dc13119e673795c7ab5b7a302dcd68ee1.tar.gz chromium_src-f9b1e69dc13119e673795c7ab5b7a302dcd68ee1.tar.bz2 |
linux/mac: Fix race condition when destroying the renderer<->plugin channel
There is a race condition at plugin destruction on posix:
1- (renderer) WebPluginDelegateProxy1 opens a channel to the plugin
2- (plugin) new channel created, sends FD1 to renderer
3- (renderer) WebPluginDelegateProxy1 receives FD1, establishes the channel name -> FD1 mapping.
[...]
4- (renderer) WebPluginDelegateProxy1 asks the plugin to destroy an instance, and schedules self for delayed deletion which will release the channel and remove the mapping.
5- (plugin) this was the last instance, plugin closes its end of the channel, removes its mapping.
6- (renderer) WebPluginDelegateProxy2 opens a channel to the plugin
7- (plugin) new channel created, sends FD2 to renderer
8- (renderer) WebPluginDelegateProxy2 receives FD2, establishes the channel name -> FD2 mapping *ASSERT* because the mapping already exists (to FD1)
9- (renderer) WebPluginDelegateProxy1 deleted, causes channel host destruction and removing of channel name -> FD1 mapping
The channel host destruction in (9) needs to happen before (8). This CL does that.
BUG=18491
Review URL: http://codereview.chromium.org/165280
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23102 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/renderer')
-rw-r--r-- | chrome/renderer/webplugin_delegate_proxy.cc | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/chrome/renderer/webplugin_delegate_proxy.cc b/chrome/renderer/webplugin_delegate_proxy.cc index 4e35eff..58b1c52 100644 --- a/chrome/renderer/webplugin_delegate_proxy.cc +++ b/chrome/renderer/webplugin_delegate_proxy.cc @@ -208,6 +208,14 @@ void WebPluginDelegateProxy::PluginDestroyed() { if (channel_host_) { channel_host_->RemoveRoute(instance_id_); Send(new PluginMsg_DestroyInstance(instance_id_)); + // Release the channel host now. If we are is the last reference to the + // channel, this avoids a race where this renderer asks a new connection to + // the same plugin between now and the time 'this' is actually deleted. + // Destroying the channel host is what releases the channel name -> FD + // association on POSIX, and if we ask for a new connection before it is + // released, the plugin will give us a new FD, and we'll assert when trying + // to associate it with the channel name. + channel_host_ = NULL; } render_view_->PluginDestroyed(this); |