Candidate fix for bug 44108. The FromBindContext function was inherently racy as it returned a pointer to a non-addrefed pointer and the AddRef/Release implementation in the BindContextInfo was not thread safe.

Also fixed BSCBStorageBind object leak.

TEST=See bug description 
BUG=44108

Review URL: http://codereview.chromium.org/2080005

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47306 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 9 insertions, 4 deletions

diff --git a/chrome_frame/bind_context_info.h b/chrome_frame/bind_context_info.h
index d41c440..07ec284 100644
--- a/chrome_frame/bind_context_info.h
+++ b/chrome_frame/bind_context_info.h
@@ -19,9 +19,10 @@ IBindContextInfoInternal : public IUnknown {
 
 // This class maintains contextual information used by ChromeFrame.
 // This information is maintained in the bind context.
-class BindContextInfo
-  : public IBindContextInfoInternal,
-    public CComObjectRoot {
+// Association with GUID_NULL is for convenience.
+class __declspec(uuid("00000000-0000-0000-0000-000000000000")) BindContextInfo
+  : public CComObjectRootEx<CComMultiThreadModel>,
+    public IBindContextInfoInternal {
  public:
   BindContextInfo();
   ~BindContextInfo();
@@ -33,7 +34,10 @@ class BindContextInfo
 
   // Returns the BindContextInfo instance associated with the bind
   // context. Creates it if needed.
-  static BindContextInfo* FromBindContext(IBindCtx* bind_context);
+  // The returned info object will be AddRef-ed on return, so use
+  // ScopedComPtr<>::Receive() to receive this pointer.
+  static HRESULT FromBindContext(IBindCtx* bind_context,
+                                 BindContextInfo** info);
 
   void set_chrome_request(bool chrome_request) {
     chrome_request_ = chrome_request;
@@ -79,6 +83,7 @@ class BindContextInfo
  protected:
   STDMETHOD(GetCppObject)(void** me) {
     DCHECK(me);
+    AddRef();
     *me = static_cast<BindContextInfo*>(this);
     return S_OK;
   }