authorwez@chromium.org <wez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-09-06 23:52:06 +0000
committerwez@chromium.org <wez@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-09-06 23:52:06 +0000
commit4c78f7a2bde646d8dec227c06e26e77e406e7f72 (patch)
treeabd1362cf90340ce2a6e38fed7447ce84eee0fb5 /content/plugin
parent60550c8109b8b14a2d37fbd3fcda41a77f006f44 (diff)
Remove the detach-but-don't-release special-case for the window script object.
- Why remove the special case? WebKit's script controllers have a special-case for the window script object, which deallocates it regardless of reference-count, on the assumption that by the time the relevant call (clearScriptObjects) is made, no callers can remain which hold references to it - this prevents it from lingering indefinitely if the plugin forgets to release it. WebPluginDelegateProxy has a special-case for handling the window script object, which tries to cope with the case where clearScriptObjects has been called before the plugin is destroyed (which should never happen), by avoiding trying to release the window script object, and instead relying on WebKit deallocating it. This workaround doesn't actually work; if WebKit is behaving then the object exists at plugin teardown time, and it's safe for code to touch it. If it doesn't exist any more, then we may still touch it if the plugin tries to script the window, or to release the reference. Even if neither of those occurs, the stub for the object may release it when the last plugin instance's channel is torn-down, before the workaround can be hit. We still need to explicitly tear-down the window script object's stub if the plugin failed to release it, so that it won't linger and end up being released after WebKit has already deallocated it. Review URL: http://codereview.chromium.org/7696016 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@99869 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/plugin')
-rw-r--r--content/plugin/npobject_stub.cc9
-rw-r--r--content/plugin/npobject_stub.h12
2 files changed, 9 insertions, 12 deletions
diff --git a/content/plugin/npobject_stub.cc b/content/plugin/npobject_stub.cc
index 79aae70..b3e1441 100644
--- a/content/plugin/npobject_stub.cc
+++ b/content/plugin/npobject_stub.cc
@@ -39,7 +39,7 @@ NPObjectStub::~NPObjectStub() {
CHECK(!npobject_);
}
-void NPObjectStub::DeleteSoon(bool release_npobject) {
+void NPObjectStub::DeleteSoon() {
if (npobject_) {
channel_->RemoveMappingForNPObjectStub(route_id_, npobject_);
@@ -49,8 +49,7 @@ void NPObjectStub::DeleteSoon(bool release_npobject) {
NPObject* npobject = npobject_;
npobject_ = NULL;
- if (release_npobject)
- WebBindings::releaseObject(npobject);
+ WebBindings::releaseObject(npobject);
MessageLoop::current()->DeleteSoon(FROM_HERE, this);
}
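Review bot: The now-unconditional `WebBindings::releaseObject(npobject);` is only safe while the NPObject is still alive, and nothing in this hunk states or checks that precondition. The commit message says WebKit deallocates the window script object regardless of reference count and that its stub must be torn down explicitly first, but that tear-down is not part of this diff (limited to content/plugin), so the invariant is invisible to a reader of npobject_stub.cc. I would add a comment above the call, e.g. `// Requires that the NPObject is still alive: the window script object's stub must be torn down before WebKit deallocates it.`, and repeat the precondition on the `DeleteSoon()` declaration in npobject_stub.h. Without it, a later change that lets a stub outlive that point would release an already-freed object. The body of `DeleteSoon()` starts outside this hunk.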
@@ -102,12 +101,12 @@ bool NPObjectStub::OnMessageReceived(const IPC::Message& msg) {
}
void NPObjectStub::OnChannelError() {
- DeleteSoon(true);
+ DeleteSoon();
}
void NPObjectStub::OnRelease(IPC::Message* reply_msg) {
Send(reply_msg);
- DeleteSoon(true);
+ DeleteSoon();
}
void NPObjectStub::OnHasMethod(const NPIdentifier_Param& name,
diff --git a/content/plugin/npobject_stub.h b/content/plugin/npobject_stub.h
index 3584cfe..d48fa09 100644
--- a/content/plugin/npobject_stub.h
+++ b/content/plugin/npobject_stub.h
@@ -38,13 +38,11 @@ class NPObjectStub : public IPC::Channel::Listener,
const GURL& page_url);
virtual ~NPObjectStub();
- // Cause the stub to ignore any further IPC messages, and to tear itself down
- // the next time control returns to the message loop.
- // The NPObject will be released only if |release_npobject| is true.
- // This is used for the window script object stub in the renderer, which is
- // freed with NPN_DeallocateObject to avoid leaks, and so we must not try to
- // release it.
- void DeleteSoon(bool release_npobject);
+ // Schedules tear-down of this stub. The underlying NPObject reference is
+ // released, and further invokations form the IPC channel will fail once this
+ // call has returned. Deletion of the stub is deferred to the main loop, in
+ // case it is touched as the stack unwinds.
+ void DeleteSoon();
// IPC::Message::Sender implementation:
virtual bool Send(IPC::Message* msg);
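Review bot: The new comment on `DeleteSoon()` contains two typos that make the sentence hard to parse: "invokations form the IPC channel" should read "invocations from the IPC channel", i.e. `// released, and further invocations from the IPC channel will fail once this`. It also says deletion is deferred to "the main loop", while the implementation in npobject_stub.cc posts to `MessageLoop::current()`; "the current message loop" would match the code. The class declaration continues outside this hunk.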