diff options
| author | eroman@chromium.org <eroman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-08-30 01:15:06 +0000 |
|---|---|---|
| committer | eroman@chromium.org <eroman@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-08-30 01:15:06 +0000 |
| commit | c16ed34dad105cd5e8a1f0215f3650cf31507bc6 (patch) | |
| tree | d07f96e51233c07a763777614b7602da3019c7e6 /content/plugin | |
| parent | 6e9fc216b0e54f78abaf9faee62aa7bd0d786e21 (diff) | |
| download | chromium_src-c16ed34dad105cd5e8a1f0215f3650cf31507bc6.zip chromium_src-c16ed34dad105cd5e8a1f0215f3650cf31507bc6.tar.gz chromium_src-c16ed34dad105cd5e8a1f0215f3650cf31507bc6.tar.bz2 | |
NULL nobject_ in the stub prior to deallocating the object, to avoid re-entrancy into NPObjectStub::DeleteSoon() during NPObjectStub::OnChannelError() from double-deleting the stub.
BUG=94179
Review URL: http://codereview.chromium.org/7792007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@98746 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/plugin')
| -rw-r--r-- | content/plugin/npobject_stub.cc | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/content/plugin/npobject_stub.cc b/content/plugin/npobject_stub.cc index 34d631d..9b94385 100644 --- a/content/plugin/npobject_stub.cc +++ b/content/plugin/npobject_stub.cc @@ -116,9 +116,16 @@ void NPObjectStub::DeleteSoon(bool release_npobject) { if (npobject_) { channel_->RemoveMappingForNPObjectStub(route_id_, npobject_); - if (release_npobject) - WebBindings::releaseObject(npobject_); + + // We need to NULL npobject_ prior to calling releaseObject() to avoid + // problems with re-entrancy. See http://crbug.com/94179#c17 for more + // details on how this can happen. + NPObject* npobject = npobject_; npobject_ = NULL; + + if (release_npobject) + WebBindings::releaseObject(npobject); + MessageLoop::current()->PostTask( FROM_HERE, NewRunnableFunction( |