| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-06-21 23:38:54 +0000 |
|---|---|---|
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-06-21 23:38:54 +0000 |
| commit | 35c65c3f9672d7ebc2668f2375a4bc46b564a1db (patch) | |
| tree | cb413feb0ae362b1b1864786b2d0331618505aa1 /content | |
| parent | 2deab81fb7d992a24ab6bd7b60d80589b746d836 (diff) | |
Fix a plugin process crash which occurs in the destructor of the NPObjectProxy object.

Here we send out a sync message NPObjectMsg_Release to the renderer to destroy the corresponding stub. In the context of this outgoing sync call we get an incoming sync message to create a new plugin instance. The plugin in this context retrieves the window object and eventually invokes on it. The NPObjectProxy instance is reused if it points to the same underlying NPObject. This is reused based on the existence of the NPObjectProxy routing id in a map maintained by the plugin channel.

In this case we end up reusing an NPObjectProxy instance which is being destroyed. This results in a crash when the call sequence unwinds.

The fix is to remove the NPObjectProxy routing id from the channel map before sending out the NPObjectMsg_Release sync message.
Fixes bug http://code.google.com/p/chromium/issues/detail?id=86576
BUG=86576
TEST=manually as described in the bug.
Review URL: http://codereview.chromium.org/7201013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@89930 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r-- | content/plugin/npobject_proxy.cc | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/content/plugin/npobject_proxy.cc b/content/plugin/npobject_proxy.cc index 4a59b6b..8772b2a 100644 --- a/content/plugin/npobject_proxy.cc +++ b/content/plugin/npobject_proxy.cc @@ -68,11 +68,14 @@ NPObjectProxy::NPObjectProxy( NPObjectProxy::~NPObjectProxy() { if (channel_.get()) { + // This NPObjectProxy instance is now invalid and should not be reused for + // requests initiated by plugins. We may receive requests for the + // same NPObject in the context of the outgoing NPObjectMsg_Release call. + // We should be creating new NPObjectProxy instances to wrap these + // NPObjects. + channel_->RemoveMappingForNPObjectProxy(route_id_); + channel_->RemoveRoute(route_id_); Send(new NPObjectMsg_Release(route_id_)); - if (channel_.get()) { - channel_->RemoveRoute(route_id_); - channel_->RemoveMappingForNPObjectProxy(route_id_); - } } } |
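Review bot: with `channel_->RemoveRoute(route_id_);` now executed before `Send(new NPObjectMsg_Release(route_id_));`, any message addressed to route_id_ that arrives while the sync Send is pumping nested messages has no registered listener on this channel; since the commit message describes exactly such re-entrant traffic during the Release call, the review should confirm (and the new comment could state) that the channel silently drops messages for a removed route rather than treating them as an error. The reorder also makes the old post-Send `if (channel_.get())` re-check redundant, which the hunk correctly removes along with the duplicated RemoveRoute/RemoveMappingForNPObjectProxy calls. Given TEST=manually, a regression test that reproduces the nested create-instance-during-Release sequence would be the natural follow-up to keep this ordering from being reverted accidentally.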