diff options
| author | brettw@chromium.org <brettw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-10-11 04:17:06 +0000 |
|---|---|---|
| committer | brettw@chromium.org <brettw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-10-11 04:17:06 +0000 |
| commit | e39690735bac27e261e00ad237d734827cf1e3c7 (patch) | |
| tree | 7848d50c2ef186e8d1d99a29a50e06e98889a40a /ppapi/proxy/host_dispatcher.cc | |
| parent | 6fdefb06df4668407059c7dd4cfeaf1ff842b8eb (diff) | |
| download | chromium_src-e39690735bac27e261e00ad237d734827cf1e3c7.zip chromium_src-e39690735bac27e261e00ad237d734827cf1e3c7.tar.gz chromium_src-e39690735bac27e261e00ad237d734827cf1e3c7.tar.bz2 | |
Prevent reentrant destructors in the PluginModule.
This makes us not hold a ref to the PluginModule during sending async messages.
Previously we would cancel callbacks in the PluginModule destructor and this
would change the ref count from 0 to 1, and then back to 0, calling reentrantly
into the destructor again.
Not holding a ref during async messages prevent this problem. I also added
some checking to detect sync messages during shutdown, and also reentrant
destructors should this happen again.
BUG = http://crosbug.com/21258, http://crbug.com/99398
Review URL: http://codereview.chromium.org/8222021
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@104847 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'ppapi/proxy/host_dispatcher.cc')
| -rw-r--r-- | ppapi/proxy/host_dispatcher.cc | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/ppapi/proxy/host_dispatcher.cc b/ppapi/proxy/host_dispatcher.cc index 91a3759..1205189 100644 --- a/ppapi/proxy/host_dispatcher.cc +++ b/ppapi/proxy/host_dispatcher.cc @@ -134,21 +134,33 @@ bool HostDispatcher::Send(IPC::Message* msg) { TRACE_EVENT2("ppapi proxy", "HostDispatcher::Send", "Class", IPC_MESSAGE_ID_CLASS(msg->type()), "Line", IPC_MESSAGE_ID_LINE(msg->type())); - // Prevent the dispatcher from going away during the call. Scenarios - // where this could happen include a Send for a sync message which while - // waiting for the reply, dispatches an incoming ExecuteScript call which - // destroys the plugin module and in turn the dispatcher. - ScopedModuleReference ref(this); // Normal sync messages are set to unblock, which would normally cause the // plugin to be reentered to process them. We only want to do this when we // know the plugin is in a state to accept reentrancy. Since the plugin side // never clears this flag on messages it sends, we can't get deadlock, but we // may still get reentrancy in the host as a result. - if (!allow_plugin_reentrancy_) msg->set_unblock(false); - return Dispatcher::Send(msg); + + if (msg->is_sync()) { + // Don't allow sending sync messages during module shutdown. Seee the "else" + // block below for why. + CHECK(!PP_ToBool(ppb_proxy()->IsInModuleDestructor(pp_module()))); + + // Prevent the dispatcher from going away during sync calls. Scenarios + // where this could happen include a Send for a sync message which while + // waiting for the reply, dispatches an incoming ExecuteScript call which + // destroys the plugin module and in turn the dispatcher. + ScopedModuleReference scoped_ref(this); + return Dispatcher::Send(msg); + } else { + // We don't want to have a scoped ref for async message cases since since + // async messages are sent during module desruction. In this case, the + // module will have a 0 refcount and addrefing and releasing it will + // reenter the destructor and it will crash. + return Dispatcher::Send(msg); + } } bool HostDispatcher::OnMessageReceived(const IPC::Message& msg) { |