author | piman@google.com <piman@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-01 18:20:42 +0000 |
---|---|---|
committer | piman@google.com <piman@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-01 18:20:42 +0000 |
commit | 12dbac9439ee29ee20ecca164fee4b5cb35223e2 (patch) | |
tree | 03d386909a6ad534f56e725d0d2b2b3ae1d190f1 /ppapi | |
parent | f2d3ce0dc513f6eb62bf9ba530e75aadde27791c (diff) | |
Fix resource destruction in proxy
This ensures that the resource on the plugin side is destroyed before we send
the message to the host, so that it has a chance to do proper cleanup.
Also, fix Surface3D destruction that could cause a write-after-free.
BUG=none
TEST=go to youtube with out-of-process pepper flash. click on fullscreen.
observe no hang, no crash
Review URL: http://codereview.chromium.org/6771042
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@80188 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'ppapi')
-rw-r--r-- | ppapi/proxy/plugin_resource_tracker.cc | 35 | ||||
-rw-r--r-- | ppapi/proxy/plugin_resource_tracker.h | 5 | ||||
-rw-r--r-- | ppapi/proxy/ppb_surface_3d_proxy.cc | 5 | ||||
-rw-r--r-- | ppapi/proxy/ppb_surface_3d_proxy.h | 3 |
4 files changed, 25 insertions, 23 deletions
diff --git a/ppapi/proxy/plugin_resource_tracker.cc b/ppapi/proxy/plugin_resource_tracker.cc
index 0c4bdfb..2e9e32a 100644
--- a/ppapi/proxy/plugin_resource_tracker.cc
+++ b/ppapi/proxy/plugin_resource_tracker.cc
@@ -120,24 +120,25 @@ void PluginResourceTracker::ReleasePluginResourceRef(
 return;
 found->second.ref_count--;
 if (found->second.ref_count == 0) {
- PluginResource* plugin_resource = found->second.resource.get();
- if (notify_browser_on_release)
- SendReleaseResourceToHost(resource, plugin_resource);
- host_resource_map_.erase(plugin_resource->host_resource());
+ // Keep a reference while removing in case the destructor ends up
+ // re-entering. That way, when the destructor is called, it's out of the
+ // maps.
+ linked_ptr<PluginResource> plugin_resource = found->second.resource;
+ PluginDispatcher* dispatcher =
+ PluginDispatcher::GetForInstance(plugin_resource->instance());
+ HostResource host_resource = plugin_resource->host_resource();
+ host_resource_map_.erase(host_resource);
 resource_map_.erase(found);
- }
-}
-
-void PluginResourceTracker::SendReleaseResourceToHost(
- PP_Resource resource_id,
- PluginResource* resource) {
- PluginDispatcher* dispatcher =
- PluginDispatcher::GetForInstance(resource->instance());
- if (dispatcher) {
- dispatcher->Send(new PpapiHostMsg_PPBCore_ReleaseResource(
- INTERFACE_ID_PPB_CORE, resource->host_resource()));
- } else {
- NOTREACHED();
+ plugin_resource.reset();
+
+ if (notify_browser_on_release) {
+ if (dispatcher) {
+ dispatcher->Send(new PpapiHostMsg_PPBCore_ReleaseResource(
+ INTERFACE_ID_PPB_CORE, host_resource));
+ } else {
+ NOTREACHED();
+ }
+ }
 }
 }
diff --git a/ppapi/proxy/plugin_resource_tracker.h b/ppapi/proxy/plugin_resource_tracker.h
index db3634a..f0d25f23 100644
--- a/ppapi/proxy/plugin_resource_tracker.h
+++ b/ppapi/proxy/plugin_resource_tracker.h
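Review bot: `dispatcher` is fetched before `plugin_resource.reset()` but dereferenced after it, while the new comment in this hunk says the resource destructor may re-enter the tracker; if any such destructor path can tear down the instance's dispatcher, the later `dispatcher->Send(...)` runs on a stale pointer. Saving the instance instead (`PP_Instance instance = plugin_resource->instance();`, assuming `instance()` returns a `PP_Instance`) and calling `PluginDispatcher::GetForInstance(instance)` after the reset would make the existing null check cover that case. Separately, `reset()` only runs the destructor when this `linked_ptr` is the last owner, so the "destroyed before we send" ordering depends on the map entry being the sole owner, which the hunk does not show; a short comment stating that assumption next to the `reset()` call would help. The body of `ReleasePluginResourceRef` starts above the hunk.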
@@ -75,11 +75,6 @@ class PluginResourceTracker {
 void ReleasePluginResourceRef(const PP_Resource& var,
 bool notify_browser_on_release);
- // Sends a ReleaseResource message to the host corresponding to the given
- // resource.
- void SendReleaseResourceToHost(PP_Resource resource_id,
- PluginResource* resource);
-
 // Map of plugin resource IDs to the information tracking that resource.
 typedef std::map<PP_Resource, ResourceInfo> ResourceMap;
 ResourceMap resource_map_;
diff --git a/ppapi/proxy/ppb_surface_3d_proxy.cc b/ppapi/proxy/ppb_surface_3d_proxy.cc
index fc97c46..856d121 100644
--- a/ppapi/proxy/ppb_surface_3d_proxy.cc
+++ b/ppapi/proxy/ppb_surface_3d_proxy.cc
@@ -16,6 +16,11 @@
 namespace pp {
 namespace proxy {
+Surface3D::~Surface3D() {
+ if (context_)
+ context_->BindSurfaces(NULL, NULL);
+}
+
 namespace {
 PP_Resource Create(PP_Instance instance,
diff --git a/ppapi/proxy/ppb_surface_3d_proxy.h b/ppapi/proxy/ppb_surface_3d_proxy.h
index 70054bd..a805af0 100644
--- a/ppapi/proxy/ppb_surface_3d_proxy.h
+++ b/ppapi/proxy/ppb_surface_3d_proxy.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
@@ -30,6 +30,7 @@ class Surface3D : public PluginResource {
 context_(NULL),
 current_flush_callback_(PP_BlockUntilComplete()) {
 }
+ virtual ~Surface3D();
 // Resource overrides.
 virtual Surface3D* AsSurface3D() { return this; } |
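Review bot: `Surface3D::~Surface3D()` in ppb_surface_3d_proxy.cc dereferences the raw `context_` pointer, which is only safe if the bound context outlives the surface or clears the surface's `context_` when the context is destroyed first; neither is visible in this diff. If the context side does not already do that, the write-after-free this commit fixes can recur in the opposite release order (context first, then surface). I would state the invariant above the destructor, for example `// context_ is not owned; the context must clear it before being destroyed.`, and confirm the matching cleanup exists in the context's teardown.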