author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-30 23:12:48 +0000 |
---|---|---|
committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-09-30 23:12:48 +0000 |
commit | f982beecb07c83521a148225b116d3bcf60596e5 (patch) | |
tree | cf4fef350c6df40defb2d843a93876ba31868a3d /webkit/plugins/ppapi/plugin_object.cc | |
parent | 4a68c9ef3c575519b757581a3c9dca94140eb15c (diff) | |
Fix a crash in the renderer process which occurs in the PPAPI host code due to the underlying plugin
object getting destroyed in the context of an incoming ExecuteScript call while the renderer is waiting
for a JavaScript function call on the plugin object to return.
We need to grab a reference on the plugin module in the dispatcher code and in the plugin object, as
there are two crashes which occur here:
1. When the dispatcher Send is about to return from the Send call and it tries to unmarshal the return
values.
2. The other crash is in the wrapper class Invoke function, where we crash similarly.
Fixes bug http://code.google.com/p/flapper/issues/detail?id=77
Review URL: http://codereview.chromium.org/8098001
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@103570 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/plugins/ppapi/plugin_object.cc')
-rw-r--r-- | webkit/plugins/ppapi/plugin_object.cc | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/webkit/plugins/ppapi/plugin_object.cc b/webkit/plugins/ppapi/plugin_object.cc index 153ce87..7b58456 100644 --- a/webkit/plugins/ppapi/plugin_object.cc +++ b/webkit/plugins/ppapi/plugin_object.cc @@ -77,6 +77,13 @@ bool WrapperClass_Invoke(NPObject* object, NPIdentifier method_name, PPVarArrayFromNPVariantArray args(accessor.object()->instance(), argc, argv); + // For the OOP plugin case we need to grab a reference on the plugin module + // object to ensure that it is not destroyed courtsey an incoming + // ExecuteScript call which destroys the plugin module and in turn the + // dispatcher. + scoped_refptr<webkit::ppapi::PluginModule> ref( + accessor.object()->instance()->module()); + return result_converter.SetResult(accessor.object()->ppp_class()->Call( accessor.object()->ppp_class_data(), accessor.identifier(), argc, args.array(), result_converter.exception())); @@ -91,6 +98,13 @@ bool WrapperClass_InvokeDefault(NPObject* np_object, const NPVariant* argv, PPVarArrayFromNPVariantArray args(obj->instance(), argc, argv); PPResultAndExceptionToNPResult result_converter(obj->GetNPObject(), result); + // For the OOP plugin case we need to grab a reference on the plugin module + // object to ensure that it is not destroyed courtsey an incoming + // ExecuteScript call which destroys the plugin module and in turn the + // dispatcher. + scoped_refptr<webkit::ppapi::PluginModule> ref( + obj->instance()->module()); + result_converter.SetResult(obj->ppp_class()->Call( obj->ppp_class_data(), PP_MakeUndefined(), argc, args.array(), result_converter.exception())); |
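Review bot: In the WrapperClass_Invoke hunk, the new comment has a typo ("courtsey" should be "courtesy") and it should state precisely which lifetime the `scoped_refptr<webkit::ppapi::PluginModule> ref` covers. As written, the ref keeps the `PluginModule` (and therefore the dispatcher) alive across the synchronous `ppp_class()->Call(...)`, but nothing in the hunk shows what keeps `accessor.object()` and its `instance()` alive if the re-entrant ExecuteScript call tears down the instance as well, and those are still dereferenced to build the `Call` arguments and to feed `result_converter.SetResult(...)` afterwards. Suggest naming the local `module_ref` and extending the comment to say either that the instance/object lifetime is guaranteed by another mechanism or that only the dispatcher teardown is being prevented here.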
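Review bot: In the WrapperClass_InvokeDefault hunk, the four-line comment and the `scoped_refptr<webkit::ppapi::PluginModule> ref(...)` acquisition are duplicated verbatim from WrapperClass_Invoke, typo included; a single comment in one place with a short cross-reference (or a tiny helper that returns the module ref) would keep the two from drifting. Note also that `PPResultAndExceptionToNPResult result_converter(obj->GetNPObject(), result);` is constructed before the ref is taken and `result_converter.SetResult(...)` runs after `Call` returns, so the module ref only guards the dispatcher across that call; the comment should say whether `obj` itself is guaranteed to outlive the call or whether a reference on the NPObject is also needed.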