authorbrettw@chromium.org <brettw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-18 20:51:18 +0000
committerbrettw@chromium.org <brettw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-18 20:51:18 +0000
commit3502a996955e749fa48f202ee27a63fbda528c03 (patch)
tree68f02d46f25c94cc4efee9116c84c69e5da59a57 /webkit/plugins/ppapi
parent88ddb358c1ccf049220487925ea9831e5f8ea452 (diff)
Keep the module in scope when executing scripts. This prevents a crash when the
script deletes the plugin object synchronously. This in turn deletes the dispatcher, which will make the code returning the out param and exception to the plugin crash. To prevent the crash, this patch adds a way for the proxy to manipulate the refcount of the plugin object so that it stays alive as long as the scripting message is being processed. A manual test is included. This is not automatically run now. I tried to fit it into the current test infrastructure and found it very challenging. We need to revisit this to allow custom tests to be written more easily. TEST=manual with included plugin and html BUG=none Review URL: http://codereview.chromium.org/6881012 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81993 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/plugins/ppapi')
-rw-r--r--webkit/plugins/ppapi/ppapi_plugin_instance.cc2
-rw-r--r--webkit/plugins/ppapi/ppb_proxy_impl.cc16
2 files changed, 17 insertions, 1 deletions
diff --git a/webkit/plugins/ppapi/ppapi_plugin_instance.cc b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
index cd2d59f..78df75b 100644
--- a/webkit/plugins/ppapi/ppapi_plugin_instance.cc
+++ b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
@@ -664,6 +664,8 @@ PP_Var PluginInstance::ExecuteScript(PP_Var script, PP_Var* exception) {
NPVariant result;
bool ok = WebBindings::evaluate(NULL, frame->windowObject(), &np_script,
&result);
+ // DANGER! |this| could be deleted at this point if the script removed the
+ // plugin from the DOM.
if (!ok) {
// TODO(brettw) bug 54011: The TryCatch isn't working properly and
// doesn't actually catch this exception.
diff --git a/webkit/plugins/ppapi/ppb_proxy_impl.cc b/webkit/plugins/ppapi/ppb_proxy_impl.cc
index 9c69891..fc861af 100644
--- a/webkit/plugins/ppapi/ppb_proxy_impl.cc
+++ b/webkit/plugins/ppapi/ppb_proxy_impl.cc
@@ -44,11 +44,25 @@ int32_t GetURLLoaderBufferedBytes(PP_Resource url_loader) {
return loader->buffer_size();
}
+void AddRefModule(PP_Module module) {
+ PluginModule* plugin_module = ResourceTracker::Get()->GetModule(module);
+ if (plugin_module)
+ plugin_module->AddRef();
+}
+
+void ReleaseModule(PP_Module module) {
+ PluginModule* plugin_module = ResourceTracker::Get()->GetModule(module);
+ if (plugin_module)
+ plugin_module->Release();
+}
+
const PPB_Proxy_Private ppb_proxy = {
&PluginCrashed,
&GetInstanceForResource,
&SetReserveInstanceIDCallback,
- &GetURLLoaderBufferedBytes
+ &GetURLLoaderBufferedBytes,
+ &AddRefModule,
+ &ReleaseModule
};
} // namespace
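Review bot: ReleaseModule can drop the last reference and, per the commit description, destroy the module together with the dispatcher the calling proxy code runs in, yet neither function nor the two new PPB_Proxy_Private slots document that. An unpaired or mis-ordered ReleaseModule is therefore a use-after-free on the caller's side that nothing in this file can detect, and because both functions silently no-op when GetModule() returns NULL, a caller whose AddRefModule found no module cannot tell that its later ReleaseModule was unmatched either. I'd put the contract above AddRefModule: `// AddRefModule/ReleaseModule must be strictly paired per PP_Module; ReleaseModule may destroy the module (and anything it owns, including the dispatcher), so it must be the caller's last action on that state.` Whether untrusted plugin code can reach these entry points depends on who can obtain PPB_Proxy_Private, which is not visible from this hunk.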