Track NPObject ownership by the originating plugins' NPP identifier. [2/3] (Chrome)

This CL updates Chrome to return plugin NPP identifiers for NPAPI, PPAPI and browser plugins, and to make the necessary calls into Blink to support object ownership tracking.

This CL requires Blink CL crrev.com/14989014, and is itself required by Blink CL crrev.com/14019005.

BUG=152006

Review URL: https://chromiumcodereview.appspot.com/15007012

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@202364 0039d316-1c4b-4281-b951-d872f2087c98

11 files changed, 78 insertions, 12 deletions

diff --git a/webkit/plugins/npapi/webplugin_delegate.h b/webkit/plugins/npapi/webplugin_delegate.h
index 43a3955..9f7fe0e 100644
--- a/webkit/plugins/npapi/webplugin_delegate.h
+++ b/webkit/plugins/npapi/webplugin_delegate.h
@@ -83,6 +83,9 @@ class WEBKIT_PLUGINS_EXPORT WebPluginDelegate {
   // Gets the NPObject associated with the plugin for scripting.
   virtual NPObject* GetPluginScriptableObject() = 0;
 
+  // Gets the NPP instance uniquely identifying the plugin for its lifetime.
+  virtual struct _NPP* GetPluginNPP() = 0;
+
   // Gets the form value associated with the plugin instance.
   // Returns false if the value is not available.
   virtual bool GetFormValue(base::string16* value) = 0;
diff --git a/webkit/plugins/npapi/webplugin_delegate_impl.cc b/webkit/plugins/npapi/webplugin_delegate_impl.cc
index 3c2587e9..831de3d 100644
--- a/webkit/plugins/npapi/webplugin_delegate_impl.cc
+++ b/webkit/plugins/npapi/webplugin_delegate_impl.cc
@@ -186,6 +186,10 @@ NPObject* WebPluginDelegateImpl::GetPluginScriptableObject() {
   return instance_->GetPluginScriptableObject();
 }
 
+NPP WebPluginDelegateImpl::GetPluginNPP() {
+  return instance_->npp();
+}
+
 bool WebPluginDelegateImpl::GetFormValue(base::string16* value) {
   return instance_->GetFormValue(value);
 }
diff --git a/webkit/plugins/npapi/webplugin_delegate_impl.h b/webkit/plugins/npapi/webplugin_delegate_impl.h
index 6755891..0101de7 100644
--- a/webkit/plugins/npapi/webplugin_delegate_impl.h
+++ b/webkit/plugins/npapi/webplugin_delegate_impl.h
@@ -112,6 +112,7 @@ class WEBKIT_PLUGINS_EXPORT WebPluginDelegateImpl : public WebPluginDelegate {
   virtual bool HandleInputEvent(const WebKit::WebInputEvent& event,
                                 WebCursor::CursorInfo* cursor_info) OVERRIDE;
   virtual NPObject* GetPluginScriptableObject() OVERRIDE;
+  virtual NPP GetPluginNPP() OVERRIDE;
   virtual bool GetFormValue(base::string16* value) OVERRIDE;
   virtual void DidFinishLoadWithReason(const GURL& url,
                                        NPReason reason,
diff --git a/webkit/plugins/npapi/webplugin_impl.cc b/webkit/plugins/npapi/webplugin_impl.cc
index 801ca91..e86f3d1 100644
--- a/webkit/plugins/npapi/webplugin_impl.cc
+++ b/webkit/plugins/npapi/webplugin_impl.cc
@@ -243,10 +243,15 @@ bool WebPluginImpl::initialize(WebPluginContainer* container) {
   if (!plugin_delegate)
     return false;
 
+  // Store the plugin's unique identifier, used by the container to track its
+  // script objects.
+  npp_ = plugin_delegate->GetPluginNPP();
+
   // Set the container before Initialize because the plugin may
-  // synchronously call NPN_GetValue to get its container during its
-  // initialization.
+  // synchronously call NPN_GetValue to get its container, or make calls
+  // passing script objects that need to be tracked, during initialization.
   SetContainer(container);
+
   bool ok = plugin_delegate->Initialize(
       plugin_url_, arg_names_, arg_values_, this, load_manually_);
   if (!ok) {
@@ -280,6 +285,10 @@ NPObject* WebPluginImpl::scriptableObject() {
   return delegate_->GetPluginScriptableObject();
 }
 
+NPP WebPluginImpl::pluginNPP() {
+  return npp_;
+}
+
 bool WebPluginImpl::getFormValue(WebKit::WebString& value) {
   if (!delegate_)
     return false;
@@ -484,6 +493,7 @@ WebPluginImpl::WebPluginImpl(
       webframe_(webframe),
       delegate_(NULL),
       container_(NULL),
+      npp_(NULL),
       plugin_url_(params.url),
       load_manually_(params.loadManually),
       first_geometry_update_(true),
@@ -1055,6 +1065,8 @@ void WebPluginImpl::SetContainer(WebPluginContainer* container) {
   if (!container)
     TearDownPluginInstance(NULL);
   container_ = container;
+  if (container_)
+    container_->allowScriptObjects();
 }
 
 void WebPluginImpl::HandleURLRequest(const char* url,
@@ -1333,19 +1345,32 @@ bool WebPluginImpl::ReinitializePluginForResponse(
 
 void WebPluginImpl::TearDownPluginInstance(
     WebURLLoader* loader_to_ignore) {
-  // The container maintains a list of JSObjects which are related to this
-  // plugin.  Tell the frame we're gone so that it can invalidate all of
-  // those sub JSObjects.
+  // JavaScript garbage collection may cause plugin script object references to
+  // be retained long after the plugin is destroyed. Some plugins won't cope
+  // with their objects being released after they've been destroyed, and once
+  // we've actually unloaded the plugin the object's releaseobject() code may
+  // no longer be in memory. The container tracks the plugin's objects and lets
+  // us invalidate them, releasing the references to them held by the JavaScript
+  // runtime.
   if (container_) {
     container_->clearScriptObjects();
     container_->setWebLayer(NULL);
   }
 
+  // Call PluginDestroyed() first to prevent the plugin from calling us back
+  // in the middle of tearing down the render tree.
   if (delegate_) {
-    // Call PluginDestroyed() first to prevent the plugin from calling us back
-    // in the middle of tearing down the render tree.
+    // The plugin may call into the browser and pass script objects even during
+    // teardown, so temporarily re-enable plugin script objects.
+    DCHECK(container_);
+    container_->allowScriptObjects();
+
     delegate_->PluginDestroyed();
     delegate_ = NULL;
+
+    // Invalidate any script objects created during teardown here, before the
+    // plugin might actually be unloaded.
+    container_->clearScriptObjects();
   }
 
   // Cancel any pending requests because otherwise this deleted object will
diff --git a/webkit/plugins/npapi/webplugin_impl.h b/webkit/plugins/npapi/webplugin_impl.h
index 20917d0..7b6594b 100644
--- a/webkit/plugins/npapi/webplugin_impl.h
+++ b/webkit/plugins/npapi/webplugin_impl.h
@@ -75,6 +75,7 @@ class WEBKIT_PLUGINS_EXPORT WebPluginImpl :
       WebKit::WebPluginContainer* container);
   virtual void destroy();
   virtual NPObject* scriptableObject();
+  virtual struct _NPP* pluginNPP();
   virtual bool getFormValue(WebKit::WebString& value);
   virtual void paint(
       WebKit::WebCanvas* canvas, const WebKit::WebRect& paint_rect);
@@ -292,6 +293,9 @@ class WEBKIT_PLUGINS_EXPORT WebPluginImpl :
   // This is just a weak reference.
   WebKit::WebPluginContainer* container_;
 
+  // Unique identifier for this plugin, used to track script objects.
+  struct _NPP* npp_;
+
   typedef std::map<WebPluginResourceClient*,
                    webkit_glue::MultipartResponseDelegate*>
       MultiPartResponseHandlerMap;
diff --git a/webkit/plugins/ppapi/message_channel.cc b/webkit/plugins/ppapi/message_channel.cc
index e0e0a39..bbb3eb2 100644
--- a/webkit/plugins/ppapi/message_channel.cc
+++ b/webkit/plugins/ppapi/message_channel.cc
@@ -324,7 +324,8 @@ MessageChannel::MessageChannel(PluginInstance* instance)
       early_message_queue_state_(QUEUE_MESSAGES) {
   // Now create an NPObject for receiving calls to postMessage. This sets the
   // reference count to 1.  We release it in the destructor.
-  NPObject* obj = WebBindings::createObject(NULL, &message_channel_class);
+  NPObject* obj = WebBindings::createObject(instance_->instanceNPP(),
+                                            &message_channel_class);
   DCHECK(obj);
   np_object_ = static_cast<MessageChannel::MessageChannelNPObject*>(obj);
   np_object_->message_channel = weak_ptr_factory_.GetWeakPtr();
diff --git a/webkit/plugins/ppapi/plugin_object.cc b/webkit/plugins/ppapi/plugin_object.cc
index a5ef5fe..9b6a130 100644
--- a/webkit/plugins/ppapi/plugin_object.cc
+++ b/webkit/plugins/ppapi/plugin_object.cc
@@ -298,7 +298,8 @@ PP_Var PluginObject::Create(PluginInstance* instance,
   // WrapperClass_Allocated function which will have created an object wrapper
   // appropriate for this class (derived from NPObject).
   NPObjectWrapper* wrapper = static_cast<NPObjectWrapper*>(
-      WebBindings::createObject(NULL, const_cast<NPClass*>(&wrapper_class)));
+      WebBindings::createObject(instance->instanceNPP(),
+      const_cast<NPClass*>(&wrapper_class)));
 
   // This object will register itself both with the NPObject and with the
   // PluginModule. The NPObject will normally handle its lifetime, and it
diff --git a/webkit/plugins/ppapi/ppapi_plugin_instance.cc b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
index 9368e29..4f7f050 100644
--- a/webkit/plugins/ppapi/ppapi_plugin_instance.cc
+++ b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
@@ -437,17 +437,16 @@ PluginInstance::PluginInstance(
       selection_anchor_(0),
       pending_user_gesture_(0.0),
       document_loader_(NULL),
-      nacl_document_load_(false) {
+      nacl_document_load_(false),
+      npp_(new NPP_t) {
   pp_instance_ = HostGlobals::Get()->AddInstance(this);
 
   memset(&current_print_settings_, 0, sizeof(current_print_settings_));
   DCHECK(delegate);
   module_->InstanceCreated(this);
   delegate_->InstanceCreated(this);
-  message_channel_.reset(new MessageChannel(this));
 
   view_data_.is_page_visible = delegate->IsPageVisible();
-
   resource_creation_ = delegate_->CreateResourceCreationAPI(this);
 
   // TODO(bbudge) remove this when the trusted NaCl plugin has been removed.
@@ -634,6 +633,8 @@ static void SetGPUHistogram(const ::ppapi::Preferences& prefs,
 bool PluginInstance::Initialize(const std::vector<std::string>& arg_names,
                                 const std::vector<std::string>& arg_values,
                                 bool full_frame) {
+  message_channel_.reset(new MessageChannel(this));
+
   full_frame_ = full_frame;
 
   UpdateTouchEventRequest();
@@ -2545,6 +2546,10 @@ bool PluginInstance::IsValidInstanceOf(PluginModule* module) {
          module == original_module_.get();
 }
 
+NPP PluginInstance::instanceNPP() {
+  return npp_.get();
+}
+
 void PluginInstance::DoSetCursor(WebCursorInfo* cursor) {
   cursor_.reset(cursor);
   if (fullscreen_container_) {
diff --git a/webkit/plugins/ppapi/ppapi_plugin_instance.h b/webkit/plugins/ppapi/ppapi_plugin_instance.h
index 07f3657..3053a8a 100644
--- a/webkit/plugins/ppapi/ppapi_plugin_instance.h
+++ b/webkit/plugins/ppapi/ppapi_plugin_instance.h
@@ -58,6 +58,7 @@
 #include "webkit/plugins/webkit_plugins_export.h"
 
 struct PP_Point;
+struct _NPP;
 
 class SkBitmap;
 class TransportDIB;
@@ -502,6 +503,10 @@ class WEBKIT_PLUGINS_EXPORT PluginInstance :
   // the given module.
   bool IsValidInstanceOf(PluginModule* module);
 
+  // Returns the plugin NPP identifier that this plugin will use to identify
+  // itself when making NPObject scripting calls to WebBindings.
+  struct _NPP* instanceNPP();
+
  private:
   friend class PpapiUnittest;
 
@@ -834,6 +839,10 @@ class WEBKIT_PLUGINS_EXPORT PluginInstance :
   // calls and handles PPB_ContentDecryptor_Private calls.
   scoped_ptr<ContentDecryptorDelegate> content_decryptor_delegate_;
 
+  // Dummy NPP value used when calling in to WebBindings, to allow the bindings
+  // to correctly track NPObjects belonging to this plugin instance.
+  scoped_ptr<struct _NPP> npp_;
+
   friend class PpapiPluginInstanceTest;
   DISALLOW_COPY_AND_ASSIGN(PluginInstance);
 };
diff --git a/webkit/plugins/ppapi/ppapi_webplugin_impl.cc b/webkit/plugins/ppapi/ppapi_webplugin_impl.cc
index 30820fb..4ce9527 100644
--- a/webkit/plugins/ppapi/ppapi_webplugin_impl.cc
+++ b/webkit/plugins/ppapi/ppapi_webplugin_impl.cc
@@ -93,6 +93,9 @@ bool WebPluginImpl::initialize(WebPluginContainer* container) {
   if (!instance_)
     return false;
 
+  // Enable script objects for this plugin.
+  container->allowScriptObjects();
+
   bool success = instance_->Initialize(init_data_->arg_names,
                                        init_data_->arg_values,
                                        full_frame_);
@@ -116,6 +119,9 @@ bool WebPluginImpl::initialize(WebPluginContainer* container) {
 }
 
 void WebPluginImpl::destroy() {
+  // Tell |container_| to clear references to this plugin's script objects.
+  container_->clearScriptObjects();
+
   if (instance_) {
     ::ppapi::PpapiGlobals::Get()->GetVarTracker()->ReleaseVar(instance_object_);
     instance_object_ = PP_MakeUndefined();
@@ -148,6 +154,10 @@ NPObject* WebPluginImpl::scriptableObject() {
   return message_channel_np_object;
 }
 
+NPP WebPluginImpl::pluginNPP() {
+  return instance_->instanceNPP();
+}
+
 bool WebPluginImpl::getFormValue(WebString& value) {
   return false;
 }
diff --git a/webkit/plugins/ppapi/ppapi_webplugin_impl.h b/webkit/plugins/ppapi/ppapi_webplugin_impl.h
index 11bcf89..b8bbffe 100644
--- a/webkit/plugins/ppapi/ppapi_webplugin_impl.h
+++ b/webkit/plugins/ppapi/ppapi_webplugin_impl.h
@@ -16,6 +16,8 @@
 #include "ui/gfx/rect.h"
 #include "webkit/plugins/webkit_plugins_export.h"
 
+struct _NPP;
+
 namespace WebKit {
 struct WebPluginParams;
 struct WebPrintParams;
@@ -43,6 +45,7 @@ class WebPluginImpl : public WebKit::WebPlugin {
   virtual bool initialize(WebKit::WebPluginContainer* container);
   virtual void destroy();
   virtual NPObject* scriptableObject();
+  virtual struct _NPP* pluginNPP();
   virtual bool getFormValue(WebKit::WebString& value);
   virtual void paint(WebKit::WebCanvas* canvas, const WebKit::WebRect& rect);
   virtual void updateGeometry(