author | brettw@chromium.org <brettw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-18 20:51:18 +0000 |
---|---|---|
committer | brettw@chromium.org <brettw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-04-18 20:51:18 +0000 |
commit | 3502a996955e749fa48f202ee27a63fbda528c03 (patch) | |
tree | 68f02d46f25c94cc4efee9116c84c69e5da59a57 /webkit | |
parent | 88ddb358c1ccf049220487925ea9831e5f8ea452 (diff) | |
download | chromium_src-3502a996955e749fa48f202ee27a63fbda528c03.zip chromium_src-3502a996955e749fa48f202ee27a63fbda528c03.tar.gz chromium_src-3502a996955e749fa48f202ee27a63fbda528c03.tar.bz2 |
Keep the module in scope when executing scripts. This prevents a crash when the
script deletes the plugin object synchronously. This in turn deletes the
dispatcher which will make the code returning the out param and exception to
the plugin crash.
To prevent the crash, this patch adds a way for the proxy to manipulate the
refcount of the plugin object so that it stays alive as long as the
scripting message is being processed.
A manual test is included. This is not automatically run now. I tried to fit it
into the current test infrastructure and found it very challenging, We need to
revisit this to allow custom tests to more easily be written.
TEST=manual with included plugin and html
BUG=none
Review URL: http://codereview.chromium.org/6881012
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81993 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r-- | webkit/plugins/ppapi/ppapi_plugin_instance.cc | 2 | ||||
-rw-r--r-- | webkit/plugins/ppapi/ppb_proxy_impl.cc | 16 |
2 files changed, 17 insertions, 1 deletions
diff --git a/webkit/plugins/ppapi/ppapi_plugin_instance.cc b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
index cd2d59f..78df75b 100644
--- a/webkit/plugins/ppapi/ppapi_plugin_instance.cc
+++ b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
@@ -664,6 +664,8 @@ PP_Var PluginInstance::ExecuteScript(PP_Var script, PP_Var* exception) {
 NPVariant result;
 bool ok = WebBindings::evaluate(NULL, frame->windowObject(), &np_script, &result);
+ // DANGER! |this| could be deleted at this point if the script removed the
+ // plugin from the DOM.
 if (!ok) {
 // TODO(brettw) bug 54011: The TryCatch isn't working properly and
 // doesn't actually catch this exception.
diff --git a/webkit/plugins/ppapi/ppb_proxy_impl.cc b/webkit/plugins/ppapi/ppb_proxy_impl.cc
index 9c69891..fc861af 100644
--- a/webkit/plugins/ppapi/ppb_proxy_impl.cc
+++ b/webkit/plugins/ppapi/ppb_proxy_impl.cc
@@ -44,11 +44,25 @@ int32_t GetURLLoaderBufferedBytes(PP_Resource url_loader) {
 return loader->buffer_size();
 }
+void AddRefModule(PP_Module module) {
+ PluginModule* plugin_module = ResourceTracker::Get()->GetModule(module);
+ if (plugin_module)
+ plugin_module->AddRef();
+}
+
+void ReleaseModule(PP_Module module) {
+ PluginModule* plugin_module = ResourceTracker::Get()->GetModule(module);
+ if (plugin_module)
+ plugin_module->Release();
+}
+
 const PPB_Proxy_Private ppb_proxy = {
 &PluginCrashed,
 &GetInstanceForResource,
 &SetReserveInstanceIDCallback,
- &GetURLLoaderBufferedBytes
+ &GetURLLoaderBufferedBytes,
+ &AddRefModule,
+ &ReleaseModule
 };
 } // namespace |
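Review bot: The new DANGER comment after the `WebBindings::evaluate` call in ExecuteScript names the hazard but not the contract that makes the rest of the function safe; the commit message says the proxy now holds a module reference across the scripting call, yet as far as this hunk shows an in-process caller gets no such protection and nothing after the call is guarded. Suggest extending the comment to state the rule rather than only the risk, e.g. `// Callers must keep the module (and so this instance) alive across this call; do not touch members after evaluate() returns.` The body of ExecuteScript continues outside the hunk, so whether the later code that fills in the result and `exception` still goes through `this` cannot be confirmed here.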
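Review bot: AddRefModule and ReleaseModule are undocumented, and nothing states that they must be called in balanced pairs; an unmatched ReleaseModule would drop the last reference and destroy a PluginModule that other instances still use, and these calls are presumably reached through a proxy message, so the pairing is the input to be careful about. Suggest a comment above AddRefModule, `// Balances ReleaseModule; the proxy brackets script execution with these so the module outlives a script that removes the plugin.`, and above ReleaseModule, `// May destroy the module; |module| must not be used after this returns.` The positional initializer of ppb_proxy now depends on the two new PPB_Proxy_Private members being declared last and in this order; that header is outside the webkit diffstat, so it cannot be checked here. Whether PluginModule's AddRef/Release are the usual base refcounting pair is also not visible in the hunk.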