authorbrettw@chromium.org <brettw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-03-10 21:16:34 +0000
committerbrettw@chromium.org <brettw@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-03-10 21:16:34 +0000
commit2cc0622486b85be1e098ecd2af563c0fa9743b26 (patch)
treeeb32a99ee1dddb5699ee5208bd2b153501020fb3 /webkit
parent82388663bfbeb4dc2fc58e86f83505e67b483d31 (diff)
Ensure that PP_Instance values are unique within a plugin process in addition
to within the renderer. This works by having the renderer check with the plugin that a PP_Instance is available before using it. If the plugin has already seen it, the renderer will generate a new PP_Instance and retry. For performance, this message is handled on the I/O thread of the plugin so it will not be blocked by the actual plugin code. This requires an unfortunate amount of plumbing. Since the renderer can't depend directly on the proxy, we have a new PPB_Proxy function to set the verification function used to perform this check. There is also a new plugin dispatcher delegate, to which I moved some of the global state that used to go into the init function. Adding yet another parameter there seemed unfortunate. TEST=manual BUG=74961 Review URL: http://codereview.chromium.org/6628019 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@77693 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r--webkit/plugins/ppapi/plugin_module.cc15
-rw-r--r--webkit/plugins/ppapi/plugin_module.h16
-rw-r--r--webkit/plugins/ppapi/ppb_proxy_impl.cc10
-rw-r--r--webkit/plugins/ppapi/resource_tracker.cc4
4 files changed, 42 insertions, 3 deletions
diff --git a/webkit/plugins/ppapi/plugin_module.cc b/webkit/plugins/ppapi/plugin_module.cc
index 6c670f9..0ea2859 100644
--- a/webkit/plugins/ppapi/plugin_module.cc
+++ b/webkit/plugins/ppapi/plugin_module.cc
@@ -382,7 +382,8 @@ PluginModule::PluginModule(const std::string& name,
callback_tracker_(new CallbackTracker),
is_crashed_(false),
library_(NULL),
- name_(name) {
+ name_(name),
+ reserve_instance_id_(NULL) {
pp_module_ = ResourceTracker::Get()->AddModule(this);
GetMainThreadMessageLoop(); // Initialize the main thread message loop.
GetLivePluginSet()->insert(this);
@@ -505,6 +506,18 @@ void PluginModule::PluginCrashed() {
lifetime_delegate_->PluginModuleDead(this);
}
+void PluginModule::SetReserveInstanceIDCallback(
+ PP_Bool (*reserve)(PP_Module, PP_Instance)) {
+ DCHECK(!reserve_instance_id_) << "Only expect one set.";
+ reserve_instance_id_ = reserve;
+}
+
+bool PluginModule::ReserveInstanceID(PP_Instance instance) {
+ if (reserve_instance_id_)
+ return PPBoolToBool(reserve_instance_id_(pp_module_, instance));
+ return true; // Instance ID is usable.
+}
+
bool PluginModule::InitializeModule() {
DCHECK(!out_of_process_proxy_.get()) << "Don't call for proxied modules.";
int retval = entry_points_.initialize_module(pp_module(), &GetInterface);
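Review bot: In `SetReserveInstanceIDCallback` the one-registration rule is enforced only by `DCHECK(!reserve_instance_id_)`, which is presumably compiled out of release builds, so there a second call silently replaces the function pointer that `ReserveInstanceID` later invokes. Because that pointer decides whether an instance ID is accepted, keeping the first registration in every build is safer, e.g. `if (reserve_instance_id_) return;` placed just before the assignment. A short comment on the assignment stating how long the pointer must remain valid would also help, since nothing visible here clears it when the plugin crashes.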
diff --git a/webkit/plugins/ppapi/plugin_module.h b/webkit/plugins/ppapi/plugin_module.h
index 39aa878..45545c9 100644
--- a/webkit/plugins/ppapi/plugin_module.h
+++ b/webkit/plugins/ppapi/plugin_module.h
@@ -15,6 +15,8 @@
#include "base/ref_counted.h"
#include "base/scoped_ptr.h"
#include "base/weak_ptr.h"
+#include "ppapi/c/pp_bool.h"
+#include "ppapi/c/pp_instance.h"
#include "ppapi/c/pp_module.h"
#include "ppapi/c/ppb.h"
#include "webkit/plugins/ppapi/plugin_delegate.h"
@@ -126,6 +128,18 @@ class PluginModule : public base::RefCounted<PluginModule>,
// release relevant resources and update all affected instances.
void PluginCrashed();
+ // Reserves the given instance is unique within the plugin, checking for
+ // collisions. See PPB_Proxy_Private for more information.
+ //
+ // The setter will set the callback which is set up when the proxy
+ // initializes. The Reserve function will call the previously set callback if
+ // it exists to validate the ID. If the callback has not been set (such as
+ // for in-process plugins), the Reserve function will assume that the ID is
+ // usable and will return true.
+ void SetReserveInstanceIDCallback(
+ PP_Bool (*reserve)(PP_Module, PP_Instance));
+ bool ReserveInstanceID(PP_Instance instance);
+
private:
// Calls the InitializeModule entrypoint. The entrypoint must have been
// set and the plugin must not be out of process (we don't maintain
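Review bot: The first sentence of the new comment above `SetReserveInstanceIDCallback` does not parse ("Reserves the given instance is unique within the plugin"), so the contract of `ReserveInstanceID` has to be pieced together from the paragraph that follows. Suggested wording: `// Reserves the given instance ID in the plugin process; returns false if the plugin has already seen that ID.` It would also help to say that a false return means the caller must pick a different ID, and whether the call can block; the commit description suggests it goes to the plugin process, but that is not visible in this hunk. The class body starts and ends outside the hunk.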
@@ -167,6 +181,8 @@ class PluginModule : public base::RefCounted<PluginModule>,
typedef std::set<PluginInstance*> PluginInstanceSet;
PluginInstanceSet instances_;
+ PP_Bool (*reserve_instance_id_)(PP_Module, PP_Instance);
+
DISALLOW_COPY_AND_ASSIGN(PluginModule);
};
diff --git a/webkit/plugins/ppapi/ppb_proxy_impl.cc b/webkit/plugins/ppapi/ppb_proxy_impl.cc
index 540835e..f82ec46 100644
--- a/webkit/plugins/ppapi/ppb_proxy_impl.cc
+++ b/webkit/plugins/ppapi/ppb_proxy_impl.cc
@@ -28,9 +28,17 @@ PP_Instance GetInstanceForResource(PP_Resource resource) {
return obj->instance()->pp_instance();
}
+void SetReserveInstanceIDCallback(PP_Module module,
+ PP_Bool (*reserve)(PP_Module, PP_Instance)) {
+ PluginModule* plugin_module = ResourceTracker::Get()->GetModule(module);
+ if (plugin_module)
+ plugin_module->SetReserveInstanceIDCallback(reserve);
+}
+
const PPB_Proxy_Private ppb_proxy = {
&PluginCrashed,
- &GetInstanceForResource
+ &GetInstanceForResource,
+ &SetReserveInstanceIDCallback
};
} // namespace
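Review bot: `SetReserveInstanceIDCallback` drops the registration without any signal when `GetModule(module)` returns NULL, and since it returns void the proxy side cannot tell that the uniqueness check was never installed; `PluginModule::ReserveInstanceID` then accepts every ID. At minimum make the NULL branch visible, e.g. `else NOTREACHED() << "SetReserveInstanceIDCallback: unknown PP_Module";` (assuming base/logging.h is included in this file, which the hunk does not show). Separately, `ppb_proxy` gains a third member; the PPB_Proxy_Private header is outside this diffstat, so confirm its interface string was revised so a mismatched proxy cannot read past a two-entry table.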
diff --git a/webkit/plugins/ppapi/resource_tracker.cc b/webkit/plugins/ppapi/resource_tracker.cc
index b17210c..79a0125 100644
--- a/webkit/plugins/ppapi/resource_tracker.cc
+++ b/webkit/plugins/ppapi/resource_tracker.cc
@@ -12,6 +12,7 @@
#include "base/rand_util.h"
#include "ppapi/c/pp_resource.h"
#include "ppapi/c/pp_var.h"
+#include "webkit/plugins/ppapi/plugin_module.h"
#include "webkit/plugins/ppapi/ppapi_plugin_instance.h"
#include "webkit/plugins/ppapi/resource.h"
#include "webkit/plugins/ppapi/var.h"
@@ -279,7 +280,8 @@ PP_Instance ResourceTracker::AddInstance(PluginInstance* instance) {
new_instance = MakeTypedId(static_cast<PP_Instance>(base::RandUint64()),
PP_ID_TYPE_INSTANCE);
} while (!new_instance ||
- instance_map_.find(new_instance) != instance_map_.end());
+ instance_map_.find(new_instance) != instance_map_.end() ||
+ !instance->module()->ReserveInstanceID(new_instance));
instance_map_[new_instance].instance = instance;
return new_instance;
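Review bot: The `do … while` in `AddInstance` now retries on a condition the renderer does not control, with no upper bound. If the reservation callback keeps returning PP_FALSE, for instance because the plugin process is wedged or misbehaving (how the proxy reports a dead channel is not visible here), the loop never exits and the renderer thread spins. Consider capping the attempts inside the loop body, e.g. `if (++attempts > kMaxReserveAttempts) return 0;` (constant name is illustrative), provided callers of AddInstance treat 0 as failure. The function starts and ends outside the hunk.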