diff options
| -rw-r--r-- | ppapi/proxy/host_dispatcher.cc | 2 | ||||
| -rw-r--r-- | ppapi/proxy/plugin_resource_tracker.cc | 13 | ||||
| -rw-r--r-- | ppapi/proxy/ppb_flash_proxy.cc | 5 |
3 files changed, 12 insertions, 8 deletions
diff --git a/ppapi/proxy/host_dispatcher.cc b/ppapi/proxy/host_dispatcher.cc index ebcfb12..d9fcc36 100644 --- a/ppapi/proxy/host_dispatcher.cc +++ b/ppapi/proxy/host_dispatcher.cc @@ -160,7 +160,7 @@ bool HostDispatcher::OnMessageReceived(const IPC::Message& msg) { if (Dispatcher::OnMessageReceived(msg)) return true; - if (msg.routing_id() <= 0 && msg.routing_id() >= INTERFACE_ID_COUNT) { + if (msg.routing_id() <= 0 || msg.routing_id() >= INTERFACE_ID_COUNT) { NOTREACHED(); // TODO(brettw): kill the plugin if it starts sending invalid messages? return true; diff --git a/ppapi/proxy/plugin_resource_tracker.cc b/ppapi/proxy/plugin_resource_tracker.cc index 202fef3..e499bfa 100644 --- a/ppapi/proxy/plugin_resource_tracker.cc +++ b/ppapi/proxy/plugin_resource_tracker.cc @@ -161,13 +161,12 @@ void PluginResourceTracker::ReleasePluginResourceRef( resource_map_.erase(found); plugin_resource.reset(); - if (notify_browser_on_release) { - if (dispatcher) { - dispatcher->Send(new PpapiHostMsg_PPBCore_ReleaseResource( - INTERFACE_ID_PPB_CORE, host_resource)); - } else { - NOTREACHED(); - } + // dispatcher can be NULL if the plugin held on to a resource after the + // instance was destroyed. In that case the browser-side resource has + // already been freed correctly on the browser side. + if (notify_browser_on_release && dispatcher) { + dispatcher->Send(new PpapiHostMsg_PPBCore_ReleaseResource( + INTERFACE_ID_PPB_CORE, host_resource)); } } } diff --git a/ppapi/proxy/ppb_flash_proxy.cc b/ppapi/proxy/ppb_flash_proxy.cc index 27c83ba..c430b05 100644 --- a/ppapi/proxy/ppb_flash_proxy.cc +++ b/ppapi/proxy/ppb_flash_proxy.cc @@ -196,6 +196,11 @@ const InterfaceProxy::Info* PPB_Flash_Proxy::GetInfo() { } bool PPB_Flash_Proxy::OnMessageReceived(const IPC::Message& msg) { + // Prevent the dispatcher from going away during a call to Navigate. + // This must happen OUTSIDE of OnMsgNavigate since the handling code use + // the dispatcher upon return of the function (sending the reply message). + ScopedModuleReference death_grip(dispatcher()); + bool handled = true; IPC_BEGIN_MESSAGE_MAP(PPB_Flash_Proxy, msg) IPC_MESSAGE_HANDLER(PpapiHostMsg_PPBFlash_SetInstanceAlwaysOnTop, |