diff options
| -rw-r--r-- | content/plugin/npobject_stub.cc | 9 | ||||
| -rw-r--r-- | content/plugin/npobject_stub.h | 12 | ||||
| -rw-r--r-- | content/renderer/webplugin_delegate_proxy.cc | 13 |
3 files changed, 16 insertions, 18 deletions
diff --git a/content/plugin/npobject_stub.cc b/content/plugin/npobject_stub.cc index 79aae70..b3e1441 100644 --- a/content/plugin/npobject_stub.cc +++ b/content/plugin/npobject_stub.cc @@ -39,7 +39,7 @@ NPObjectStub::~NPObjectStub() { CHECK(!npobject_); } -void NPObjectStub::DeleteSoon(bool release_npobject) { +void NPObjectStub::DeleteSoon() { if (npobject_) { channel_->RemoveMappingForNPObjectStub(route_id_, npobject_); @@ -49,8 +49,7 @@ void NPObjectStub::DeleteSoon(bool release_npobject) { NPObject* npobject = npobject_; npobject_ = NULL; - if (release_npobject) - WebBindings::releaseObject(npobject); + WebBindings::releaseObject(npobject); MessageLoop::current()->DeleteSoon(FROM_HERE, this); } @@ -102,12 +101,12 @@ bool NPObjectStub::OnMessageReceived(const IPC::Message& msg) { } void NPObjectStub::OnChannelError() { - DeleteSoon(true); + DeleteSoon(); } void NPObjectStub::OnRelease(IPC::Message* reply_msg) { Send(reply_msg); - DeleteSoon(true); + DeleteSoon(); } void NPObjectStub::OnHasMethod(const NPIdentifier_Param& name, diff --git a/content/plugin/npobject_stub.h b/content/plugin/npobject_stub.h index 3584cfe..d48fa09 100644 --- a/content/plugin/npobject_stub.h +++ b/content/plugin/npobject_stub.h @@ -38,13 +38,11 @@ class NPObjectStub : public IPC::Channel::Listener, const GURL& page_url); virtual ~NPObjectStub(); - // Cause the stub to ignore any further IPC messages, and to tear itself down - // the next time control returns to the message loop. - // The NPObject will be released only if |release_npobject| is true. - // This is used for the window script object stub in the renderer, which is - // freed with NPN_DeallocateObject to avoid leaks, and so we must not try to - // release it. - void DeleteSoon(bool release_npobject); + // Schedules tear-down of this stub. The underlying NPObject reference is + // released, and further invokations form the IPC channel will fail once this + // call has returned. Deletion of the stub is deferred to the main loop, in + // case it is touched as the stack unwinds. + void DeleteSoon(); // IPC::Message::Sender implementation: virtual bool Send(IPC::Message* msg); diff --git a/content/renderer/webplugin_delegate_proxy.cc b/content/renderer/webplugin_delegate_proxy.cc index 8ffd930..e26129b 100644 --- a/content/renderer/webplugin_delegate_proxy.cc +++ b/content/renderer/webplugin_delegate_proxy.cc @@ -219,12 +219,13 @@ void WebPluginDelegateProxy::PluginDestroyed() { } if (window_script_object_) { - // The ScriptController deallocates this object independent of its ref count - // to avoid leaks if the plugin forgets to release it. So mark the object - // invalid to avoid accessing it past this point. Note: only do this after - // the DestroyInstance message in case the window object is scripted by the - // plugin in NPP_Destroy. - window_script_object_->DeleteSoon(false); + // Release the window script object, if the plugin didn't already. + // If we don't do this then it will linger until the last plugin instance is + // destroyed. In the meantime, though, the frame that it refers to may have + // been destroyed by WebKit, at which point WebKit will forcibly deallocate + // the window script object. The window script object stub is unique to the + // plugin instance, so this won't affect other instances. + window_script_object_->DeleteSoon(); } plugin_ = NULL; |