other side's address space. Basically the way this works is if an NPObject is marshaled over to the other side, an NPObjectStub is created in the caller address space and an NPObjectProxy is created on the other side. The NPObjectProxy is passed the raw NPObject pointer which is used as a cookie. If the original NPObject needs to be passed back we pass the underlying NPObject saved in the NPObjectProxy. The receiver does not validate whether this NPObject is valid before invoking on it. While this is mostly fine, in the case of a compromised renderer invalid addresses could be passed back to the plugin which would invoke on these addresses and crash.

Fix is to never pass raw object pointers across and just pass the corresponding routing id of the NPObjectStub. The receiver validates this object by invoking a new method GetNPObjectListenerForRoute on the PluginChannelBase. This method returns the corresponding NPObject listener for the routing id. We then retrieve the underlying NPObject from the listener and use it.

The map of NPObjectListeners which is maintained by PluginChannelBase has been changed to hold NPObjectBase pointers instead. NPObjectStub and NPObjectProxy implement the new NPObjectBase interface which provides methods to return the underlying NPObject and the IPC::Channel::Listener pointer.
Fixes bug http://code.google.com/p/chromium/issues/detail?id=31880
I verified with the steps outlined in the bug that this fix does address the underlying crash.
Bug=31880
Test=We need a framework to test PluginChannel and NPObjectProxy/Stub. Will add a test case for this
once we have this in place.
Review URL: http://codereview.chromium.org/548046
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@36618 0039d316-1c4b-4281-b951-d872f2087c98
This frequently saves a tiny bit of code, but even when it doesn't I think it's more future-proof (less error-prone).
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/399096
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32708 0039d316-1c4b-4281-b951-d872f2087c98
to send an NPN_SetException back to the correct renderer if necessary.
BUG=26764
TEST=none
Review URL: http://codereview.chromium.org/375005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32419 0039d316-1c4b-4281-b951-d872f2087c98
BUG=22210 (this is not a partial mitigation, not a fix)
Review URL: http://codereview.chromium.org/399043
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32397 0039d316-1c4b-4281-b951-d872f2087c98
tomorrow's dev channel build and we can see if the crashes go away while I try to write a repro.
The only scenario that I can think of is that an NPObject in the plugin process has a deallocate function which releases an npobject from the renderer. That would cause the corresponding NPObjectProxy to go away, but since PluginChannel has in_remove_route_ set, the list won't get updated and in the future iteration of the loop we'll call the method on a deleted object.
BUG=25439
Review URL: http://codereview.chromium.org/327003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29839 0039d316-1c4b-4281-b951-d872f2087c98
processes to run nested message loops when a dialog is shown. Instead use an async message that's broadcast from the renderer to all plugin processes that are connected to it, and which is dispatched on the plugin IO thread to set a process-local waitable event. This fixes showModalDialog on Linux/Mac.
BUG=15891
TEST=covered by UI tests, undef's them for POSIX
Review URL: http://codereview.chromium.org/242043
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@27456 0039d316-1c4b-4281-b951-d872f2087c98
http://codereview.chromium.org/165280 helped a lot, but it turns out that the ResourceClientProxy keeps a reference to the channel, and it's hard to clean those in time.
To be on the safe side, remove the name->FD mapping when the channel is removed from the name->channel map.
Also remove it when a channel error occurs. Again, to be on the safe side, the channel is unusable at this point (the other side may have closed it already), so it's better to drop it.
BUG=18521
Review URL: http://codereview.chromium.org/171100
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23666 0039d316-1c4b-4281-b951-d872f2087c98
This splits the ipc code from the common project. The 'common' project pulls in
all of webkit, the v8 bindings, skia, googleurl, and a number of other projects
which makes it very difficult to deal with especially for external projects
wanting just to use some of Chromium's infrastructure. This puts the ipc code
into its top-level ipc/ directory with a dependency only on base. The common
project depends on the new ipc/ipc.gyp:ipc target so that all projects currently
pulling common in to get the IPC code still have it available. This mostly
follows agl's pre-gyp attempt to do this which was r13062.
Known issues:
- Currently a number of projects depend on chrome/chrome.gyp:common in order to
use the IPC infrastructure. Rather than fixing all of these dependencies I have
made common depend on ipc/ipc.gyp:ipc and added "ipc" to the include_rules
section of DEPS so that checkdeps.py doesn't complain. Over time projects that
need IPC should depend on the IPC project themselves and dependencies on common
removed, although I don't think many projects that need IPC will be able to get
away without common currently.
- ipc/ipc_message_macros.h still has #include "chrome/common/..." inside of a
ipc/ should not refer to files in chrome/... now. I'm not sure how to resolve
this since it's really an IDE bug
- the named pipe name (windows+linux) and the logging event name (all) + env
variable (posix) refer explicitly to 'Chrome' which somewhat hurts the illusion
of ipc/ being an independent library. I think this should be examined in a
subsequent, much smaller patch.
- I've eliminated the IPC.SendMsgCount counter since it was implemented in a way
to create a dependency from ipc/ to chrome/common/chrome_counters. This is the
same approach that r13062 took.
http://codereview.chromium.org/155905
(Patch from James Robinson)
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@21342 0039d316-1c4b-4281-b951-d872f2087c98
IPC channel (doh!).
BUG=119052
TEST=covered by ui test that Amit added
Review URL: http://codereview.chromium.org/119158
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17712 0039d316-1c4b-4281-b951-d872f2087c98
They're ASCII anyway.
TEST=covered by existing tests
Review URL: http://codereview.chromium.org/119131
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17682 0039d316-1c4b-4281-b951-d872f2087c98
This involves two plugin instances with second instance making
sync calls to the renderer while the first one is still servicing
an incoming sync request.
Our logic to unblock the renderer during the sync call fails
since the 'in_dispatch_' counter is maintained per plugin channel
(each plugin instance uses its own separate channel). Making
'in_dispatch_' counter static member of PluginChannelBase fixes this
deadlock.
Added a new NPAPI UI test for this scenario.
BUG=12624
TEST=MultipleInstancesSyncCalls
Review URL: http://codereview.chromium.org/119052
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17492 0039d316-1c4b-4281-b951-d872f2087c98
The goal of this change is to *not* make any behavioral change, but to
instead just get all the plugin-related files linking on Linux with
a bunch of NOTIMPLEMENTED()s in the appropriate places. It's enormous
enough already without any refactorings or new features.
Changes include:
- Lots of gcc warning fixes.
- Use portable replacements for Windows-specific functions (_strdup, etc.).
- Use TransportDIB instead of just shared memory in the plugin messaging.
Note that this is not fleshed out on Linux and on Windows it just hacks
in the existing handles so there should be no functional change.
- Fix --plugin-launcher to use cross-platform APIs.
Review URL: http://codereview.chromium.org/79020
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@14338 0039d316-1c4b-4281-b951-d872f2087c98
This reverts commit r13062 which, unsurprisingly, broke the build.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@13063 0039d316-1c4b-4281-b951-d872f2087c98
(No review URL: Rietveld couldn't cope)
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@13062 0039d316-1c4b-4281-b951-d872f2087c98
shutdown, to avoid races in which the browser process thinks the process is fine to use while it's shutting down. I also removed PluginProcess/WorkerProcess since they didn't have any code in them now.
I removed the plugin process code which waits 10 seconds before shutting itself down. That was a premature optimization, since testing with/without this didn't show any difference (see http://www/~jabdelmalek/chrome/test/plugins/processes.html). In both cases, the plugin on a page would get recreated in less than 100ms, even with reusing or starting a plugin process from scratch. We already spawn new renderer processes on back and forth if it's a different origin, and the plugin will be in the cache anyways.
Review URL: http://codereview.chromium.org/53091
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@12703 0039d316-1c4b-4281-b951-d872f2087c98
Fix files with lines > 80 cols. Part 2.
Review URL: http://codereview.chromium.org/40226
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@11326 0039d316-1c4b-4281-b951-d872f2087c98
ChildProcess now owns the ChildThread, which removes duplicate code and simplifies things.
Clean up ChildProcess, there really was no need for all the templates and statics in it and its subclasses.
Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=10080
Review URL: http://codereview.chromium.org/21502
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@10144 0039d316-1c4b-4281-b951-d872f2087c98
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@10082 0039d316-1c4b-4281-b951-d872f2087c98
ChildProcess now owns the ChildThread, which removes duplicate code and simplifies things.
Clean up ChildProcess, there really was no need for all the templates and statics in it and its subclasses.
Review URL: http://codereview.chromium.org/21502
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@10080 0039d316-1c4b-4281-b951-d872f2087c98
which does the right thing based on whatever platform we're
compiling for, along with changing the hardcoded "stdext::",
which is an MSVC++ism, to use base::hash_{map,set}.
B=1869
Review URL: http://codereview.chromium.org/1629
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@1862 0039d316-1c4b-4281-b951-d872f2087c98
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@1287 0039d316-1c4b-4281-b951-d872f2087c98
blocking calls. This replaces my previous CL that was somehow duplicating some of these functionalities.
BUG=None
TEST=Run the unit tests.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@691 0039d316-1c4b-4281-b951-d872f2087c98
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@15 0039d316-1c4b-4281-b951-d872f2087c98