From 67d3db3299f54699716f9b736ddc22a522af7b81 Mon Sep 17 00:00:00 2001
From: "jam@chromium.org"
Date: Tue, 4 Nov 2008 00:40:27 +0000
Subject: Fix for crash in NPN_Invoke.

This happened because the window script NPObject was deallocated by the script controller but WebPluginDelegateProxy wasn't telling NPObjectStub that it's contained object was garbage soon enough.

BUG=1036087
Review URL: http://codereview.chromium.org/9066

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@4526 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome/renderer/webplugin_delegate_proxy.cc | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

(limited to 'chrome/renderer/webplugin_delegate_proxy.cc')

diff --git a/chrome/renderer/webplugin_delegate_proxy.cc b/chrome/renderer/webplugin_delegate_proxy.cc
index 315fc89..67dcce2 100644
--- a/chrome/renderer/webplugin_delegate_proxy.cc
+++ b/chrome/renderer/webplugin_delegate_proxy.cc
@@ -149,30 +149,32 @@ WebPluginDelegateProxy::WebPluginDelegateProxy(const std::string& mime_type,
 }
 
 WebPluginDelegateProxy::~WebPluginDelegateProxy() {
-  if (npobject_)
+}
+
+void WebPluginDelegateProxy::PluginDestroyed() {
+  plugin_ = NULL;
+
+  if (npobject_) {
+    // When we destroy the plugin instance, the NPObjectStub NULLs out its
+    // pointer to the npobject (see NPObjectStub::OnChannelError). Therefore,
+    // we release the object before destroying the instance to avoid leaking.
     NPN_ReleaseObject(npobject_);
+    npobject_ = NULL;
+  }
 
   if (window_script_object_) {
+    // The ScriptController deallocates this object independent of its ref count
+    // to avoid leaks if the plugin forgets to release it. So mark the object
+    // invalid to avoid accessing it past this point.
     window_script_object_->set_proxy(NULL);
     window_script_object_->set_invalid();
   }
-}
-
-void WebPluginDelegateProxy::PluginDestroyed() {
-  plugin_ = NULL;
 
   if (channel_host_) {
-    if (npobject_) {
-      // When we destroy the plugin instance, the NPObjectStub NULLs out its
-      // pointer to the npobject (see NPObjectStub::OnChannelError). Therefore,
-      // we release the object before destroying the instance to avoid leaking.
-      NPN_ReleaseObject(npobject_);
-      npobject_ = NULL;
-    }
-
     channel_host_->RemoveRoute(instance_id_);
     Send(new PluginMsg_DestroyInstance(instance_id_));
   }
+
   render_view_->PluginDestroyed(this);
   MessageLoop::current()->DeleteSoon(FROM_HERE, this);
 }
-- 
cgit v1.1
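Review bot: The destructor is now empty, so releasing npobject_ and invalidating window_script_object_ happen only inside PluginDestroyed(); if any code path deletes a WebPluginDelegateProxy without first calling PluginDestroyed() (the hunk does not show whether such a path exists), window_script_object_ keeps a dangling proxy pointer, which is the same class of stale-pointer bug this commit fixes. I would make that contract explicit in the now-empty destructor with `DCHECK(!plugin_);` and `DCHECK(!npobject_);` (or the project's equivalent debug assertion) plus a one-line comment stating that all teardown lives in PluginDestroyed(). Separately, PluginDestroyed() has no guard against being entered twice: channel_host_ is never cleared, so a second call would RemoveRoute/Send again and schedule a second DeleteSoon on the same object; this predates the commit, but since the method now owns all cleanup it is worth a note or an early return. Note also that render_view_ is dereferenced unguarded while channel_host_ is null-checked; if render_view_ can be null here, that needs the same check.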