From 8ec7bcff01381b7555f4dd1acc7184623dff5fd9 Mon Sep 17 00:00:00 2001
From: "ananta@chromium.org"
Date: Mon, 17 May 2010 21:06:13 +0000
Subject: In ChromeFrame the ChromeFrameAutomationProxy object is created on the background proxy channel thread and is accessed from the UI thread, the proxy channel thread and the IPC thread. This leads to a race condition when ChromeFrame is being torn down which occurs because the ChromeFrameAutomationProxy pointer is being set to NULL in the UI thread/deleted in the proxy background thread while it could be accessed while processing a callback in the IPC thread thus causing a crash. Fix is to ensure that the IPC thread does not access the ChromeFrameAutomationProxy pointer. To achieve this the callbacks are now individual context objects which when invoked forward the actions to the ChromeFrameAutomationClient object. The CreateExternalTab and ConnectExternalTab callbacks now complete their actions on the UI thread. While at this based on a discussion and lot of help from Stoyan we decided to clean up the sync message dispatching code used by ChromeFrame by having callbacks now derive from a SyncMessageCallContext class to ensure that these get cleaned up correctly in all cases. For e.g. if we don't receive a response for a message, etc and thus enable them to present a consistent interface to be invoked when we receive a response for a IPc message. Fixes bug http://code.google.com/p/chromium/issues/detail?id=44245 Bug=44245 Review URL: http://codereview.chromium.org/2073007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47453 0039d316-1c4b-4281-b951-d872f2087c98
---
chrome_frame/chrome_frame_automation.h | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
(limited to 'chrome_frame/chrome_frame_automation.h')
diff --git a/chrome_frame/chrome_frame_automation.h b/chrome_frame/chrome_frame_automation.h
index 01a64ac..3461eba2 100644
--- a/chrome_frame/chrome_frame_automation.h
+++ b/chrome_frame/chrome_frame_automation.h
@@ -23,6 +23,7 @@
 #include "chrome_frame/chrome_frame_delegate.h"
 #include "chrome_frame/chrome_frame_histograms.h"
 #include "chrome_frame/plugin_url_request.h"
+#include "chrome_frame/sync_msg_reply_dispatcher.h"
 // By a convoluated route, this timeout also winds up being the sync automation
 // message timeout. See the ChromeFrameAutomationProxyImpl ctor and the
@@ -35,8 +36,10 @@ enum AutomationPageFontSize;
 struct DECLSPEC_NOVTABLE ChromeFrameAutomationProxy { // NOLINT
 virtual bool Send(IPC::Message* msg) = 0;
- virtual void SendAsAsync(IPC::SyncMessage* msg, void* callback,
- void* key) = 0;
+ virtual void SendAsAsync(
+ IPC::SyncMessage* msg,
+ SyncMessageReplyDispatcher::SyncMessageCallContext* context,
+ void* key) = 0;
 virtual void CancelAsync(void* key) = 0;
 virtual scoped_refptr CreateTabProxy(int handle) = 0;
 virtual void ReleaseTabProxy(AutomationHandle handle) = 0;
@@ -55,7 +58,10 @@ class ChromeFrameAutomationProxyImpl : public ChromeFrameAutomationProxy,
 // .. and non-public inheritance is verboten.
 public AutomationProxy {
 public:
- virtual void SendAsAsync(IPC::SyncMessage* msg, void* callback, void* key);
+ virtual void SendAsAsync(
+ IPC::SyncMessage* msg,
+ SyncMessageReplyDispatcher::SyncMessageCallContext* context,
+ void* key);
 virtual void CancelAsync(void* key);
@@ -362,6 +368,9 @@ class ChromeFrameAutomationClient
 virtual void OnCookiesRetrieved(bool success, const GURL& url,
 const std::string& cookie_string, int cookie_id);
+ friend class BeginNavigateContext;
+ friend class CreateExternalTabContext;
+
 public:
 void SetUrlFetcher(PluginUrlRequestManager* url_fetcher) {
 DCHECK(url_fetcher != NULL);
--
cgit v1.1
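Review bot: The new `SyncMessageReplyDispatcher::SyncMessageCallContext* context` parameter on the pure virtual `SendAsAsync` states neither who owns the context nor when it is released, and since this commit exists to stop a reply callback running against an object that another thread has already torn down, that lifetime contract is exactly what a reader of this header needs; the override declared in ChromeFrameAutomationProxyImpl in the next hunk has the same gap. The description says contexts are cleaned up in all cases, including when no reply arrives, so if the dispatcher takes ownership I would say so above the declaration: `// Takes ownership of |context|: it is invoked on the IPC thread when the reply arrives and destroyed afterwards, or destroyed without being invoked if no reply arrives or CancelAsync(key) drops the pending call.` If the real policy differs from that, the comment should state the real one, since a caller that keeps a pointer past this call is the bug class being fixed. Both enclosing types continue outside their hunks.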
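Review bot: The two `friend class` lines give BeginNavigateContext and CreateExternalTabContext access to every private member of ChromeFrameAutomationClient, with no comment on why the friendship exists or from which thread those contexts may call into the client. Given the description says the contexts forward IPC-thread completions to the client while the CreateExternalTab path finishes on the UI thread, I would annotate them: `// Sync-reply contexts (see sync_msg_reply_dispatcher.h) that hand IPC completions back to this client; they must follow the same threading rules as the members they call.` Restricting the contexts to a small set of private entry points instead of class-wide friendship would be the stronger form, but that depends on the context classes' bodies, which are not in this hunk. The class body continues on both sides of the hunk.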