From 3502a996955e749fa48f202ee27a63fbda528c03 Mon Sep 17 00:00:00 2001
From: "brettw@chromium.org"
Date: Mon, 18 Apr 2011 20:51:18 +0000
Subject: Keep the module in scope when executing scripts.

This prevents a crash when the script deletes the plugin object synchronously. This in turn deletes the dispatcher which will make the code returning the out param and exception to the plugin crash. To prevent the crash, this patch adds a way for the proxy to manipulate the refcount of the plugin object so that it's still alive when as long as the scripting message is being processed. A manual test is included. This is not automatically run now. I tried to fit it into the current test infrastructure and found it very challenging, We need to revisit this to allow custom tests to more easily be written.

TEST=manual with included plugin and html
BUG=none
Review URL: http://codereview.chromium.org/6881012

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81993 0039d316-1c4b-4281-b951-d872f2087c98
---
 webkit/plugins/ppapi/ppapi_plugin_instance.cc | 2 ++
 webkit/plugins/ppapi/ppb_proxy_impl.cc | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

(limited to 'webkit/plugins')

diff --git a/webkit/plugins/ppapi/ppapi_plugin_instance.cc b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
index cd2d59f..78df75b 100644
--- a/webkit/plugins/ppapi/ppapi_plugin_instance.cc
+++ b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
@@ -664,6 +664,8 @@ PP_Var PluginInstance::ExecuteScript(PP_Var script, PP_Var* exception) {
 NPVariant result;
 bool ok = WebBindings::evaluate(NULL, frame->windowObject(), &np_script,
 &result);
+ // DANGER! |this| could be deleted at this point if the script removed the
+ // plugin from the DOM.
 if (!ok) {
 // TODO(brettw) bug 54011: The TryCatch isn't working properly and
 // doesn't actually catch this exception.
diff --git a/webkit/plugins/ppapi/ppb_proxy_impl.cc b/webkit/plugins/ppapi/ppb_proxy_impl.cc
index 9c69891..fc861af 100644
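Review bot: The added DANGER comment after the WebBindings::evaluate call records a use-after-free hazard but adds no guard in this function; ExecuteScript continues past the hunk, so whether it dereferences |this| or member state afterwards cannot be seen here. The commit message says the fix is a refcount held by the proxy via AddRefModule/ReleaseModule, which covers the out-of-process path only as far as the proxy uses it; the in-process caller of ExecuteScript appears to get no equivalent hold. The comment should say what the reader is allowed to rely on after this point, e.g. `// DANGER! |this| could be deleted at this point if the script removed the` / `// plugin from the DOM. Use only locals and |exception| below; the proxy` / `// keeps the module alive across this call via PPB_Proxy_Private.` If the in-process path is also reachable with a script that removes the plugin, holding a scoped reference to the instance across evaluate() would close that case rather than documenting it.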
--- a/webkit/plugins/ppapi/ppb_proxy_impl.cc
+++ b/webkit/plugins/ppapi/ppb_proxy_impl.cc
@@ -44,11 +44,25 @@ int32_t GetURLLoaderBufferedBytes(PP_Resource url_loader) {
 return loader->buffer_size();
 }
 
+void AddRefModule(PP_Module module) {
+ PluginModule* plugin_module = ResourceTracker::Get()->GetModule(module);
+ if (plugin_module)
+ plugin_module->AddRef();
+}
+
+void ReleaseModule(PP_Module module) {
+ PluginModule* plugin_module = ResourceTracker::Get()->GetModule(module);
+ if (plugin_module)
+ plugin_module->Release();
+}
+
 const PPB_Proxy_Private ppb_proxy = {
 &PluginCrashed,
 &GetInstanceForResource,
 &SetReserveInstanceIDCallback,
- &GetURLLoaderBufferedBytes
+ &GetURLLoaderBufferedBytes,
+ &AddRefModule,
+ &ReleaseModule
 };
 
 } // namespace
--
cgit v1.1
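Review bot: ReleaseModule() resolves the PP_Module id through the ResourceTracker a second time and silently returns when GetModule() yields NULL, so a reference taken by AddRefModule() is never dropped if the module has left the tracker in between, and if the tracker ever reuses ids the Release would land on a different module; whether ids are recycled is not visible in this hunk. The commit message describes these as a balanced pair held for the duration of a scripting message, so an unknown module on Release is a refcount imbalance worth surfacing rather than ignoring, e.g. `DCHECK(plugin_module) << "ReleaseModule for module not in tracker";` in place of the bare `if`. Neither function has a header comment; a one-line one on AddRefModule such as `// Holds a reference to the module until the matching ReleaseModule(); the proxy uses this so a script that destroys the plugin cannot free the module while a scripting call is still returning its out-params.` would document the contract the commit relies on. The ppb_proxy initializer is positional, so the two appended entries must match the PPB_Proxy_Private declaration order in its header, which is outside this diff.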