| OLD | NEW |
|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/plugin/npobject_stub.h" | 5 #include "content/plugin/npobject_stub.h" |
| 6 | 6 |
| 7 #include "content/common/content_client.h" | 7 #include "content/common/content_client.h" |
| 8 #include "content/common/plugin_messages.h" | 8 #include "content/common/plugin_messages.h" |
| 9 #include "content/plugin/npobject_util.h" | 9 #include "content/plugin/npobject_util.h" |
| 10 #include "content/plugin/plugin_channel_base.h" | 10 #include "content/plugin/plugin_channel_base.h" |
| 11 #include "content/plugin/plugin_thread.h" | 11 #include "content/plugin/plugin_thread.h" |
| 12 #include "third_party/npapi/bindings/npapi.h" | 12 #include "third_party/npapi/bindings/npapi.h" |
| 13 #include "third_party/npapi/bindings/npruntime.h" | 13 #include "third_party/npapi/bindings/npruntime.h" |
| 14 #include "third_party/WebKit/Source/WebKit/chromium/public/WebBindings.h" | 14 #include "third_party/WebKit/Source/WebKit/chromium/public/WebBindings.h" |
| 15 #include "webkit/plugins/npapi/plugin_constants_win.h" | 15 #include "webkit/plugins/npapi/plugin_constants_win.h" |
| 16 | 16 |
| 17 using WebKit::WebBindings; | 17 using WebKit::WebBindings; |
| 18 | 18 |
| 19 NPObjectStub::NPObjectStub( | 19 NPObjectStub::NPObjectStub( |
| 20 NPObject* npobject, | 20 NPObject* npobject, |
| 21 PluginChannelBase* channel, | 21 PluginChannelBase* channel, |
| 22 int route_id, | 22 int route_id, |
| 23 gfx::NativeViewId containing_window, | 23 gfx::NativeViewId containing_window, |
| 24 const GURL& page_url) | 24 const GURL& page_url) |
| 25 : npobject_(npobject), | 25 : has_deletion_stack_trace_(false), |
| 26 liveness_token_(kTokenAlive), |
| 27 npobject_(npobject), |
| 26 channel_(channel), | 28 channel_(channel), |
| 27 route_id_(route_id), | 29 route_id_(route_id), |
| 28 containing_window_(containing_window), | 30 containing_window_(containing_window), |
| 29 page_url_(page_url) { | 31 page_url_(page_url) { |
| 30 channel_->AddMappingForNPObjectStub(route_id, npobject); | 32 channel_->AddMappingForNPObjectStub(route_id, npobject); |
| 31 channel_->AddRoute(route_id, this, this); | 33 channel_->AddRoute(route_id, this, this); |
| 32 | 34 |
| 33 // We retain the object just as PluginHost does if everything was in-process. | 35 // We retain the object just as PluginHost does if everything was in-process. |
| 34 WebBindings::retainObject(npobject_); | 36 WebBindings::retainObject(npobject_); |
| 35 } | 37 } |
| 36 | 38 |
| 37 NPObjectStub::~NPObjectStub() { | 39 NPObjectStub::~NPObjectStub() { |
| 40 // Crash if this is a double free! |
| 41 CheckIsAlive(); |
| 42 |
| 38 channel_->RemoveRoute(route_id_); | 43 channel_->RemoveRoute(route_id_); |
| 39 CHECK(!npobject_); | 44 CHECK(!npobject_); |
| 45 |
| 46 // Mark the object as dead. |
| 47 liveness_token_ = kTokenDead; |
| 48 |
| 49 if (!has_deletion_stack_trace_) { |
| 50 // We will probably have already set a more specific stack trace from |
| 51 // DeleteSoonHelper. In case we got deleted from somewhere else, save the |
| 52 // current thread's stack trace. |
| 53 has_deletion_stack_trace_ = true; |
| 54 deletion_stack_trace_ = base::debug::StackTrace(); |
| 55 } |
| 56 |
| 57 // I doubt this is necessary to prevent optimization, but it can't hurt. |
| 58 base::debug::Alias(&liveness_token_); |
| 59 base::debug::Alias(&has_deletion_stack_trace_); |
| 60 base::debug::Alias(&deletion_stack_trace_); |
| 61 } |
| 62 |
| 63 // static |
| 64 void NPObjectStub::DeleteSoonHelper( |
| 65 const base::debug::StackTrace& task_origin_stack_trace, |
| 66 NPObjectStub* stub) { |
| 67 // Make sure the deletion stacktrace is going to be on the stack. |
| 68 base::debug::StackTrace origin = task_origin_stack_trace; |
| 69 base::debug::Alias(&origin); |
| 70 |
| 71 stub->CheckIsAlive(); |
| 72 |
| 73 // Use the task origin's stacktrace as our deletion stacktrace |
| 74 // (rather than the current thread's callstack). |
| 75 stub->has_deletion_stack_trace_ = true; |
| 76 stub->deletion_stack_trace_ = task_origin_stack_trace; |
| 77 |
| 78 delete stub; |
| 79 } |
| 80 |
| 81 void NPObjectStub::CheckIsAlive() { |
| 82 // Copy the deletion stacktrace onto stack in case we crash. |
| 83 base::debug::StackTrace deletion_stack_trace = deletion_stack_trace_; |
| 84 base::debug::Alias(&deletion_stack_trace); |
| 85 |
| 86 // Copy the token onto stack in case it mismatches so we can explore its |
| 87 // value. |
| 88 int liveness_token = liveness_token_; |
| 89 base::debug::Alias(&liveness_token); |
| 90 |
| 91 CHECK_EQ(liveness_token, kTokenAlive); |
| 40 } | 92 } |
| 41 | 93 |
| 42 void NPObjectStub::DeleteSoon(bool release_npobject) { | 94 void NPObjectStub::DeleteSoon(bool release_npobject) { |
| 95 CheckIsAlive(); |
| 96 |
| 43 if (npobject_) { | 97 if (npobject_) { |
| 44 channel_->RemoveMappingForNPObjectStub(route_id_, npobject_); | 98 channel_->RemoveMappingForNPObjectStub(route_id_, npobject_); |
| 45 if (release_npobject) | 99 if (release_npobject) |
| 46 WebBindings::releaseObject(npobject_); | 100 WebBindings::releaseObject(npobject_); |
| 47 npobject_ = NULL; | 101 npobject_ = NULL; |
| 48 MessageLoop::current()->DeleteSoon(FROM_HERE, this); | 102 MessageLoop::current()->PostTask( |
| 103 FROM_HERE, |
| 104 NewRunnableFunction( |
| 105 &NPObjectStub::DeleteSoonHelper, |
| 106 base::debug::StackTrace(), |
| 107 this)); |
| 49 } | 108 } |
| 50 } | 109 } |
| 51 | 110 |
| 52 bool NPObjectStub::Send(IPC::Message* msg) { | 111 bool NPObjectStub::Send(IPC::Message* msg) { |
| 112 CheckIsAlive(); |
| 53 return channel_->Send(msg); | 113 return channel_->Send(msg); |
| 54 } | 114 } |
| 55 | 115 |
| 56 NPObject* NPObjectStub::GetUnderlyingNPObject() { | 116 NPObject* NPObjectStub::GetUnderlyingNPObject() { |
| 57 return npobject_; | 117 return npobject_; |
| 58 } | 118 } |
| 59 | 119 |
| 60 IPC::Channel::Listener* NPObjectStub::GetChannelListener() { | 120 IPC::Channel::Listener* NPObjectStub::GetChannelListener() { |
| 61 return static_cast<IPC::Channel::Listener*>(this); | 121 return static_cast<IPC::Channel::Listener*>(this); |
| 62 } | 122 } |
| (...skipping 315 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 378 | 438 |
| 379 bool return_value = WebBindings::evaluateHelper(0, popups_allowed, npobject_, | 439 bool return_value = WebBindings::evaluateHelper(0, popups_allowed, npobject_, |
| 380 &script_string, &result_var); | 440 &script_string, &result_var); |
| 381 | 441 |
| 382 NPVariant_Param result_param; | 442 NPVariant_Param result_param; |
| 383 CreateNPVariantParam( | 443 CreateNPVariantParam( |
| 384 result_var, channel_, &result_param, true, containing_window_, page_url_); | 444 result_var, channel_, &result_param, true, containing_window_, page_url_); |
| 385 NPObjectMsg_Evaluate::WriteReplyParams(reply_msg, result_param, return_value); | 445 NPObjectMsg_Evaluate::WriteReplyParams(reply_msg, result_param, return_value); |
| 386 channel_->Send(reply_msg); | 446 channel_->Send(reply_msg); |
| 387 } | 447 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 7748024:
Add some instrumentation to catch the source of a potential double-free. (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/