Fix a race condition in the Java Bridge when adding objects

content/renderer/java/java_bridge_dispatcher.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/java/java_bridge_dispatcher.h"
 
 #include "content/common/child_process.h"
 #include "content/common/java_bridge_messages.h"
 #include "content/common/npobject_util.h"  // For CreateNPVariant()
 #include "content/public/renderer/render_thread.h"
 #include "content/public/renderer/render_view.h"
 #include "content/renderer/java/java_bridge_channel.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebBindings.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebDocument.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebFrame.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebView.h"
 
 JavaBridgeDispatcher::JavaBridgeDispatcher(
-    content::RenderView* render_view,
-    const IPC::ChannelHandle& channel_handle)
+    content::RenderView* render_view)
     : RenderViewObserver(render_view) {
+}
+
+void JavaBridgeDispatcher::EnsureChannelIsSetUp() {
+  if (channel_.get()) {
+    return;
+  }
+
+  IPC::ChannelHandle channel_handle;
+  render_view()->Send(new JavaBridgeMsg_GetChannelHandle(

[jam, 2011/12/07 22:07:03]

nit: "render_view()->" isn't needed, and render_view()->GetRoutingId() can just
be "routing_id(). Send() and routing_id() are methods on RenderViewObserver.

[Steve Block, 2011/12/08 11:17:56]

Done.

+      render_view()->GetRoutingId(),
+      &channel_handle));
+
   channel_.reset(JavaBridgeChannel::GetJavaBridgeChannel(
       channel_handle, ChildProcess::current()->io_message_loop_proxy()));
 }
 
 JavaBridgeDispatcher::~JavaBridgeDispatcher() {
   for (ObjectMap::const_iterator iter = objects_.begin();
       iter != objects_.end(); ++iter) {
     WebKit::WebBindings::releaseObject(NPVARIANT_TO_OBJECT(iter->second));
   }
 }
@@ skipping 23 matching lines @@
     // deleted at any time after OnRemoveNamedObject() is called.
     web_frame->bindToWindowObject(iter->first,
         NPVARIANT_TO_OBJECT(iter->second));
   }
 }
 
 void JavaBridgeDispatcher::OnAddNamedObject(
     const string16& name,
     const NPVariant_Param& variant_param) {
   DCHECK_EQ(variant_param.type, NPVARIANT_PARAM_SENDER_OBJECT_ROUTING_ID);
+
+  EnsureChannelIsSetUp();
+
   // This creates an NPObject, wrapped as an NPVariant. We don't need the
   // containing window or the page URL, as we don't do re-entrant sync IPC.
   NPVariant variant;
   bool created =
       CreateNPVariant(variant_param, channel_.get(), &variant, 0, GURL());
   DCHECK(created);
   DCHECK_EQ(variant.type, NPVariantType_Object);
 
   // The NPObject is created with a ref count of one, which we remove when
   // OnRemoveNamedObject() is called for that object.
   ObjectMap::iterator iter = objects_.find(name);
   if (iter != objects_.end()) {
     WebKit::WebBindings::releaseObject(NPVARIANT_TO_OBJECT(iter->second));
   }
   objects_[name] = variant;
 }
 
 void JavaBridgeDispatcher::OnRemoveNamedObject(const string16& name) {
   // Removing an object does not unbind it from JavaScript until the window
   // object is next cleared. Note that the browser checks that the named object
   // is present.
   ObjectMap::iterator iter = objects_.find(name);
   DCHECK(iter != objects_.end());
   WebKit::WebBindings::releaseObject(NPVARIANT_TO_OBJECT(iter->second));
   objects_.erase(iter);
 }