Ensure we don't leak ObjectProxy objects

ppapi/proxy/ppp_class_proxy.cc

Index: ppapi/proxy/ppp_class_proxy.cc
diff --git a/ppapi/proxy/ppp_class_proxy.cc b/ppapi/proxy/ppp_class_proxy.cc
index f8301e013eb04f9b3bb82af0090851bac1add18c..d269861de21d65da6955f40bfeef062b48246b2b 100644
--- a/ppapi/proxy/ppp_class_proxy.cc
+++ b/ppapi/proxy/ppp_class_proxy.cc
@@ -8,6 +8,7 @@
 #include "ppapi/c/dev/ppp_class_deprecated.h"
 #include "ppapi/c/pp_var.h"
 #include "ppapi/proxy/dispatcher.h"
+#include "ppapi/proxy/host_dispatcher.h"
 #include "ppapi/proxy/plugin_globals.h"
 #include "ppapi/proxy/ppapi_messages.h"
 #include "ppapi/proxy/serialized_var.h"
@@ -24,20 +25,25 @@ namespace {
 // Represents a plugin-implemented class in the browser process. This just
 // stores the data necessary to call back the plugin.
 struct ObjectProxy {
-  ObjectProxy(Dispatcher* d, int64_t p, int64_t ud)
-      : dispatcher(d), ppp_class(p), user_data(ud) {}
+  ObjectProxy(Dispatcher* d, int64_t p, int64_t ud, PP_Instance inst)
+      : dispatcher(d), ppp_class(p), user_data(ud), instance(inst) {}
 
   Dispatcher* dispatcher;
   int64_t ppp_class;
   int64_t user_data;
+  PP_Instance instance;
 };
 
 ObjectProxy* ToObjectProxy(void* data) {
   ObjectProxy* obj = reinterpret_cast<ObjectProxy*>(data);
-  if (!obj || !obj->dispatcher)
-    return NULL;
+  if (!obj)
+    return nullptr;
+  Dispatcher* dispatcher = HostDispatcher::GetForInstance(obj->instance);
+  if (!dispatcher)
+    return nullptr;
+  DCHECK_EQ(dispatcher, obj->dispatcher);
   if (!obj->dispatcher->permissions().HasPermission(PERMISSION_DEV))
-    return NULL;
+    return nullptr;
   return obj;
 }
 
@@ -162,8 +168,12 @@ PP_Var Construct(void* object,
 
 void Deallocate(void* object) {
   ObjectProxy* obj = ToObjectProxy(object);
-  if (!obj)
+  if (!obj) {
+    // Take care to delete the object even if we can't use it to notify the
+    // plugin.
+    delete reinterpret_cast<ObjectProxy*>(object);

[piman, 2016/03/29 18:28:51]

nit: static_cast

     return;
+  }
 
   obj->dispatcher->Send(new PpapiMsg_PPPClass_Deallocate(
       API_ID_PPP_CLASS, obj->ppp_class, obj->user_data));
@@ -219,8 +229,8 @@ PP_Var PPP_Class_Proxy::CreateProxiedObject(const PPB_Var_Deprecated* var,
                                             PP_Instance instance_id,
                                             int64_t ppp_class,
                                             int64_t class_data) {
-  ObjectProxy* object_proxy = new ObjectProxy(dispatcher,
-                                              ppp_class, class_data);

[raymes, 2016/04/05 07:48:46]

piman: how about tracking these objects, either in a static std::map that lives
in this file or in HostVarTracker. They would be cleaned up on instance
deletion.

A more hacky but easier alternative would be to just delete the pointer in
PluginObject. We know for sure that it was always allocated here. I think this
code could probably be unwound to pass this object directly into PluginObject
and manage the lifetime there but it would be a lot of work. 

+  ObjectProxy* object_proxy =
+      new ObjectProxy(dispatcher, ppp_class, class_data, instance_id);
   return var->CreateObject(instance_id, &class_interface, object_proxy);
 }