Fix scripting during NPP_Destroy. Note that if the plugin is making a call t...

chrome/plugin/npobject_stub.cc

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/plugin/npobject_stub.h"
 
 #include "chrome/common/child_process_logging.h"
 #include "chrome/common/plugin_messages.h"
 #include "chrome/plugin/npobject_util.h"
 #include "chrome/plugin/plugin_channel_base.h"
 #include "chrome/plugin/plugin_thread.h"
-#include "chrome/renderer/webplugin_delegate_proxy.h"
 #include "third_party/npapi/bindings/npapi.h"
 #include "third_party/npapi/bindings/npruntime.h"
 #include "webkit/api/public/WebBindings.h"
 #include "webkit/glue/plugins/plugin_constants_win.h"
 
 using WebKit::WebBindings;
 
 NPObjectStub::NPObjectStub(
     NPObject* npobject,
     PluginChannelBase* channel,
     int route_id,
     gfx::NativeViewId containing_window,
     const GURL& page_url)
     : npobject_(npobject),
       channel_(channel),
       route_id_(route_id),
-      valid_(true),
-      web_plugin_delegate_proxy_(NULL),
       containing_window_(containing_window),
       page_url_(page_url) {
   channel_->AddRoute(route_id, this, true);
 
   // We retain the object just as PluginHost does if everything was in-process.
   WebBindings::retainObject(npobject_);
 }
 
 NPObjectStub::~NPObjectStub() {
-  if (web_plugin_delegate_proxy_)
-    web_plugin_delegate_proxy_->DropWindowScriptObject();
-
   channel_->RemoveRoute(route_id_);
-  if (npobject_ && valid_)
+  if (npobject_)
     WebBindings::releaseObject(npobject_);
 }
 
 bool NPObjectStub::Send(IPC::Message* msg) {
   return channel_->Send(msg);
 }
 
+void NPObjectStub::OnPluginDestroyed() {
+  // We null out the underlying NPObject pointer since it's not valid anymore (
+  // ScriptController manually deleted the object).  As a result,
+  // OnMessageReceived won't dispatch any more messages.  Since this includes
+  // OnRelease, this object won't get deleted until OnChannelError which might
+  // not happen for a long time if this renderer process has a long lived
+  // plugin instance to the same process.  So we delete this object manually.
+  npobject_ = NULL;
+  MessageLoop::current()->DeleteSoon(FROM_HERE, this);
+}
+
 void NPObjectStub::OnMessageReceived(const IPC::Message& msg) {
   child_process_logging::ScopedActiveURLSetter url_setter(page_url_);
 
-  if (!valid_) {
+  if (!npobject_) {
     if (msg.is_sync()) {
       // The object could be garbage because the frame has gone away, so
       // just send an error reply to the caller.
       IPC::Message* reply = IPC::SyncMessage::GenerateReply(&msg);
       reply->set_reply_error();
       Send(reply);
     }
 
     return;
   }
 
   IPC_BEGIN_MESSAGE_MAP(NPObjectStub, msg)
     IPC_MESSAGE_HANDLER_DELAY_REPLY(NPObjectMsg_Release, OnRelease);
     IPC_MESSAGE_HANDLER(NPObjectMsg_HasMethod, OnHasMethod);
     IPC_MESSAGE_HANDLER_DELAY_REPLY(NPObjectMsg_Invoke, OnInvoke);
     IPC_MESSAGE_HANDLER(NPObjectMsg_HasProperty, OnHasProperty);
     IPC_MESSAGE_HANDLER(NPObjectMsg_GetProperty, OnGetProperty);
     IPC_MESSAGE_HANDLER_DELAY_REPLY(NPObjectMsg_SetProperty, OnSetProperty);
     IPC_MESSAGE_HANDLER(NPObjectMsg_RemoveProperty, OnRemoveProperty);
     IPC_MESSAGE_HANDLER(NPObjectMsg_Invalidate, OnInvalidate);
     IPC_MESSAGE_HANDLER(NPObjectMsg_Enumeration, OnEnumeration);
     IPC_MESSAGE_HANDLER_DELAY_REPLY(NPObjectMsg_Construct, OnConstruct);
     IPC_MESSAGE_HANDLER_DELAY_REPLY(NPObjectMsg_Evaluate, OnEvaluate);
     IPC_MESSAGE_HANDLER(NPObjectMsg_SetException, OnSetException);
     IPC_MESSAGE_UNHANDLED_ERROR()
   IPC_END_MESSAGE_MAP()
 }
 
 void NPObjectStub::OnChannelError() {
-  // When the plugin process is shutting down, all the NPObjectStubs
-  // destructors are called.  However the plugin dll might have already
-  // been released, in which case the NPN_ReleaseObject will cause a crash.
-  npobject_ = NULL;

[jam, 2009/10/06 07:10:48]

note: I tracked this code to
http://chrome-corpsvn.mtv/viewvc?view=rev&root=chrome&revision=11685, which was
a crash in LayoutPluginTester.UnloadNoCrash.  This code isn't needed anymore
since we now unload the plugin dll at process destruction, which is after we
have released all the NPObjectStub objects.  The test also runs fine with this
change.

   delete this;
 }
 
 void NPObjectStub::OnRelease(IPC::Message* reply_msg) {
   Send(reply_msg);
   delete this;
 }
 
 void NPObjectStub::OnHasMethod(const NPIdentifier_Param& name,
                                bool* result) {
@@ skipping 272 matching lines @@
 }
 
 void NPObjectStub::OnSetException(const std::string& message) {
   if (IsPluginProcess()) {
     NOTREACHED() << "Should only be called on NPObjects in the renderer";
     return;
   }
 
   WebBindings::setException(npobject_, message.c_str());
 }