PPAPI: Fix GetBrowserInterface race conditions

ppapi/proxy/interface_list.cc

Index: ppapi/proxy/interface_list.cc
diff --git a/ppapi/proxy/interface_list.cc b/ppapi/proxy/interface_list.cc
index 295069e706d0b96bf7dfabe9715b93143e711984..64aff065cc29355607576bce0d34ee44761b7886 100644
--- a/ppapi/proxy/interface_list.cc
+++ b/ppapi/proxy/interface_list.cc
@@ -319,6 +319,8 @@ InterfaceList::~InterfaceList() {
 
 // static
 InterfaceList* InterfaceList::GetInstance() {
+  // CAUTION: This function is called without the ProxyLock to avoid excessive
+  // excessive locking from C++ wrappers. (See also GetBrowserInterface.)
   return Singleton<InterfaceList>::get();
 }
 
@@ -337,20 +339,19 @@ InterfaceProxy::Factory InterfaceList::GetFactoryForID(ApiID id) const {
 }
 
 const void* InterfaceList::GetInterfaceForPPB(const std::string& name) {
+  // CAUTION: This function is called without the ProxyLock to avoid excessive
+  // excessive locking from C++ wrappers. (See also GetBrowserInterface.)
   NameToInterfaceInfoMap::iterator found =
       name_to_browser_info_.find(name);
   if (found == name_to_browser_info_.end())
     return NULL;
 
   if (g_process_global_permissions.Get().HasPermission(
-          found->second.required_permission)) {
+          found->second->required_permission())) {
     // Only log interface use once per plugin.
-    if (!found->second.interface_logged) {
-      PluginGlobals::Get()->GetBrowserSender()->Send(
-          new PpapiHostMsg_LogInterfaceUsage(HashInterfaceName(name)));
-      found->second.interface_logged = true;
-    }
-    return found->second.iface;
+    found->second->LogWithUmaOnce(
+        PluginGlobals::Get()->GetBrowserSender(), name);
+    return found->second->iface();
   }
   return NULL;
 }
@@ -360,7 +361,18 @@ const void* InterfaceList::GetInterfaceForPPP(const std::string& name) const {
       name_to_plugin_info_.find(name);
   if (found == name_to_plugin_info_.end())
     return NULL;
-  return found->second.iface;
+  return found->second->iface();
+}
+
+void InterfaceList::InterfaceInfo::LogWithUmaOnce(
+    IPC::Sender* sender, const std::string& name) {
+  base::AutoLock acquire(sent_to_uma_lock_);
+  if (!sent_to_uma_) {

[teravest, 2014/09/12 21:00:17]

nit: I believe you could reduce the critical section as follows:
{
  {
    base::AutoLock acquire(sent_to_uma_lock_);
    if (sent_to_uma_) {
      return;
    }
    sent_to_uma_ = true;
  }
  PluginGlobals::Get()->GetBrowserSender()->Send(...);
}

It's only sent_to_uma_ that has to be protected under the lock, not the
GetBrowserSender()/Send() calls.

...that said, what's here is probably acceptable too.

[dmichael (off chromium), 2014/09/12 22:21:19]

Good point. Probably has no practical performance impact, but it makes it more
obvious what we're actually guarding. Done.

+    int hash = InterfaceList::HashInterfaceName(name);
+    PluginGlobals::Get()->GetBrowserSender()->Send(
+        new PpapiHostMsg_LogInterfaceUsage(hash));
+    sent_to_uma_ = true;
+  }
 }
 
 void InterfaceList::AddProxy(ApiID id,
@@ -383,16 +395,18 @@ void InterfaceList::AddPPB(const char* name,
                            const void* iface,
                            Permission perm) {
   DCHECK(name_to_browser_info_.find(name) == name_to_browser_info_.end());
-  name_to_browser_info_[name] = InterfaceInfo(iface, perm);
+  name_to_browser_info_.add(
+      name, scoped_ptr<InterfaceInfo>(new InterfaceInfo(iface, perm)));
 }
 
 void InterfaceList::AddPPP(const char* name,
                            const void* iface) {
   DCHECK(name_to_plugin_info_.find(name) == name_to_plugin_info_.end());
-  name_to_plugin_info_[name] = InterfaceInfo(iface, PERMISSION_NONE);
+  name_to_plugin_info_.add(
+      name,
+      scoped_ptr<InterfaceInfo>(new InterfaceInfo(iface, PERMISSION_NONE)));
 }
 
-// static
 int InterfaceList::HashInterfaceName(const std::string& name) {
   uint32 data = base::Hash(name.c_str(), name.size());
   // Strip off the signed bit because UMA doesn't support negative values,