PPAPI: Never re-enter JavaScript for PostMessage.

content/renderer/pepper/message_channel.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/pepper/message_channel.h"
 
 #include <cstdlib>
 #include <string>
 
 #include "base/bind.h"
@@ skipping 92 matching lines @@
   return message_channel;
 }
 
 MessageChannel::~MessageChannel() {
   passthrough_object_.Reset();
   if (instance_)
     instance_->MessageChannelDestroyed();
 }
 
 void MessageChannel::InstanceDeleted() {
+  ppapi::proxy::HostDispatcher* dispatcher =
+      ppapi::proxy::HostDispatcher::GetForInstance(instance_->pp_instance());
+  // The dispatcher is NULL for in-process.
+  if (dispatcher)
+    dispatcher->RemoveSyncMessageStatusObserver(this);
+
   instance_ = NULL;
 }
 
 void MessageChannel::PostMessageToJavaScript(PP_Var message_data) {
   v8::HandleScope scope(v8::Isolate::GetCurrent());
 
   // Because V8 is probably not on the stack for Native->JS calls, we need to
   // enter the appropriate context for the plugin.
   v8::Local<v8::Context> context = instance_->GetContext();
   if (context.IsEmpty())
     return;
 
   v8::Context::Scope context_scope(context);
 
   v8::Handle<v8::Value> v8_val;
   if (!V8VarConverter(instance_->pp_instance())
            .ToV8Value(message_data, context, &v8_val)) {
     PpapiGlobals::Get()->LogWithSource(instance_->pp_instance(),
                                        PP_LOGLEVEL_ERROR,
                                        std::string(),
                                        kVarToV8ConversionError);
     return;
   }
 
   WebSerializedScriptValue serialized_val =
       WebSerializedScriptValue::serialize(v8_val);
 
-  if (early_message_queue_state_ != SEND_DIRECTLY) {
+  if (js_message_queue_state_ != SEND_DIRECTLY) {
     // We can't just PostTask here; the messages would arrive out of
     // order. Instead, we queue them up until we're ready to post
     // them.
-    early_message_queue_.push_back(serialized_val);
+    js_message_queue_.push_back(serialized_val);
   } else {
     // The proxy sent an asynchronous message, so the plugin is already
     // unblocked. Therefore, there's no need to PostTask.
-    DCHECK(early_message_queue_.empty());
+    DCHECK(js_message_queue_.empty());
     PostMessageToJavaScriptImpl(serialized_val);
   }
 }
 
 void MessageChannel::Start() {
-  // We PostTask here instead of draining the message queue directly
+  DCHECK_EQ(WAITING_TO_START, js_message_queue_state_);
+  DCHECK_EQ(WAITING_TO_START, plugin_message_queue_state_);
+
+  ppapi::proxy::HostDispatcher* dispatcher =
+      ppapi::proxy::HostDispatcher::GetForInstance(instance_->pp_instance());
+  // The dispatcher is NULL for in-process.
+  if (dispatcher)
+    dispatcher->AddSyncMessageStatusObserver(this);
+
+  // We can't drain the JS message queue directly

[raymes, 2014/09/23 02:57:09]

nit: fill the 80 chars

[raymes, 2014/09/24 00:05:47]

I think you missed this comment, but I'm ok to land it and fix this after with a
TBR

   // since we haven't finished initializing the PepperWebPluginImpl yet, so
   // the plugin isn't available in the DOM.
-  base::MessageLoop::current()->PostTask(
-      FROM_HERE,
-      base::Bind(&MessageChannel::DrainEarlyMessageQueue,
-                 weak_ptr_factory_.GetWeakPtr()));
+  DrainJSMessageQueueSoon();
+
+  plugin_message_queue_state_ = SEND_DIRECTLY;
+  DrainCompletedPluginMessages();
 }
 
 void MessageChannel::SetPassthroughObject(v8::Handle<v8::Object> passthrough) {
   passthrough_object_.Reset(instance_->GetIsolate(), passthrough);
 }
 
 void MessageChannel::SetReadOnlyProperty(PP_Var key, PP_Var value) {
   StringVar* key_string = StringVar::FromPPVar(key);
   if (key_string) {
     internal_named_properties_[key_string->value()] = ScopedPPVar(value);
   } else {
     NOTREACHED();
   }
 }
 
 MessageChannel::MessageChannel(PepperPluginInstanceImpl* instance)
     : gin::NamedPropertyInterceptor(instance->GetIsolate(), this),
       instance_(instance),
-      early_message_queue_state_(QUEUE_MESSAGES),
+      js_message_queue_state_(WAITING_TO_START),
+      blocking_message_depth_(0),
+      plugin_message_queue_state_(WAITING_TO_START),
       weak_ptr_factory_(this) {
 }
 
 gin::ObjectTemplateBuilder MessageChannel::GetObjectTemplateBuilder(
     v8::Isolate* isolate) {
   return Wrappable<MessageChannel>::GetObjectTemplateBuilder(isolate)
       .AddNamedPropertyInterceptor();
 }
 
+void MessageChannel::BeginBlockOnSyncMessage() {
+  js_message_queue_state_ = QUEUE_MESSAGES;
+  ++blocking_message_depth_;
+}
+
+void MessageChannel::EndBlockOnSyncMessage() {
+  --blocking_message_depth_;

[raymes, 2014/09/23 02:57:09]

is it worth adding a DCHECK here that we don't go into negative?

[raymes, 2014/09/24 00:05:48]

This too, but it's not crucial

+  if (!blocking_message_depth_)
+    DrainJSMessageQueueSoon();
+}
+
 v8::Local<v8::Value> MessageChannel::GetNamedProperty(
     v8::Isolate* isolate,
     const std::string& identifier) {
   if (!instance_)
     return v8::Local<v8::Value>();
 
   PepperTryCatchV8 try_catch(instance_, V8VarConverter::kDisallowObjectVars,
                              isolate);
   if (identifier == kPostMessage) {
     return gin::CreateFunctionTemplate(isolate,
@@ skipping 80 matching lines @@
     try_catch.ThrowException(
         "postMessageAndAwaitResponse requires one argument");
     return;
   }
 
   v8::Handle<v8::Value> message_data;
   if (!args->GetNext(&message_data)) {
     NOTREACHED();
   }
 
-  if (early_message_queue_state_ == QUEUE_MESSAGES) {
+  if (plugin_message_queue_state_ == WAITING_TO_START) {
     try_catch.ThrowException(
         "Attempted to call a synchronous method on a plugin that was not "
         "yet loaded.");
     return;
   }
 
   // If the queue of messages to the plugin is non-empty, we're still waiting on
   // pending Var conversions. This means at some point in the past, JavaScript
   // called postMessage (the async one) and passed us something with a browser-
   // side host (e.g., FileSystem) and we haven't gotten a response from the
@@ skipping 92 matching lines @@
                                          const ScopedPPVar& result,
                                          bool success) {
   if (!instance_)
     return;
   result_holder->ConversionCompleted(result, success);
   DrainCompletedPluginMessages();
 }
 
 void MessageChannel::DrainCompletedPluginMessages() {
   DCHECK(instance_);
-  if (early_message_queue_state_ == QUEUE_MESSAGES)
+  if (plugin_message_queue_state_ == WAITING_TO_START)
     return;
 
   while (!plugin_message_queue_.empty() &&
          plugin_message_queue_.front().conversion_completed()) {
     const VarConversionResult& front = plugin_message_queue_.front();
     if (front.success()) {
       instance_->HandleMessage(front.var());
     } else {
       PpapiGlobals::Get()->LogWithSource(instance()->pp_instance(),
                                          PP_LOGLEVEL_ERROR,
                                          std::string(),
                                          kV8ToVarConversionError);
     }
     plugin_message_queue_.pop_front();
   }
 }
 
-void MessageChannel::DrainEarlyMessageQueue() {
+void MessageChannel::DrainJSMessageQueue() {
   if (!instance_)
     return;
-  DCHECK(early_message_queue_state_ == QUEUE_MESSAGES);
+  if (js_message_queue_state_ == SEND_DIRECTLY)
+    return;
 
   // Take a reference on the PluginInstance. This is because JavaScript code
   // may delete the plugin, which would destroy the PluginInstance and its
   // corresponding MessageChannel.
   scoped_refptr<PepperPluginInstanceImpl> instance_ref(instance_);
-  while (!early_message_queue_.empty()) {
-    PostMessageToJavaScriptImpl(early_message_queue_.front());
-    early_message_queue_.pop_front();
+  while (!js_message_queue_.empty()) {
+    PostMessageToJavaScriptImpl(js_message_queue_.front());
+    js_message_queue_.pop_front();
   }
-  early_message_queue_state_ = SEND_DIRECTLY;
+  js_message_queue_state_ = SEND_DIRECTLY;
+}
 
-  DrainCompletedPluginMessages();
+void MessageChannel::DrainJSMessageQueueSoon() {
+  base::MessageLoop::current()->PostTask(
+      FROM_HERE,
+      base::Bind(&MessageChannel::DrainJSMessageQueue,
+                 weak_ptr_factory_.GetWeakPtr()));
 }
 
 }  // namespace content