Fix resource destruction in proxy

This ensures that the resource on the plugin side is destroyed before we send the message to the host, so that it has a chance to do proper cleanup. Also, fix Surface3D destruction that could cause a write-after-free. BUG=none TEST=go to youtube with out-of-process pepper flash. click on fullscreen. observe no hang, no crash Review URL: http://codereview.chromium.org/6771042 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@80188 0039d316-1c4b-4281-b951-d872f2087c98
cbchan · Apr 1, 2011 · 12dbac9 · 12dbac9
1 parent f2d3ce0
commit 12dbac9
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 23 deletions.
diff --git a/ppapi/proxy/plugin_resource_tracker.cc b/ppapi/proxy/plugin_resource_tracker.cc
@@ -120,24 +120,25 @@ void PluginResourceTracker::ReleasePluginResourceRef(
     return;
   found->second.ref_count--;
   if (found->second.ref_count == 0) {
-    PluginResource* plugin_resource = found->second.resource.get();
-    if (notify_browser_on_release)
-      SendReleaseResourceToHost(resource, plugin_resource);
-    host_resource_map_.erase(plugin_resource->host_resource());
+    // Keep a reference while removing in case the destructor ends up
+    // re-entering. That way, when the destructor is called, it's out of the
+    // maps.
+    linked_ptr<PluginResource> plugin_resource = found->second.resource;
+    PluginDispatcher* dispatcher =
+        PluginDispatcher::GetForInstance(plugin_resource->instance());
+    HostResource host_resource = plugin_resource->host_resource();
+    host_resource_map_.erase(host_resource);
     resource_map_.erase(found);
-  }
-}
-
-void PluginResourceTracker::SendReleaseResourceToHost(
-    PP_Resource resource_id,
-    PluginResource* resource) {
-  PluginDispatcher* dispatcher =
-      PluginDispatcher::GetForInstance(resource->instance());
-  if (dispatcher) {
-    dispatcher->Send(new PpapiHostMsg_PPBCore_ReleaseResource(
-        INTERFACE_ID_PPB_CORE, resource->host_resource()));
-  } else {
-    NOTREACHED();
+    plugin_resource.reset();
+
+    if (notify_browser_on_release) {
+      if (dispatcher) {
+        dispatcher->Send(new PpapiHostMsg_PPBCore_ReleaseResource(
+            INTERFACE_ID_PPB_CORE, host_resource));
+      } else {
+        NOTREACHED();
+      }
+    }
   }
 }
 

diff --git a/ppapi/proxy/plugin_resource_tracker.h b/ppapi/proxy/plugin_resource_tracker.h
@@ -75,11 +75,6 @@ class PluginResourceTracker {
   void ReleasePluginResourceRef(const PP_Resource& var,
                                 bool notify_browser_on_release);
 
-  // Sends a ReleaseResource message to the host corresponding to the given
-  // resource.
-  void SendReleaseResourceToHost(PP_Resource resource_id,
-                                 PluginResource* resource);
-
   // Map of plugin resource IDs to the information tracking that resource.
   typedef std::map<PP_Resource, ResourceInfo> ResourceMap;
   ResourceMap resource_map_;

diff --git a/ppapi/proxy/ppb_surface_3d_proxy.cc b/ppapi/proxy/ppb_surface_3d_proxy.cc
@@ -16,6 +16,11 @@
 namespace pp {
 namespace proxy {
 
+Surface3D::~Surface3D() {
+  if (context_)
+    context_->BindSurfaces(NULL, NULL);
+}
+
 namespace {
 
 PP_Resource Create(PP_Instance instance,

diff --git a/ppapi/proxy/ppb_surface_3d_proxy.h b/ppapi/proxy/ppb_surface_3d_proxy.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -30,6 +30,7 @@ class Surface3D : public PluginResource {
         context_(NULL),
         current_flush_callback_(PP_BlockUntilComplete()) {
   }
+  virtual ~Surface3D();
 
   // Resource overrides.
   virtual Surface3D* AsSurface3D() { return this; }