[Android Java Bridge] Recycle old V8 wrapper objects on navigations

When browser navigates to another page, make sure we de-associate NPObjects of injected Java objects from their old V8 wrappers. Not doing this leads to potential leaks of JS objects from one context to another. BUG=372914 R=jochen@chromium.org Review URL: https://codereview.chromium.org/286823002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271002 0039d316-1c4b-4281-b951-d872f2087c98

[Android Java Bridge] Recycle old V8 wrapper objects on navigations
When browser navigates to another page, make sure we de-associate NPObjects of injected Java objects from their old V8 wrappers. Not doing this leads to potential leaks of JS objects from one context to another. BUG=372914 R=jochen@chromium.org Review URL: https://codereview.chromium.org/286823002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271002 0039d316-1c4b-4281-b951-d872f2087c98
9f016858 · mnaganov@chromium.org · 3f6cd0b4 · 9f016858 · 9f016858
Commit 9f016858 authored May 16, 2014 by mnaganov@chromium.org
2 changed files
--- a/content/public/android/javatests/src/org/chromium/content/browser/JavaBridgeBasicsTest.java
+++ b/content/public/android/javatests/src/org/chromium/content/browser/JavaBridgeBasicsTest.java
@@ -333,12 +333,13 @@ public class JavaBridgeBasicsTest extends JavaBridgeTestBase {
    @SmallTest
    @Feature({"AndroidWebView", "Android-JavaBridge"})
-    public void testClientPropertiesPersistAcrossPageLoads() throws Throwable {
+    public void testCustomPropertiesCleanedUpOnPageReloads() throws Throwable {
        assertEquals("object", executeJavaScriptAndGetStringResult("typeof testController"));
        executeJavaScript("testController.myProperty = 42;");
        assertEquals("42", executeJavaScriptAndGetStringResult("testController.myProperty"));
        synchronousPageReload();
-        assertEquals("42", executeJavaScriptAndGetStringResult("testController.myProperty"));
+        assertEquals("object", executeJavaScriptAndGetStringResult("typeof testController"));
+        assertEquals("undefined", executeJavaScriptAndGetStringResult("testController.myProperty"));
    }
    @SmallTest

--- a/content/renderer/java/java_bridge_dispatcher.cc
+++ b/content/renderer/java/java_bridge_dispatcher.cc
@@ -57,11 +57,15 @@ void JavaBridgeDispatcher::DidClearWindowObject() {
  for (ObjectMap::const_iterator iter = objects_.begin();
       iter != objects_.end();
       ++iter) {
+    NPObject* object = NPVARIANT_TO_OBJECT(iter->second);
+    // De-associate from the existing V8 wrapper, so we don't pull any
+    // of the wrapper's custom properties into the context of the page we
+    // have navigated to.
+    blink::WebBindings::dropV8WrapperForObject(object);
    // This refs the NPObject. This reference is dropped when either the window
    // object is later cleared, or the object is GC'ed. So the object may be
    // deleted at any time after OnRemoveNamedObject() is called.
-    render_frame()->GetWebFrame()->bindToWindowObject(
+    render_frame()->GetWebFrame()->bindToWindowObject(iter->first, object);
-        iter->first, NPVARIANT_TO_OBJECT(iter->second));
  }
 }