Pepper: Fix renderer crash on plugin destruction.

The FileDownloader refactor caused callbacks to be more tightly bound to PnaclCoordinator than they were previously. Before the refactor, callbacks that were invoked as the pexe was downloaded (or the cached translated nexe was received) were generated through the CompletionCallbackFactory interface, which would cause them to be cancelled when PnaclCoordinator was destroyed. This change checks that the plugin instance is still alive before calling any of the callbacks in the PPP_PexeStreamHandler interface. I tried conducting some local testing, but didn't manage to hit quite the same codepath as the one reported in the bug. BUG=400171 Review URL: https://codereview.chromium.org/433633003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@287472 0039d316-1c4b-4281-b951-d872f2087c98

Pepper: Fix renderer crash on plugin destruction.
The FileDownloader refactor caused callbacks to be more tightly bound to PnaclCoordinator than they were previously. Before the refactor, callbacks that were invoked as the pexe was downloaded (or the cached translated nexe was received) were generated through the CompletionCallbackFactory interface, which would cause them to be cancelled when PnaclCoordinator was destroyed. This change checks that the plugin instance is still alive before calling any of the callbacks in the PPP_PexeStreamHandler interface. I tried conducting some local testing, but didn't manage to hit quite the same codepath as the one reported in the bug. BUG=400171 Review URL: https://codereview.chromium.org/433633003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@287472 0039d316-1c4b-4281-b951-d872f2087c98
f693a594 · teravest@chromium.org · 89eaeab3 · f693a594
Commit f693a594 authored Aug 05, 2014 by teravest@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 5 deletions

components/nacl/renderer/ppb_nacl_private_impl.cc components/nacl/renderer/ppb_nacl_private_impl.cc +16 -5

No files found.
--- a/components/nacl/renderer/ppb_nacl_private_impl.cc
+++ b/components/nacl/renderer/ppb_nacl_private_impl.cc
@@ -1535,6 +1535,8 @@ void SetPNaClStartTime(PP_Instance instance) {
    load_manager->set_pnacl_start_time(base::Time::Now());
 }
+// PexeDownloader is responsible for deleting itself when the download
+// finishes.
 class PexeDownloader : public blink::WebURLLoaderClient {
 public:
  PexeDownloader(PP_Instance instance,
@@ -1602,6 +1604,11 @@ class PexeDownloader : public blink::WebURLLoaderClient {
  virtual void didGetNexeFd(int32_t pp_error,
                            bool cache_hit,
                            PP_FileHandle file_handle) {
+    if (!content::PepperPluginInstance::Get(instance_)) {
+      delete this;
+      return;
+    }
    HistogramEnumerate("NaCl.Perf.PNaClCache.IsHit", cache_hit, 2);
    if (cache_hit) {
      stream_handler_->DidCacheHit(stream_handler_user_data_, file_handle);
@@ -1623,17 +1630,21 @@ class PexeDownloader : public blink::WebURLLoaderClient {
                              const char* data,
                              int data_length,
                              int encoded_data_length) {
-    // Stream the data we received to the stream callback.
+    if (content::PepperPluginInstance::Get(instance_)) {
-    stream_handler_->DidStreamData(stream_handler_user_data_,
+      // Stream the data we received to the stream callback.
-                                   data,
+      stream_handler_->DidStreamData(stream_handler_user_data_,
-                                   data_length);
+                                     data,
+                                     data_length);
+    }
  }
  virtual void didFinishLoading(blink::WebURLLoader* loader,
                                double finish_time,
                                int64_t total_encoded_data_length) {
    int32_t result = success_ ? PP_OK : PP_ERROR_FAILED;
-    stream_handler_->DidFinishStream(stream_handler_user_data_, result);
+    if (content::PepperPluginInstance::Get(instance_))
+      stream_handler_->DidFinishStream(stream_handler_user_data_, result);
    delete this;
  }