If "widget" is already existed in the HashMap when

createScriptInstanceForWidget(widget) is called,
we need to release the reference of the matching
npObject to avoid leak.

HTMLPlugInElement::getInstance() only calls
createScriptInstanceForWidget(widget) once. But
HTMLEmbedElement is using its closest ancestor who
has objectTag to get the widget. So the same widget
can exist in the HashMap if both <object> and its
child <embed>'s getInstance() are called.

Fix http://b/issue?id=2553266

1 files changed, 13 insertions, 0 deletions

diff --git a/WebCore/bindings/v8/ScriptController.cpp b/WebCore/bindings/v8/ScriptController.cpp
index e2b886d..4e8ba5e 100644
--- a/WebCore/bindings/v8/ScriptController.cpp
+++ b/WebCore/bindings/v8/ScriptController.cpp
@@ -334,6 +334,19 @@ PassScriptInstance ScriptController::createScriptInstanceForWidget(Widget* widge
 
     v8::Local<v8::Object> wrapper = createV8ObjectForNPObject(npObject, 0);
 
+#ifdef ANDROID_FIX
+    // TODO: this should be up streamed.
+    // HTMLEmbedElement::getInstance() will call this function with its closest
+    // ancestor who has the objectTag. So this "widget" may be already in the
+    // HashMap. If it does, even m_pluginObjects.set() is a no-op, we do need to
+    // call _NPN_ReleaseObject on the npObject to balance the reference count.
+    PluginObjectMap::iterator it = m_pluginObjects.find(widget);
+    if (it != m_pluginObjects.end()) {
+        ASSERT(it->second == npObject);
+        _NPN_ReleaseObject(it->second);
+    }
+#endif
+
     // Track the plugin object. We've been given a reference to the object.
     m_pluginObjects.set(widget, npObject);