summaryrefslogtreecommitdiffstats
path: root/WebKit/android/plugins
diff options
context:
space:
mode:
authorDerek Sollenberger <djsollen@google.com>2011-01-25 13:02:16 -0500
committerDerek Sollenberger <djsollen@google.com>2011-01-25 13:30:41 -0500
commit7e336d32d9c3465ff9792faa8ccc8613b7849e4c (patch)
tree03ae5257fa7174f10377f4fbb733dc74f3d35a4f /WebKit/android/plugins
parent5cd48bb81a0acf1f841e9fd78cae14de7112e070 (diff)
downloadexternal_webkit-7e336d32d9c3465ff9792faa8ccc8613b7849e4c.zip
external_webkit-7e336d32d9c3465ff9792faa8ccc8613b7849e4c.tar.gz
external_webkit-7e336d32d9c3465ff9792faa8ccc8613b7849e4c.tar.bz2
Prevent timer from deleting itself twice.
If a plugin attempts to delete itself as a result of a timer firing, it currently crashes the browser. This CL defers the deletion of the timer until after the timer's fire method completes. bug: 3382772 Change-Id: I1b5f995f91c7a06767b2a3f68880d3e197a83124
Diffstat (limited to 'WebKit/android/plugins')
-rw-r--r--WebKit/android/plugins/PluginTimer.cpp16
-rw-r--r--WebKit/android/plugins/PluginTimer.h3
2 files changed, 14 insertions, 5 deletions
diff --git a/WebKit/android/plugins/PluginTimer.cpp b/WebKit/android/plugins/PluginTimer.cpp
index ae7cb84..23cac77 100644
--- a/WebKit/android/plugins/PluginTimer.cpp
+++ b/WebKit/android/plugins/PluginTimer.cpp
@@ -26,6 +26,7 @@
#include "config.h"
#include "PluginTimer.h"
+#include "RefPtr.h"
namespace WebCore {
@@ -63,11 +64,14 @@ namespace WebCore {
void PluginTimer::fired()
{
+ // ensure the timer cannot be deleted until this method completes
+ RefPtr<PluginTimer> protector(this);
+
if (!m_unscheduled)
m_timerFunc(m_instance, m_timerID);
if (!m_repeat || m_unscheduled)
- delete this;
+ deref(); // mark the timer for deletion as it is no longer needed
}
// may return null if timerID is not found
@@ -84,11 +88,15 @@ namespace WebCore {
}
///////////////////////////////////////////////////////////////////////////
-
+
PluginTimerList::~PluginTimerList()
{
- while (m_list) {
- delete m_list;
+ PluginTimer* curr = m_list;
+ PluginTimer* next;
+ while (curr) {
+ next = curr->next();
+ curr->deref();
+ curr = next;
}
}
diff --git a/WebKit/android/plugins/PluginTimer.h b/WebKit/android/plugins/PluginTimer.h
index dcb29bf..20c0816 100644
--- a/WebKit/android/plugins/PluginTimer.h
+++ b/WebKit/android/plugins/PluginTimer.h
@@ -27,6 +27,7 @@
#ifndef PluginTimer_H
#define PluginTimer_H
+#include "RefCounted.h"
#include "Timer.h"
#include "npapi.h"
@@ -34,7 +35,7 @@ namespace WebCore {
class PluginTimerList;
- class PluginTimer : public TimerBase {
+ class PluginTimer : public TimerBase, public RefCounted<PluginTimer> {
public:
PluginTimer(PluginTimer** list, NPP instance, bool repeat,
void (*proc)(NPP npp, uint32_t timerID));