diff options
author | Derek Sollenberger <djsollen@google.com> | 2011-01-25 13:02:16 -0500 |
---|---|---|
committer | Derek Sollenberger <djsollen@google.com> | 2011-01-25 13:30:41 -0500 |
commit | 7e336d32d9c3465ff9792faa8ccc8613b7849e4c (patch) | |
tree | 03ae5257fa7174f10377f4fbb733dc74f3d35a4f /WebKit/android/plugins | |
parent | 5cd48bb81a0acf1f841e9fd78cae14de7112e070 (diff) | |
download | external_webkit-7e336d32d9c3465ff9792faa8ccc8613b7849e4c.zip external_webkit-7e336d32d9c3465ff9792faa8ccc8613b7849e4c.tar.gz external_webkit-7e336d32d9c3465ff9792faa8ccc8613b7849e4c.tar.bz2 |
Prevent timer from deleting itself twice.
If a plugin attempts to delete itself as a result of a timer
firing, it currently crashes the browser. This CL defers the
deletion of the timer until after the timer's fire method completes.
bug: 3382772
Change-Id: I1b5f995f91c7a06767b2a3f68880d3e197a83124
Diffstat (limited to 'WebKit/android/plugins')
-rw-r--r-- | WebKit/android/plugins/PluginTimer.cpp | 16 | ||||
-rw-r--r-- | WebKit/android/plugins/PluginTimer.h | 3 |
2 files changed, 14 insertions, 5 deletions
diff --git a/WebKit/android/plugins/PluginTimer.cpp b/WebKit/android/plugins/PluginTimer.cpp index ae7cb84..23cac77 100644 --- a/WebKit/android/plugins/PluginTimer.cpp +++ b/WebKit/android/plugins/PluginTimer.cpp @@ -26,6 +26,7 @@ #include "config.h" #include "PluginTimer.h" +#include "RefPtr.h" namespace WebCore { @@ -63,11 +64,14 @@ namespace WebCore { void PluginTimer::fired() { + // ensure the timer cannot be deleted until this method completes + RefPtr<PluginTimer> protector(this); + if (!m_unscheduled) m_timerFunc(m_instance, m_timerID); if (!m_repeat || m_unscheduled) - delete this; + deref(); // mark the timer for deletion as it is no longer needed } // may return null if timerID is not found @@ -84,11 +88,15 @@ namespace WebCore { } /////////////////////////////////////////////////////////////////////////// - + PluginTimerList::~PluginTimerList() { - while (m_list) { - delete m_list; + PluginTimer* curr = m_list; + PluginTimer* next; + while (curr) { + next = curr->next(); + curr->deref(); + curr = next; } } diff --git a/WebKit/android/plugins/PluginTimer.h b/WebKit/android/plugins/PluginTimer.h index dcb29bf..20c0816 100644 --- a/WebKit/android/plugins/PluginTimer.h +++ b/WebKit/android/plugins/PluginTimer.h @@ -27,6 +27,7 @@ #ifndef PluginTimer_H #define PluginTimer_H +#include "RefCounted.h" #include "Timer.h" #include "npapi.h" @@ -34,7 +35,7 @@ namespace WebCore { class PluginTimerList; - class PluginTimer : public TimerBase { + class PluginTimer : public TimerBase, public RefCounted<PluginTimer> { public: PluginTimer(PluginTimer** list, NPP instance, bool repeat, void (*proc)(NPP npp, uint32_t timerID)); |