From 72dc094b5140ab6a3cd9e4984d566b8c788f5e1f Mon Sep 17 00:00:00 2001
From: Grace Kloba
Date: Thu, 1 Apr 2010 00:18:59 -0700
Subject: If "widget" is already existed in the HashMap when createScriptInstanceForWidget(widget) is called, we need to release the reference of the matching npObject to avoid leak.

HTMLPlugInElement::getInstance() only calls createScriptInstanceForWidget(widget) once. But HTMLEmbedElement is using its closest ancestor who has objectTag to get the widget. So the same widget can exist in the HashMap if both and its child 's getInstance() are called.

Fix http://b/issue?id=2553266
---
 WebCore/bindings/v8/ScriptController.cpp | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'WebCore')

diff --git a/WebCore/bindings/v8/ScriptController.cpp b/WebCore/bindings/v8/ScriptController.cpp
index e2b886d..4e8ba5e 100644
--- a/WebCore/bindings/v8/ScriptController.cpp
+++ b/WebCore/bindings/v8/ScriptController.cpp
@@ -334,6 +334,19 @@ PassScriptInstance ScriptController::createScriptInstanceForWidget(Widget* widge
     v8::Local wrapper = createV8ObjectForNPObject(npObject, 0);
+#ifdef ANDROID_FIX
+    // TODO: this should be up streamed.
+    // HTMLEmbedElement::getInstance() will call this function with its closest
+    // ancestor who has the objectTag. So this "widget" may be already in the
+    // HashMap. If it does, even m_pluginObjects.set() is a no-op, we do need to
+    // call _NPN_ReleaseObject on the npObject to balance the reference count.
+    PluginObjectMap::iterator it = m_pluginObjects.find(widget);
+    if (it != m_pluginObjects.end()) {
+        ASSERT(it->second == npObject);
+        _NPN_ReleaseObject(it->second);
+    }
+#endif
+
     // Track the plugin object. We've been given a reference to the object.
     m_pluginObjects.set(widget, npObject);
-- 
cgit v1.1
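Review bot: In a release build the `ASSERT(it->second == npObject)` compiles away, so when the stored object differs from `npObject` the branch releases the previously stored object and `m_pluginObjects.set()` then overwrites that entry; that is the correct hand-over of the map's single reference in both cases, but the comment block above only explains the equal case, so I would extend it with `// If a different object is stored, releasing it here drops the map's reference before set() overwrites the entry.` so the next reader does not "fix" the release target to `npObject`. It is also worth stating in the comment that the refcount cannot reach zero here, because the caller's reference and the map's reference are both still held — that only holds if entries are removed from `m_pluginObjects` when their object is released elsewhere, which this hunk does not show. Since the leak is in shared code rather than platform code, the `#ifdef ANDROID_FIX` guard keeps the imbalance in every other build; the TODO acknowledges this, so the guard should be dropped once upstreamed. The body of createScriptInstanceForWidget starts and ends outside the hunk.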