Backport "Recycle old V8 wrapper objects on navigations"

Bug: 14582835

Original CL description:

    [Android Java Bridge] Recycle old V8 wrapper objects on navigations

    When browser navigates to another page, make sure we de-associate
    NPObjects of injected Java objects from their old V8 wrappers.

    Not doing this leads to potential leaks of JS objects from one
    context to another.

    BUG=372914
    R=jochen@chromium.org

    Review URL: https://codereview.chromium.org/286823002

    git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271002 0039d316-1c4b-4281-b951-d872f2087c98

Change-Id: I05aea77700238c54db47160e2e93faf331d040f6
diff --git a/content/renderer/java/java_bridge_dispatcher.cc b/content/renderer/java/java_bridge_dispatcher.cc
index f7e435c..de525b4 100644
--- a/content/renderer/java/java_bridge_dispatcher.cc
+++ b/content/renderer/java/java_bridge_dispatcher.cc
@@ -56,11 +56,15 @@
   // when the window object was cleared.
   for (ObjectMap::const_iterator iter = objects_.begin();
       iter != objects_.end(); ++iter) {
+    NPObject* object = NPVARIANT_TO_OBJECT(iter->second);
+    // De-associate from the existing V8 wrapper, so we don't pull any
+    // of the wrapper's custom properties into the context of the page we
+    // have navigated to.
+    blink::WebBindings::dropV8WrapperForObject(object);
     // This refs the NPObject. This reference is dropped when either the window
     // object is later cleared, or the object is GC'ed. So the object may be
     // deleted at any time after OnRemoveNamedObject() is called.
-    web_frame->bindToWindowObject(iter->first,
-        NPVARIANT_TO_OBJECT(iter->second));
+    web_frame->bindToWindowObject(iter->first, object);
   }
 }
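Review bot: the added `blink::WebBindings::dropV8WrapperForObject(object)` call at the top of the loop body operates on a pointer obtained from `NPVARIANT_TO_OBJECT(iter->second)` with no check that the variant actually holds an object. The old code made the same assumption, but the pointer is now used twice, so a `DCHECK(NPVARIANT_IS_OBJECT(iter->second))` before the assignment would make that assumption explicit. The new comment could also state that the drop has to come before `bindToWindowObject`, since that ordering is what keeps the old wrapper's custom properties out of the new page's context and a later reorder would silently bring the leak back. No test is visible in this diff. A regression test that sets a custom property on an injected object, navigates, and asserts the property is absent in the new context would guard the behaviour.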