Google Git
Sign in
android / platform / external / chromium_org / third_party / WebKit / kitkat-mr2.1-release^! / .
commit3fb1c1e2db3001008a6d8ccbe2f9345ec50363d2[log] [tgz]
authorMikhail Naganov <mnaganov@google.com>Thu Jun 12 23:42:36 2014 +0100
committerBill Yi <byi@google.com>Tue Jun 17 14:19:54 2014 -0700
tree8f301501750cb7bc78bce6c43e7f69be53734d9a
parentb13a6de9d8430c219a8eb6d9b59abf7b486a94a8 [diff]
Fix Java Bridge wrapper properties cleanup for multi-frame pages

Java Bridge implementation was supposing to use a single JavaScript interface
object across different contexts (e.g. iframes).  But in fact, it is preferred
to have a JS interface wrapper per context, otherwise ads, for example, could
see the properties set on the wrapper by the main page.  The patch called
"Recycle old V8 wrapper objects on navigations" has already started fixing
this, but when cleaning up a wrapper for one frame it was invalidating a
backwards connection to NPObject from a wrapper living in another frame.

Bug: 15572824
Change-Id: Ia33845b45b50ff5bfcb88887c6a3f4f7c6c8703e

diff --git a/Source/bindings/v8/V8NPObject.cpp b/Source/bindings/v8/V8NPObject.cpp
index 2912723..6d378e2 100644
--- a/Source/bindings/v8/V8NPObject.cpp
+++ b/Source/bindings/v8/V8NPObject.cpp

@@ -475,4 +475,17 @@
     }
 }
 
+// This is the same as 'forgetV8ObjectForNPObject', except that it
+// doesn't clear a back reference to the NPObject from the wrapper.
+void dropV8WrapperForNPObject(NPObject* object)
+{
+    v8::Isolate* isolate = v8::Isolate::GetCurrent();
+    v8::HandleScope scope(isolate);
+    v8::Handle<v8::Object> wrapper = staticNPObjectMap().newLocal(object, isolate);
+    if (!wrapper.IsEmpty()) {
+        staticNPObjectMap().removeAndDispose(object);
+        _NPN_ReleaseObject(object);
+    }
+}
+
 } // namespace WebCore

diff --git a/Source/bindings/v8/V8NPObject.h b/Source/bindings/v8/V8NPObject.h
index 4465b03..c5bf9c5 100644
--- a/Source/bindings/v8/V8NPObject.h
+++ b/Source/bindings/v8/V8NPObject.h

@@ -62,6 +62,10 @@
 // cannot be referred to.
 void forgetV8ObjectForNPObject(NPObject*);
 
+// De-associate an NPObject with the current JS wrapper, but preserve the backward connection from the wrapper to NPObject.
+// This allows to have a single NPObject to be called from several wrappers, so each context can have its own wrapper.
+void dropV8WrapperForNPObject(NPObject*);
+
 } // namespace WebCore
 
 #endif // V8NPObject_h

diff --git a/Source/web/WebBindings.cpp b/Source/web/WebBindings.cpp
index 78ed340..1a29bc1 100644
--- a/Source/web/WebBindings.cpp
+++ b/Source/web/WebBindings.cpp

@@ -185,7 +185,7 @@
 
 void WebBindings::dropV8WrapperForObject(NPObject* object)
 {
-    WebCore::forgetV8ObjectForNPObject(object);
+    WebCore::dropV8WrapperForNPObject(object);
 }
 
 NPUTF8* WebBindings::utf8FromIdentifier(NPIdentifier identifier)