• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef PPAPI_PROXY_PLUGIN_VAR_TRACKER_H_
6 #define PPAPI_PROXY_PLUGIN_VAR_TRACKER_H_
7 
8 #include <map>
9 #include <string>
10 
11 #include "base/basictypes.h"
12 #include "base/compiler_specific.h"
13 #include "base/memory/ref_counted.h"
14 #include "base/memory/shared_memory.h"
15 #include "ppapi/c/pp_stdint.h"
16 #include "ppapi/c/pp_var.h"
17 #include "ppapi/proxy/ppapi_proxy_export.h"
18 #include "ppapi/shared_impl/var_tracker.h"
19 
20 template<typename T> struct DefaultSingletonTraits;
21 struct PPP_Class_Deprecated;
22 
23 namespace ppapi {
24 
25 class ProxyObjectVar;
26 
27 namespace proxy {
28 
29 class PluginDispatcher;
30 
31 // Tracks live strings and objects in the plugin process.
32 class PPAPI_PROXY_EXPORT PluginVarTracker : public VarTracker {
33  public:
34   PluginVarTracker();
35   ~PluginVarTracker();
36 
37   // Manages tracking for receiving a VARTYPE_OBJECT from the remote side
38   // (either the plugin or the renderer) that has already had its reference
39   // count incremented on behalf of the caller.
40   PP_Var ReceiveObjectPassRef(const PP_Var& var, PluginDispatcher* dispatcher);
41 
42   // See the comment in var_tracker.h for more about what a tracked object is.
43   // This adds and releases the "track_with_no_reference_count" for a given
44   // object.
45   PP_Var TrackObjectWithNoReference(const PP_Var& host_var,
46                                     PluginDispatcher* dispatcher);
47   void StopTrackingObjectWithNoReference(const PP_Var& plugin_var);
48 
49   // Returns the host var for the corresponding plugin object var. The object
50   // should be a VARTYPE_OBJECT. The reference count is not affeceted.
51   PP_Var GetHostObject(const PP_Var& plugin_object) const;
52 
53   PluginDispatcher* DispatcherForPluginObject(
54       const PP_Var& plugin_object) const;
55 
56   // Like Release() but the var is identified by its host object ID (as
57   // returned by GetHostObject).
58   void ReleaseHostObject(PluginDispatcher* dispatcher,
59                          const PP_Var& host_object);
60 
61   // VarTracker public overrides.
62   virtual PP_Var MakeResourcePPVarFromMessage(
63       PP_Instance instance,
64       const IPC::Message& creation_message,
65       int pending_renderer_id,
66       int pending_browser_id) OVERRIDE;
67   virtual ResourceVar* MakeResourceVar(PP_Resource pp_resource) OVERRIDE;
68   virtual void DidDeleteInstance(PP_Instance instance) OVERRIDE;
69   virtual int TrackSharedMemoryHandle(PP_Instance instance,
70                                       base::SharedMemoryHandle file,
71                                       uint32 size_in_bytes) OVERRIDE;
72   virtual bool StopTrackingSharedMemoryHandle(int id,
73                                               PP_Instance instance,
74                                               base::SharedMemoryHandle* handle,
75                                               uint32* size_in_bytes) OVERRIDE;
76 
77   // Notification that a plugin-implemented object (PPP_Class) was created by
78   // the plugin or deallocated by WebKit over IPC.
79   void PluginImplementedObjectCreated(PP_Instance instance,
80                                       const PP_Var& created_var,
81                                       const PPP_Class_Deprecated* ppp_class,
82                                       void* ppp_class_data);
83   void PluginImplementedObjectDestroyed(void* ppp_class_data);
84 
85   // Returns true if there is an object implemented by the plugin with the
86   // given user_data that has not been deallocated yet. Call this when
87   // receiving a scripting call to the plugin to validate that the object
88   // receiving the call is still alive (see user_data_to_plugin_ below).
89   bool IsPluginImplementedObjectAlive(void* user_data);
90 
91   // Validates that the given class/user_data pair corresponds to a currently
92   // living plugin object.
93   bool ValidatePluginObjectCall(const PPP_Class_Deprecated* ppp_class,
94                                 void* user_data);
95 
96   void DidDeleteDispatcher(PluginDispatcher* dispatcher);
97 
98  private:
99   // VarTracker protected overrides.
100   virtual int32 AddVarInternal(Var* var, AddVarRefMode mode) OVERRIDE;
101   virtual void TrackedObjectGettingOneRef(VarMap::const_iterator iter) OVERRIDE;
102   virtual void ObjectGettingZeroRef(VarMap::iterator iter) OVERRIDE;
103   virtual bool DeleteObjectInfoIfNecessary(VarMap::iterator iter) OVERRIDE;
104   virtual ArrayBufferVar* CreateArrayBuffer(uint32 size_in_bytes) OVERRIDE;
105   virtual ArrayBufferVar* CreateShmArrayBuffer(
106       uint32 size_in_bytes,
107       base::SharedMemoryHandle handle) OVERRIDE;
108 
109  private:
110   friend struct DefaultSingletonTraits<PluginVarTracker>;
111   friend class PluginProxyTestHarness;
112 
113   // Represents a var as received from the host.
114   struct HostVar {
115     HostVar(PluginDispatcher* d, int32 i);
116 
117     bool operator<(const HostVar& other) const;
118 
119     // The dispatcher that sent us this object. This is used so we know how to
120     // send back requests on this object.
121     PluginDispatcher* dispatcher;
122 
123     // The object ID that the host generated to identify the object. This is
124     // unique only within that host: different hosts could give us different
125     // objects with the same ID.
126     int32 host_object_id;
127   };
128 
129   struct PluginImplementedVar {
130     const PPP_Class_Deprecated* ppp_class;
131 
132     // The instance that created this Var. This will be 0 if the instance has
133     // been destroyed but the object is still alive.
134     PP_Instance instance;
135 
136     // Represents the plugin var ID for the var corresponding to this object.
137     // If the plugin does not have a ref to the object but it's still alive
138     // (the DOM could be holding a ref keeping it alive) this will be 0.
139     //
140     // There is an obscure corner case. If the plugin returns an object to the
141     // renderer and releases all of its refs, the object will still be alive
142     // but there will be no plugin refs. It's possible for the plugin to get
143     // this same object again through the DOM, and we'll lose the correlation
144     // between plugin implemented object and car. This means we won't know when
145     // the plugin releases its last refs and may call Deallocate when the
146     // plugin is still holding a ref.
147     //
148     // However, for the plugin to be depending on holding a ref to an object
149     // that it implements that it previously released but got again through
150     // indirect means would be extremely rare, and we only allow var scripting
151     // in limited cases anyway.
152     int32 plugin_object_id;
153   };
154 
155   // Returns the existing var ID for the given object var, creating and
156   // assigning an ID to it if necessary. This does not affect the reference
157   // count, so in the creation case the refcount will be 0. It's assumed in
158   // this case the caller will either adjust the refcount or the
159   // track_with_no_reference_count.
160   PP_Var GetOrCreateObjectVarID(ProxyObjectVar* object);
161 
162   // Sends an addref or release message to the browser for the given object ID.
163   void SendAddRefObjectMsg(const ProxyObjectVar& proxy_object);
164   void SendReleaseObjectMsg(const ProxyObjectVar& proxy_object);
165 
166   // Looks up the given host var. If we already know about it, returns a
167   // reference to the already-tracked object. If it doesn't creates a new one
168   // and returns it. If it's created, it's not added to the map.
169   scoped_refptr<ProxyObjectVar> FindOrMakePluginVarFromHostVar(
170       const PP_Var& var,
171       PluginDispatcher* dispatcher);
172 
173   // Maps host vars in the host to IDs in the plugin process.
174   typedef std::map<HostVar, int32> HostVarToPluginVarMap;
175   HostVarToPluginVarMap host_var_to_plugin_var_;
176 
177   // Maps "user data" for plugin implemented objects (PPP_Class) that are
178   // alive to various tracking info.
179   //
180   // This is tricky because there may not actually be any vars in the plugin
181   // associated with a plugin-implemented object, so they won't all have
182   // entries in our HostVarToPluginVarMap or the base class VarTracker's map.
183   //
184   // All objects that the plugin has created using CreateObject that have not
185   // yet been Deallocate()-ed by WebKit will be in this map. When the instance
186   // that created the object goes away, we know to call Deallocate on all
187   // remaining objects for that instance so that the data backing the object
188   // that the plugin owns is not leaked. We may not receive normal Deallocate
189   // calls from WebKit because the object could be leaked (attached to the DOM
190   // and outliving the plugin instance) or WebKit could send the deallocate
191   // after the out-of-process routing for that instance was torn down.
192   //
193   // There is an additional complexity. In WebKit, objects created by the
194   // plugin aren't actually bound to the plugin instance (for example, you
195   // could attach it to the DOM or send it to another plugin instance). It's
196   // possible that we could force deallocate an object when an instance id
197   // destroyed, but then another instance could get to that object somehow
198   // (like by reading it out of the DOM). We will then have deallocated the
199   // object and can't complete the call. We do not care about this case, and
200   // the calls will just fail.
201   typedef std::map<void*, PluginImplementedVar>
202       UserDataToPluginImplementedVarMap;
203   UserDataToPluginImplementedVarMap user_data_to_plugin_;
204 
205   DISALLOW_COPY_AND_ASSIGN(PluginVarTracker);
206 };
207 
208 }  // namespace proxy
209 }  // namespace ppapi
210 
211 #endif  // PPAPI_PROXY_PLUGIN_VAR_TRACKER_H_
212