Changeset 54783 in webkit

Timestamp:

Feb 15, 2010, 11:16:21 AM (15 years ago)

Author:

ap@apple.com

Message:

Reviewed by Kevin Decker.

<rdar://problem/7130641> Browser objects identity is not preserved by Safari

Test: plugins/netscape-browser-object-identity.html

• bridge/runtime_root.h: (JSC::Bindings::RootObject::addInvalidationCallback): RootObject can now call out during invalidation, making it possible for other code to know when this happens.

• bridge/runtime_root.cpp: (JSC::Bindings::RootObject::InvalidationCallback::~InvalidationCallback): Empty destructor, in cpp file since it's virtual. (JSC::Bindings::RootObject::invalidate): Invoke invalidation callbacks.

• bridge/NP_jsobject.cpp: (ObjectMap): Keep a JSObject->NPObject map for each RootObject. It somewhat cleaner to keep it outside RootObject, because (1) it is agnostic of what kinds of objects can wrap JSObject, and (2) out of process NPAPI implementation also keeps its corresponding map separately, due to supporting per-instance granularity (as opposed to per-RootObject here). (jsDeallocate): Remove the corresponding map entry. (_NPN_CreateScriptObject): Try to fetch existing object from the map, incrementing refcount.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/plugins/netscape-browser-object-identity-expected.txt (added)
• LayoutTests/plugins/netscape-browser-object-identity.html (added)
• LayoutTests/plugins/script-tests/netscape-browser-object-identity.js (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bridge/NP_jsobject.cpp (modified) (3 diffs)
• WebCore/bridge/runtime_root.cpp (modified) (2 diffs)
• WebCore/bridge/runtime_root.h (modified) (2 diffs)
• WebKit/mac/ChangeLog (modified) (1 diff)
• WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.mm (modified) (1 diff)
• WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.h (modified) (4 diffs)
• WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm (modified) (24 diffs)
• WebKit/mac/Plugins/Hosted/ProxyInstance.mm (modified) (2 diffs)
• WebKit/mac/Plugins/Hosted/WebKitPluginClient.defs (modified) (1 diff)
• WebKitTools/ChangeLog (modified) (1 diff)
• WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-02-12  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Kevin Decker.
+
+        <rdar://problem/7130641> Browser objects identity is not preserved by Safari
+
+        * plugins/netscape-browser-object-identity-expected.txt: Added.
+        * plugins/netscape-browser-object-identity.html: Added.
+        * plugins/script-tests/netscape-browser-object-identity.js: Added.
+
 2010-02-15  Pavel Feldman  <pfeldman@chromium.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-02-12  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Kevin Decker.
+
+        <rdar://problem/7130641> Browser objects identity is not preserved by Safari
+
+        Test: plugins/netscape-browser-object-identity.html
+
+        * bridge/runtime_root.h: (JSC::Bindings::RootObject::addInvalidationCallback):
+        RootObject can now call out during invalidation, making it possible for other code to know
+        when this happens.
+
+        * bridge/runtime_root.cpp:
+        (JSC::Bindings::RootObject::InvalidationCallback::~InvalidationCallback): Empty destructor,
+        in cpp file since it's virtual.
+        (JSC::Bindings::RootObject::invalidate): Invoke invalidation callbacks.
+
+        * bridge/NP_jsobject.cpp:
+        (ObjectMap): Keep a JSObject->NPObject map for each RootObject. It somewhat cleaner to
+        keep it outside RootObject, because (1) it is agnostic of what kinds of objects can wrap
+        JSObject, and (2) out of process NPAPI implementation also keeps its corresponding map
+        separately, due to supporting per-instance granularity (as opposed to per-RootObject here).
+        (jsDeallocate): Remove the corresponding map entry.
+        (_NPN_CreateScriptObject): Try to fetch existing object from the map, incrementing refcount.
+
 2010-02-15  Philippe Normand  <pnormand@igalia.com>
 

trunk/WebCore/bridge/NP_jsobject.cpp

@@ -52 +52 @@
 using namespace WebCore;
 
+class ObjectMap {
+public:
+    NPObject* get(RootObject* rootObject, JSObject* jsObject)
+    {
+        return m_map.get(rootObject).get(jsObject);
+    }
+
+    void add(RootObject* rootObject, JSObject* jsObject, NPObject* npObject)
+    {
+        HashMap<RootObject*, JSToNPObjectMap>::iterator iter = m_map.find(rootObject);
+        if (iter == m_map.end()) {
+            rootObject->addInvalidationCallback(&m_invalidationCallback);
+            iter = m_map.add(rootObject, JSToNPObjectMap()).first;
+        }
+
+        ASSERT(iter->second.find(jsObject) == iter->second.end());
+        iter->second.add(jsObject, npObject);
+    }
+
+    void remove(RootObject* rootObject)
+    {
+        HashMap<RootObject*, JSToNPObjectMap>::iterator iter = m_map.find(rootObject);
+        ASSERT(iter != m_map.end());
+        m_map.remove(iter);
+    }
+
+    void remove(RootObject* rootObject, JSObject* jsObject)
+    {
+        HashMap<RootObject*, JSToNPObjectMap>::iterator iter = m_map.find(rootObject);
+        ASSERT(iter != m_map.end());
+        ASSERT(iter->second.find(jsObject) != iter->second.end());
+
+        iter->second.remove(jsObject);
+    }
+
+private:
+    struct RootObjectInvalidationCallback : public RootObject::InvalidationCallback {
+        virtual void operator()(RootObject*);
+    };
+    RootObjectInvalidationCallback m_invalidationCallback;
+
+    // JSObjects are protected by RootObject.
+    typedef HashMap<JSObject*, NPObject*> JSToNPObjectMap;
+    HashMap<RootObject*, JSToNPObjectMap> m_map;
+};
+
+
+static ObjectMap& objectMap()
+{
+    DEFINE_STATIC_LOCAL(ObjectMap, map, ());
+    return map;
+}
+
+void ObjectMap::RootObjectInvalidationCallback::operator()(RootObject* rootObject)
+{
+    objectMap().remove(rootObject);
+}
+
 static void getListFromVariantArgs(ExecState* exec, const NPVariant* args, unsigned argCount, RootObject* rootObject, MarkedArgumentBuffer& aList)
 {
@@ -67 +125 @@
     JavaScriptObject* obj = reinterpret_cast<JavaScriptObject*>(npObj);
 
-    if (obj->rootObject && obj->rootObject->isValid())
+    if (obj->rootObject && obj->rootObject->isValid()) {
+        objectMap().remove(obj->rootObject, obj->imp);
         obj->rootObject->gcUnprotect(obj->imp);
+    }
 
     if (obj->rootObject)
@@ -84 +144 @@
 NPObject* _NPN_CreateScriptObject(NPP npp, JSObject* imp, PassRefPtr<RootObject> rootObject)
 {
+    if (NPObject* object = objectMap().get(rootObject.get(), imp))
+        return _NPN_RetainObject(object);
+
     JavaScriptObject* obj = reinterpret_cast<JavaScriptObject*>(_NPN_CreateObject(npp, NPScriptObjectClass));
 
     obj->rootObject = rootObject.releaseRef();
 
-    if (obj->rootObject)
+    if (obj->rootObject) {
         obj->rootObject->gcProtect(imp);
+        objectMap().add(obj->rootObject, imp, reinterpret_cast<NPObject*>(obj));
+    }
+
     obj->imp = imp;
 

trunk/WebCore/bridge/runtime_root.cpp

@@ -72 +72 @@
 }
 
+RootObject::InvalidationCallback::~InvalidationCallback()
+{
+}
+
 PassRefPtr<RootObject> RootObject::create(const void* nativeHandle, JSGlobalObject* globalObject)
 {
@@ -109 +113 @@
     m_nativeHandle = 0;
     m_globalObject = 0;
+
+    {
+        HashSet<InvalidationCallback*>::iterator end = m_invalidationCallbacks.end();
+        for (HashSet<InvalidationCallback*>::iterator iter = m_invalidationCallbacks.begin(); iter != end; ++iter)
+            (**iter)(this);
+
+        m_invalidationCallbacks.clear();
+    }
 
     ProtectCountSet::iterator end = m_protectCountSet.end();

trunk/WebCore/bridge/runtime_root.h

@@ -73 +73 @@
     void addRuntimeObject(RuntimeObjectImp*);
     void removeRuntimeObject(RuntimeObjectImp*);
+
+    struct InvalidationCallback {
+        virtual void operator()(RootObject*) = 0;
+        virtual ~InvalidationCallback();
+    };
+    void addInvalidationCallback(InvalidationCallback* callback) { m_invalidationCallbacks.add(callback); }
+
 private:
     RootObject(const void* nativeHandle, JSGlobalObject*);
@@ -80 +87 @@
     const void* m_nativeHandle;
     ProtectedPtr<JSGlobalObject> m_globalObject;
+
     ProtectCountSet m_protectCountSet;
+    HashSet<RuntimeObjectImp*> m_runtimeObjects;    
 
-    HashSet<RuntimeObjectImp*> m_runtimeObjects;    
+    HashSet<InvalidationCallback*> m_invalidationCallbacks;
 };
 

trunk/WebKit/mac/ChangeLog

@@ +1 @@
+2010-02-12  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Kevin Decker.
+
+        <rdar://problem/7130641> Browser objects identity is not preserved by Safari
+
+        Out of process part.
+
+        To avoid excessive IPC, plugin process doesn't send each NPObject release/retain call to
+        Safari. It only sends one when the last one is removed, and it can destroy the proxy
+        NPObject.
+
+        However, the browser may be sending the same object out to plug-in as a function call
+        argument at the same time - neither side can know what the other one is up to. The solution
+        is to make the "destroying object" call return a boolean result, making it possible for 
+        the browser to make plugin host keep the proxy with zero refcount for a little longer.
+
+        * Plugins/Hosted/NetscapePluginHostProxy.mm:
+        (WKPCForgetBrowserObject): This function (that used to be named ReleaseObject) is only
+        called when plug-in releases all of its references, so renamed it. Its boolean result
+        is returned as call success or failure.
+
+        * Plugins/Hosted/NetscapePluginInstanceProxy.h:
+        (WebKit::NetscapePluginInstanceProxy::LocalObjectMap): Made the numeric ID to JSObject map
+        two-way.
+
+        * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
+        (WebKit::NetscapePluginInstanceProxy::LocalObjectMap::idForObject): This method is tricky
+        in that it creates objects with refcount of 1, but doesn't increase refcount when returning
+        found objects. This extra count accounts for the "reference" kept by plugin process.
+        (WebKit::NetscapePluginInstanceProxy::LocalObjectMap::retain): Only retaining for the
+        duration of calls out to plug-in, which means that refcount is almost always equal to 1.
+        Note that we can't use "++" here, due to how std::pair works!
+        (WebKit::NetscapePluginInstanceProxy::LocalObjectMap::release): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::LocalObjectMap::clear): Clear all references when
+        stopping plug-in.
+        (WebKit::NetscapePluginInstanceProxy::LocalObjectMap::forget): Like release(), but only
+        functional when recount is 1 (meaning that the object is not being sent out to plug-in at
+        the moment).
+        (WebKit::NetscapePluginInstanceProxy::NetscapePluginInstanceProxy): Updated for other changes.
+        (WebKit::NetscapePluginInstanceProxy::cleanup): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::getWindowNPObject): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::getPluginElementNPObject): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::forgetBrowserObjectID): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::evaluate): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::invoke): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::invokeDefault): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::construct): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::getProperty): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::setProperty): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::removeProperty): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::hasProperty): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::hasMethod): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::enumerate): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::addValueToArray): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::demarshalValueFromArray): Ditto.
+        (WebKit::NetscapePluginInstanceProxy::retainLocalObject): Helper for calling retain when
+        making calls out to plug-in. No-op for objects that aren't wrapped to be sent (i.e. for
+        objects wrapping ProxyInstance wrappers for plug-in objects being sent bak).
+        (WebKit::NetscapePluginInstanceProxy::releaseLocalObject): Ditto.
+
+        * Plugins/Hosted/ProxyInstance.mm:
+        (WebKit::ProxyInstance::invoke): Retain/release arguments during call. 
+        (WebKit::ProxyInstance::setFieldValue): Ditto.
+
+        * Plugins/Hosted/WebKitPluginClient.defs: Renamed PCReleaseObject to PCForgetBrowserObject.
+
 2010-02-12  Darin Adler  <darin@apple.com>
 

trunk/WebKit/mac/Plugins/Hosted/NetscapePluginHostProxy.mm

@@ -547 +547 @@
 }
 
-kern_return_t WKPCReleaseObject(mach_port_t clientPort, uint32_t pluginID, uint32_t objectID)
-{
-    NetscapePluginHostProxy* hostProxy = pluginProxyMap().get(clientPort);
-    if (!hostProxy)
-        return KERN_FAILURE;
-    
-    NetscapePluginInstanceProxy* instanceProxy = hostProxy->pluginInstance(pluginID);
-    if (!instanceProxy)
-        return KERN_FAILURE;
-
-    instanceProxy->releaseObject(objectID);
-    return KERN_SUCCESS;
+kern_return_t WKPCForgetBrowserObject(mach_port_t clientPort, uint32_t pluginID, uint32_t objectID)
+{
+    NetscapePluginHostProxy* hostProxy = pluginProxyMap().get(clientPort);
+    if (!hostProxy)
+        return KERN_FAILURE;
+    
+    NetscapePluginInstanceProxy* instanceProxy = hostProxy->pluginInstance(pluginID);
+    if (!instanceProxy)
+        return KERN_FAILURE;
+
+    return instanceProxy->forgetBrowserObjectID(objectID) ? KERN_SUCCESS : KERN_FAILURE;
 }
 

trunk/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.h

@@ -112 +112 @@
     bool getWindowNPObject(uint32_t& objectID);
     bool getPluginElementNPObject(uint32_t& objectID);
-    void releaseObject(uint32_t objectID);
-    
+    bool forgetBrowserObjectID(uint32_t objectID); // Will fail if the ID is being sent to plug-in right now (i.e., retain/release calls aren't balanced).
+
     bool evaluate(uint32_t objectID, const WebCore::String& script, data_t& resultData, mach_msg_type_number_t& resultLength, bool allowPopups);
     bool invoke(uint32_t objectID, const JSC::Identifier& methodName, data_t argumentsData, mach_msg_type_number_t argumentsLength, data_t& resultData, mach_msg_type_number_t& resultLength);
@@ -144 +144 @@
     PassRefPtr<JSC::Bindings::Instance> createBindingsInstance(PassRefPtr<JSC::Bindings::RootObject>);
     RetainPtr<NSData *> marshalValues(JSC::ExecState*, const JSC::ArgList& args);
-    void marshalValue(JSC::ExecState*, JSC::JSValue value, data_t& resultData, mach_msg_type_number_t& resultLength);
+    void marshalValue(JSC::ExecState*, JSC::JSValue, data_t& resultData, mach_msg_type_number_t& resultLength);
     JSC::JSValue demarshalValue(JSC::ExecState*, const char* valueData, mach_msg_type_number_t valueLength);
+
+    // No-op if the value does not contain a local object.
+    void retainLocalObject(JSC::JSValue);
+    void releaseLocalObject(JSC::JSValue);
 
     void addInstance(ProxyInstance*);
@@ -301 +305 @@
     
     // NPRuntime
-    uint32_t idForObject(JSC::JSObject*);
-    
+
     void addValueToArray(NSMutableArray *, JSC::ExecState* exec, JSC::JSValue value);
     
@@ -308 +311 @@
     void demarshalValues(JSC::ExecState*, data_t valuesData, mach_msg_type_number_t valuesLength, JSC::MarkedArgumentBuffer& result);
 
-    uint32_t m_objectIDCounter;
-    typedef HashMap<uint32_t, JSC::ProtectedPtr<JSC::JSObject> > ObjectMap;
-    ObjectMap m_objects;
-    
+    class LocalObjectMap {
+    public:
+        LocalObjectMap();
+        uint32_t idForObject(JSC::JSObject*);
+        void retain(JSC::JSObject*);
+        void release(JSC::JSObject*);
+        void clear();
+        bool forget(uint32_t);
+        bool contains(uint32_t objectID) const { return m_idToJSObjectMap.contains(objectID); }
+        JSC::JSObject* get(uint32_t objectID) const { return m_idToJSObjectMap.get(objectID); }
+
+    private:
+        HashMap<uint32_t, JSC::ProtectedPtr<JSC::JSObject> > m_idToJSObjectMap;
+        // The pair consists of object ID and a reference count. One reference belongs to remote plug-in,
+        // and the proxy will add transient references for arguments that are being sent out.
+        HashMap<JSC::JSObject*, pair<uint32_t, uint32_t> > m_jsObjectToIDMap;
+        uint32_t m_objectIDCounter;
+    };
+
+    LocalObjectMap m_localObjects;
+
     typedef HashSet<ProxyInstance*> ProxyInstanceSet;
     ProxyInstanceSet m_instances;

trunk/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm

@@ -101 +101 @@
 };
 
+NetscapePluginInstanceProxy::LocalObjectMap::LocalObjectMap()
+    : m_objectIDCounter(0)
+{
+}
+
+uint32_t NetscapePluginInstanceProxy::LocalObjectMap::idForObject(JSObject* object)
+{
+    // This method creates objects with refcount of 1, but doesn't increase refcount when returning
+    // found objects. This extra count accounts for the main "reference" kept by plugin process.
+
+    // To avoid excessive IPC, plugin process doesn't send each NPObject release/retain call to
+    // Safari. It only sends one when the last reference is removed, and it can destroy the proxy
+    // NPObject.
+
+    // However, the browser may be sending the same object out to plug-in as a function call
+    // argument at the same time - neither side can know what the other one is doing. So,
+    // is to make PCForgetBrowserObject call return a boolean result, making it possible for 
+    // the browser to make plugin host keep the proxy with zero refcount for a little longer.
+
+    uint32_t objectID = 0;
+    
+    HashMap<JSC::JSObject*, pair<uint32_t, uint32_t> >::iterator iter = m_jsObjectToIDMap.find(object);
+    if (iter != m_jsObjectToIDMap.end())
+        return iter->second.first;
+    
+    do {
+        objectID = ++m_objectIDCounter;
+    } while (!m_objectIDCounter || m_objectIDCounter == static_cast<uint32_t>(-1) || m_idToJSObjectMap.contains(objectID));
+
+    m_idToJSObjectMap.set(objectID, object);
+    m_jsObjectToIDMap.set(object, make_pair<uint32_t, uint32_t>(objectID, 1));
+
+    return objectID;
+}
+
+void NetscapePluginInstanceProxy::LocalObjectMap::retain(JSC::JSObject* object)
+{
+    HashMap<JSC::JSObject*, pair<uint32_t, uint32_t> >::iterator iter = m_jsObjectToIDMap.find(object);
+    ASSERT(iter != m_jsObjectToIDMap.end());
+
+    iter->second.second = iter->second.second + 1;
+}
+
+void NetscapePluginInstanceProxy::LocalObjectMap::release(JSC::JSObject* object)
+{
+    HashMap<JSC::JSObject*, pair<uint32_t, uint32_t> >::iterator iter = m_jsObjectToIDMap.find(object);
+    ASSERT(iter != m_jsObjectToIDMap.end());
+
+    ASSERT(iter->second.second > 0);
+    iter->second.second = iter->second.second - 1;
+    if (!iter->second.second) {
+        m_idToJSObjectMap.remove(iter->second.first);
+        m_jsObjectToIDMap.remove(iter);
+    }
+}
+
+void NetscapePluginInstanceProxy::LocalObjectMap::clear()
+{
+    m_idToJSObjectMap.clear();
+    m_jsObjectToIDMap.clear();
+}
+
+bool NetscapePluginInstanceProxy::LocalObjectMap::forget(uint32_t objectID)
+{
+    HashMap<uint32_t, JSC::ProtectedPtr<JSC::JSObject> >::iterator iter = m_idToJSObjectMap.find(objectID);
+    ASSERT(iter != m_idToJSObjectMap.end());
+
+    HashMap<JSC::JSObject*, pair<uint32_t, uint32_t> >::iterator rIter = m_jsObjectToIDMap.find(iter->second.get());
+
+    // If the object is being sent to plug-in right now, then it's not the time to forget.
+    if (rIter->second.second != 1)
+        return false;
+
+    m_jsObjectToIDMap.remove(rIter);
+    m_idToJSObjectMap.remove(iter);
+    return true;
+}
+
 static uint32_t pluginIDCounter;
 
@@ -115 +193 @@
     , m_useSoftwareRenderer(false)
     , m_waitingForReply(false)
-    , m_objectIDCounter(0)
     , m_urlCheckCounter(0)
     , m_pluginFunctionCallDepth(0)
@@ -186 +263 @@
     // Clear the object map, this will cause any outstanding JS objects that the plug-in had a reference to 
     // to go away when the next garbage collection takes place.
-    m_objects.clear();
+    m_localObjects.clear();
     
     if (Frame* frame = core([m_pluginView webFrame]))
@@ -684 +761 @@
 }
     
-uint32_t NetscapePluginInstanceProxy::idForObject(JSObject* object)
-{
-    uint32_t objectID = 0;
-    
-    // Assign an object ID.
-    do {
-        objectID = ++m_objectIDCounter;
-    } while (!m_objectIDCounter || m_objectIDCounter == static_cast<uint32_t>(-1) || m_objects.contains(objectID));
-    
-    m_objects.set(objectID, object);
-    
-    return objectID;
-}
-
 // NPRuntime support
 bool NetscapePluginInstanceProxy::getWindowNPObject(uint32_t& objectID)
@@ -708 +771 @@
         objectID = 0;
     else
-        objectID = idForObject(frame->script()->windowShell(pluginWorld())->window());
+        objectID = m_localObjects.idForObject(frame->script()->windowShell(pluginWorld())->window());
         
     return true;
@@ -720 +783 @@
     
     if (JSObject* object = frame->script()->jsObjectForPluginElement([m_pluginView element]))
-        objectID = idForObject(object);
+        objectID = m_localObjects.idForObject(object);
     else
         objectID = 0;
@@ -727 +790 @@
 }
 
-void NetscapePluginInstanceProxy::releaseObject(uint32_t objectID)
-{
-    m_objects.remove(objectID);
+bool NetscapePluginInstanceProxy::forgetBrowserObjectID(uint32_t objectID)
+{
+    return m_localObjects.forget(objectID);
 }
  
@@ -737 +800 @@
     resultLength = 0;
 
-    if (!m_objects.contains(objectID))
+    if (!m_localObjects.contains(objectID))
         return false;
 
@@ -779 +842 @@
         return false;
     
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -813 +876 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -846 +909 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -880 +943 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -899 +962 @@
 bool NetscapePluginInstanceProxy::getProperty(uint32_t objectID, unsigned propertyName, data_t& resultData, mach_msg_type_number_t& resultLength)
 {
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -921 +984 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -945 +1008 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -968 +1031 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -993 +1056 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -1018 +1081 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -1038 +1101 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -1058 +1121 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -1078 +1141 @@
         return false;
 
-    JSObject* object = m_objects.get(objectID);
+    JSObject* object = m_localObjects.get(objectID);
     if (!object)
         return false;
@@ -1137 +1200 @@
         } else {
             [array addObject:[NSNumber numberWithInt:JSObjectValueType]];
-            [array addObject:[NSNumber numberWithInt:idForObject(object)]];
+            [array addObject:[NSNumber numberWithInt:m_localObjects.idForObject(object)]];
         }
     } else
@@ -1199 +1262 @@
             uint32_t objectID = [[array objectAtIndex:index++] intValue];
             
-            result = m_objects.get(objectID);
+            result = m_localObjects.get(objectID);
             ASSERT(result);
             return true;
@@ -1254 +1317 @@
     while (demarshalValueFromArray(exec, array.get(), position, value))
         result.append(value);
+}
+
+void NetscapePluginInstanceProxy::retainLocalObject(JSC::JSValue value)
+{
+    if (!value.isObject())
+        return;
+
+    JSObject* object = asObject(value);
+    if (object->classInfo() == &RuntimeObjectImp::s_info)
+        return;
+
+    m_localObjects.retain(object);
+}
+
+void NetscapePluginInstanceProxy::releaseLocalObject(JSC::JSValue value)
+{
+    if (!value.isObject())
+        return;
+
+    JSObject* object = asObject(value);
+    if (object->classInfo() == &RuntimeObjectImp::s_info)
+        return;
+
+    m_localObjects.release(object);
 }
 

trunk/WebKit/mac/Plugins/Hosted/ProxyInstance.mm

@@ -138 +138 @@
     if (!m_instanceProxy)
         return jsUndefined();
-    
+
     RetainPtr<NSData*> arguments(m_instanceProxy->marshalValues(exec, args));
 
     uint32_t requestID = m_instanceProxy->nextRequestID();
 
+    for (unsigned i = 0; i < args.size(); i++)
+        m_instanceProxy->retainLocalObject(args.at(i));
+
     if (_WKPHNPObjectInvoke(m_instanceProxy->hostProxy()->port(), m_instanceProxy->pluginID(), requestID, m_objectID,
-                            type, identifier, (char*)[arguments.get() bytes], [arguments.get() length]) != KERN_SUCCESS)
-        return jsUndefined();
+                            type, identifier, (char*)[arguments.get() bytes], [arguments.get() length]) != KERN_SUCCESS) {
+        for (unsigned i = 0; i < args.size(); i++)
+            m_instanceProxy->releaseLocalObject(args.at(i));
+        return jsUndefined();
+    }
     
     auto_ptr<NetscapePluginInstanceProxy::BooleanAndDataReply> reply = waitForReply<NetscapePluginInstanceProxy::BooleanAndDataReply>(requestID);
     NetscapePluginInstanceProxy::moveGlobalExceptionToExecState(exec);
+
+    for (unsigned i = 0; i < args.size(); i++)
+        m_instanceProxy->releaseLocalObject(args.at(i));
+
     if (!reply.get() || !reply->m_returnValue)
         return jsUndefined();
@@ -382 +392 @@
 
     m_instanceProxy->marshalValue(exec, value, valueData, valueLength);
+    m_instanceProxy->retainLocalObject(value);
     kern_return_t kr = _WKPHNPObjectSetProperty(m_instanceProxy->hostProxy()->port(),
                                                 m_instanceProxy->pluginID(), requestID,
                                                 m_objectID, serverIdentifier, valueData, valueLength);
     mig_deallocate(reinterpret_cast<vm_address_t>(valueData), valueLength);
+    m_instanceProxy->releaseLocalObject(value);
     if (kr != KERN_SUCCESS)
         return;

trunk/WebKit/mac/Plugins/Hosted/WebKitPluginClient.defs

@@ -113 +113 @@
                                  out objectID :uint32_t);
                       
-routine PCReleaseObject(clientPort :mach_port_t;
+routine PCForgetBrowserObject(clientPort :mach_port_t;
                       pluginID :uint32_t;
                       objectID :uint32_t);

trunk/WebKitTools/ChangeLog

@@ +1 @@
+2010-02-12  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Kevin Decker.
+
+        <rdar://problem/7130641> Browser objects identity is not preserved by Safari
+
+        * DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp:
+        (pluginInvoke): Added methods for checking object identity (via refcount).
+
 2010-02-15  Robert Hogan  <robert@roberthogan.net>
 

trunk/WebKitTools/DumpRenderTree/TestNetscapePlugIn.subproj/PluginObject.cpp

@@ -177 +177 @@
     ID_TEST_GET_BROWSER_PROPERTY,
     ID_TEST_SET_BROWSER_PROPERTY,
+    ID_REMEMBER,
+    ID_GET_REMEMBERED_OBJECT,
+    ID_GET_AND_FORGET_REMEMBERED_OBJECT,
+    ID_REF_COUNT,
     NUM_METHOD_IDENTIFIERS
 };
@@ -206 +210 @@
     "reloadPluginsAndPages",
     "testGetBrowserProperty",
-    "testSetBrowserProperty"
+    "testSetBrowserProperty",
+    "remember",
+    "getRememberedObject",
+    "getAndForgetRememberedObject",
+    "refCount"
 };
 
@@ -747 +755 @@
     return false;
 }
+
+static NPObject* rememberedObject;
 
 static bool pluginInvoke(NPObject* header, NPIdentifier name, const NPVariant* args, uint32_t argCount, NPVariant* result)
@@ -808 +818 @@
         browser->setproperty(plugin->npp, NPVARIANT_TO_OBJECT(args[0]), stringVariantToIdentifier(args[1]), &args[2]);
         return true;
+    } else if (name == pluginMethodIdentifiers[ID_REMEMBER]) {
+        if (rememberedObject)
+            browser->releaseobject(rememberedObject);
+        rememberedObject = NPVARIANT_TO_OBJECT(args[0]);
+        browser->retainobject(rememberedObject);
+        VOID_TO_NPVARIANT(*result);
+        return true;
+    } else if (name == pluginMethodIdentifiers[ID_GET_REMEMBERED_OBJECT]) {
+        assert(rememberedObject);
+        browser->retainobject(rememberedObject);
+        OBJECT_TO_NPVARIANT(rememberedObject, *result);
+        return true;
+    } else if (name == pluginMethodIdentifiers[ID_GET_AND_FORGET_REMEMBERED_OBJECT]) {
+        assert(rememberedObject);
+        OBJECT_TO_NPVARIANT(rememberedObject, *result);
+        rememberedObject = 0;
+        return true;
+    } else if (name == pluginMethodIdentifiers[ID_REF_COUNT]) {
+        uint32_t refCount = NPVARIANT_TO_OBJECT(args[0])->referenceCount;
+        INT32_TO_NPVARIANT(refCount, *result);
+        return true;
     }