• Remove null checks and early outs for closing in RenderWidget. · 30cd72d1
    danakj authored
    RenderWidget used to start closing and then post a task to self-delete.
    But now it deletes synchronously inside Close(). So when closing_
    becomes true, the RenderWidget will be deleted in the same stack. Thus
    we do not need to guard against closing_ since blink will not be using
    the RenderWidget afterward - it would be a UAF.
    
    The LayerTreeViewDelegate methods used to check for a null WebWidget
    which would be the case once closing_ became true, before RenderWidget
    was destroyed. Now the RenderWidget disconnects itself from the
    LayerTreeView and deletes immediately, so these methods are never
    called with a null WebWidget unless they were used while the
    RenderWidget is undead. But the compositor does not run while the
    RenderWidget is undead, and the LayerTreeViewDelegate will not be used
    unless the compositor posted the task and then runs it after the
    RenderWidget becomes undead. The methods in this CL are all part of the
    BeginMainFrame step which only runs when the compositor is visible and
    the RenderWidget is not undead.
    
    R=avi@chromium.org
    
    Bug: 419087
    Change-Id: If0158f2ffeaf0c5d334a80aed3cdb9e686002fb6
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1854878
    Reviewed-by: Avi Drissman <avi@chromium.org>
    Commit-Queue: danakj <danakj@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#705178}
render_widget.cc 151 KB