    Fix an ASAN crash when dragging a download file on windows · 713f129a
    Min Qin authored
    Here is how the crash can happen:
    1. DragObjectImpl::GetData() calls DragDownloadFile::Start()
       to start a download.
    2. GetData() then calls DragDownloadFile::Wait().
    3. DragDownloadFile::Wait() runs the nested_loop_.
    4. DragDownloadFile::DownloadCompleted() gets called, which
       calls DataObjectImpl::OnDownloadCompleted(). Inside that
       method, it creates a new StoredDataInfo object and deletes
       the downloader pointer, which is the DragDownloadFile
       instance.
    5. The DragDownloadFile dtor is invoked; it will destroy the
       nested_loop_ member variable. However, because RunLoop::Run()
       was called earlier and Wait() is still pending, deleting
       nested_loop_ will hit the DCHECK(!running_) in the RunLoop dtor
       and fail.
    
    The issue happens mainly due to step 4, as
    DragDownloadFile::DownloadCompleted() could delete itself.
    This CL fixes the issue by not deleting the StoredDataInfo object
    in step 4; instead, the DragDownloadFile instance is deleted after
    the newly constructed StoredDataInfo object in step 4 is destroyed.
    
    BUG=968303
    
    Change-Id: I57dbe275f76fd8e566185538a8f13def476ff9f5
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1904950
    Reviewed-by: Sadrul Chowdhury <sadrul@chromium.org>
    Commit-Queue: Min Qin <qinmin@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#715470}
drag_download_file.cc 9.04 KB
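The ordering described in the commit message, as an added C++ model that is not Chromium code: stand-in RunLoop, DragDownloadFile and DataObjectImpl classes, with Destroy() standing in for the destructors so the DCHECK(!running_) condition is recorded instead of aborting. The pending_delete slot is an assumed illustration of deferring teardown until the nested loop has exited, not the CL's actual change.

```cpp
#include <functional>
#include <memory>

// Stand-in for base::RunLoop. Destroy() models the destructor's
// DCHECK(!running_): instead of aborting, it records the violation.
struct RunLoop {
  bool running = false, quit = false, dcheck_failed = false;
  void Run(const std::function<void()>& deliver_event) {
    running = true;
    while (!quit) deliver_event();   // nested loop pumps the completion event
    running = false;
  }
  void Quit() { quit = true; }
  void Destroy() { if (running) dcheck_failed = true; }
};

struct DataObjectImpl;

// Stand-in for DragDownloadFile: owns the nested loop used by Wait().
struct DragDownloadFile {
  RunLoop nested_loop;
  DataObjectImpl* owner;
  bool destroyed = false;
  explicit DragDownloadFile(DataObjectImpl* o) : owner(o) {}
  void Wait() { nested_loop.Run([this] { DownloadCompleted(); }); }  // step 3
  void DownloadCompleted();                                          // step 4
  void Destroy() { destroyed = true; nested_loop.Destroy(); }        // step 5
};

// Stand-in for DataObjectImpl. pending_delete is an assumed illustration
// of deferred teardown, not the mechanism the CL actually uses.
struct DataObjectImpl {
  std::unique_ptr<DragDownloadFile> downloader{new DragDownloadFile(this)};
  DragDownloadFile* pending_delete = nullptr;
  bool delete_in_callback;           // true reproduces the pre-fix ordering
  explicit DataObjectImpl(bool buggy) : delete_in_callback(buggy) {}
  void OnDownloadCompleted() {
    if (delete_in_callback) downloader->Destroy();   // tears down a running loop
    else pending_delete = downloader.get();          // defer until Wait() returns
  }
  // Returns true when the downloader was torn down without hitting the DCHECK.
  bool GetData() {
    downloader->Wait();                              // steps 2-3
    if (pending_delete) { pending_delete->Destroy(); pending_delete = nullptr; }
    return downloader->destroyed && !downloader->nested_loop.dcheck_failed;
  }
};

void DragDownloadFile::DownloadCompleted() { owner->OnDownloadCompleted(); nested_loop.Quit(); }

bool ReproducesCrash() { DataObjectImpl d(true);  return !d.GetData(); }  // DCHECK hit
bool FixedOrdering()   { DataObjectImpl d(false); return d.GetData(); }   // clean teardown
```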