• Check RenderWidgetHostObserver stop observing before deletion. · 9211311c
    arthursonzogni authored
    Apply CheckedObserverAdapter::IsMarkedForRemoval() advice:
    ```
    If |weak_ptr_| was invalidated then this attempt to iterate over the
    pointer is a UAF. Tip: If it's unclear where the `delete` occurred, try
    adding CHECK(!IsInObserverList()) to the ~CheckedObserver() (destructor)
    override. However, note that this is not always a bug: a destroyed
    observer can exist in an ObserverList so long as nothing iterates over
    the ObserverList before the list itself is destroyed.
    ```
    
    I have absolutely no clue what is causing bug 1153966. All the
    observations are wrapped inside base::Scoped{Observation, Observer}, so
    this shouldn't happen in theory. However, there is proof it happens in
    practice:
    https://crash.corp.google.com/browse?q=ReportID%3D%27e5305cdcd95db0cb
    
    Bug:1153966
    
    Change-Id: I067ccdd4d0b34737ba54b31a6fb5b6b1a9d2e0c4
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2615346
    Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
    Reviewed-by: Nasko Oskov <nasko@chromium.org>
    Auto-Submit: Arthur Sonzogni <arthursonzogni@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#841976}
render_widget_host_observer.cc 525 Bytes
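
The destructor check quoted in the commit message, as an added stand-alone model (not Chromium code and not the contents of this commit). `Host`, `Observer`, `ScopedObservation`, `g_violations` and `ViolationsAfterTeardown` are hypothetical names; a counter stands in for the `CHECK` so both paths can run to completion.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

class Host;
int g_violations = 0;  // counted instead of crashing, so the demo keeps running

class Observer {
 public:
  virtual ~Observer();
  bool IsInObserverList() const { return host_ != nullptr; }
 private:
  friend class Host;
  Host* host_ = nullptr;  // non-null only while registered with a Host
};

class Host {
 public:
  void AddObserver(Observer* o) { list_.push_back(o); o->host_ = this; }
  void RemoveObserver(Observer* o) {
    list_.erase(std::remove(list_.begin(), list_.end(), o), list_.end());
    o->host_ = nullptr;
  }
 private:
  std::vector<Observer*> list_;  // raw pointers: dangling if an observer dies first
};

Observer::~Observer() {
  if (!IsInObserverList()) return;
  ++g_violations;               // production form: CHECK(!IsInObserverList());
  host_->RemoveObserver(this);  // only so this demo never leaves a dangling entry
}

// RAII registration, modelled on the idea behind base::ScopedObservation.
struct ScopedObservation {
  ScopedObservation(Host* h, Observer* o) : host(h), obs(o) { h->AddObserver(o); }
  ~ScopedObservation() { host->RemoveObserver(obs); }
  Host* host;
  Observer* obs;
};

// Returns how many observers were destroyed while still in an observer list.
int ViolationsAfterTeardown(bool scoped) {
  int before = g_violations;
  Host host;
  Observer* o = new Observer;
  if (scoped) { ScopedObservation s(&host, o); }  // unregistered at scope exit
  else host.AddObserver(o);                       // never unregistered
  delete o;  // the destructor check fires only on the unscoped path
  return g_violations - before;
}

int main() {
  std::printf("unscoped=%d scoped=%d\n", ViolationsAfterTeardown(false), ViolationsAfterTeardown(true));
}
```

The check reports the fault at the `delete`, which is the location the quoted tip is trying to find, rather than at a later iteration over the list.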