    Prevent TestRunnerBindings from acting when it outlives the frame. · b205720e
    danakj authored
    The TestRunnerBindings::TooltipText() method was changed to use the
    main frame instead of the bound frame, to avoid a crash, but that would
    give an incorrect result in an iframe and crash in an OOP iframe.
    
    We move it back to using the bound frame, but acknowledge new
    understanding given to us by the blessed clusterfuzz bots. In the test
    it binds an iframe's window, and thus its window.testRunner, objects
    to a variable in the parent frame, and then detaches the child. This
    means the TestRunnerBindings is kept alive, but the RenderFrame it's
    attached to goes away.
    
    To handle this case, we introduce a RenderFrameObserver for the
    TestRunnerBindings. When the RenderFrame is destroyed, the
    TestRunnerBindings sets |invalid_|, invalidates its weak pointers, and
    stops doing anything ever again. It should not use any of its state
    from that point forward as it is a detached zombie of an object.
    
    With this change, the WeakPtr to TestRunner is now understood, but
    not needed as it is redundant with |invalid_|, so we remove that.
    
    R=avi@chromium.org
    
    Bug: 1084717, 866140, 1069111
    Change-Id: I6038fd83162d099f220dab632e051fb08ccd8af7
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2210670
    Commit-Queue: danakj <danakj@chromium.org>
    Reviewed-by: Avi Drissman <avi@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#771133}
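
A minimal model of the lifetime pattern the commit message describes, added here as an illustration and not code from the Chromium change. `Frame`, `FrameObserver`, `Bindings` and `TooltipAfterDetach` are hypothetical stand-ins, and returning an empty string from an invalidated object is an assumption.

```cpp
#include <memory>
#include <set>
#include <string>

// Hypothetical stand-ins for illustration; not Chromium's RenderFrame API.
class FrameObserver {
 public:
  virtual ~FrameObserver() = default;
  virtual void OnFrameDestroyed() = 0;
};

class Frame {
 public:
  explicit Frame(const std::string& tooltip) : tooltip_(tooltip) {}
  ~Frame() {
    // Notify observers before the frame's state is freed.
    for (FrameObserver* o : observers_) o->OnFrameDestroyed();
  }
  void AddObserver(FrameObserver* o) { observers_.insert(o); }
  void RemoveObserver(FrameObserver* o) { observers_.erase(o); }
  const std::string& tooltip() const { return tooltip_; }
 private:
  std::string tooltip_;
  std::set<FrameObserver*> observers_;
};

// Models a script-exposed bindings object that can outlive its frame.
class Bindings : public FrameObserver {
 public:
  explicit Bindings(Frame* frame) : frame_(frame) { frame_->AddObserver(this); }
  ~Bindings() override { if (!invalid_) frame_->RemoveObserver(this); }
  void OnFrameDestroyed() override { invalid_ = true; frame_ = nullptr; }
  // Every entry point checks invalid_ before touching frame_.
  std::string TooltipText() const {
    return invalid_ ? std::string() : frame_->tooltip();
  }
 private:
  Frame* frame_;
  bool invalid_ = false;
};

// Constructed scenario: bindings stay referenced while the frame is destroyed.
std::string TooltipAfterDetach() {
  auto child = std::make_unique<Frame>("child tooltip");
  Bindings bindings(child.get());
  std::string before = bindings.TooltipText();
  child.reset();  // frame goes away; bindings object is still alive
  return before + "|" + bindings.TooltipText();
}
```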
detach-iframe-while-loading-javascript-url.html 570 Bytes