Jinsuk Kim authored
This CL takes care of the crash when preview tab is closed by 'close all incognito tabs' from Android notification UI. There are 2 problems:

1) |destroy| of BottomSheetContent that preview tab is built with needs to be invoked only by BottomSheetController when the controller finds it not used any more. Removes the redundant (and unnecessary) destruction in the preview tab coordinator.

2) An incognito profile instance shared by multiple ProfileDestroyers was destroyed twice when it is triggered from RenderProcessHostObserver::RenderProcessHostDestroyed. This CL delays the actual destruction task all the way to the ProfileDestroyer dtor (which ensures the pending destroyer list is updated properly before the deletion), and uses DestroyOffTheRecordProfileNow to null out the pending object's pointer to the profile to be deleted, which helps avoid UAF.

Bug: 1029677
Change-Id: I2710bb5ec2c35973da362c850434f71753175a22
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1971031
Commit-Queue: Jinsuk Kim <jinsukkim@chromium.org>
Reviewed-by: Sylvain Defresne <sdefresne@chromium.org>
Reviewed-by: Mihai Sardarescu <msarda@chromium.org>
Reviewed-by: Matthew Jones <mdjones@chromium.org>
Cr-Commit-Position: refs/heads/master@{#726631}
e8d6fb69
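
The ownership pattern from problem 2 of the commit message, as a minimal C++ model added here for illustration; it is not Chromium's code, and `Profile`, `Destroyer`, `DestroyProfileNow` and `RunSharedProfileScenario` are hypothetical names. It shows two pending destroyers sharing one object, with deletion deferred to the destructor and stale pointers nulled before the single free.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Simplified model, not Chromium code; all names here are hypothetical.
struct Profile {
  static int live, deletes;
  Profile() { ++live; }
  ~Profile() { --live; ++deletes; }
};
int Profile::live = 0;
int Profile::deletes = 0;

class Destroyer {
 public:
  explicit Destroyer(Profile* p) : profile_(p) { pending().push_back(this); }
  // The profile is freed only here, after this object left the pending list.
  ~Destroyer() {
    auto& v = pending();
    v.erase(std::remove(v.begin(), v.end(), this), v.end());
    if (profile_) DestroyProfileNow(profile_);
  }
  // Null every pending destroyer's pointer to p, then free p exactly once.
  static void DestroyProfileNow(Profile* p) {
    for (Destroyer* d : pending())
      if (d->profile_ == p) d->profile_ = nullptr;
    delete p;
  }
  const Profile* profile() const { return profile_; }
  static std::vector<Destroyer*>& pending() { static std::vector<Destroyer*> v; return v; }
 private:
  Profile* profile_;
};

// Two destroyers share one profile. Returns the number of times it was
// deleted, or -1 if the surviving destroyer still held the stale pointer.
int RunSharedProfileScenario() {
  Profile::deletes = 0;
  Profile* p = new Profile;
  Destroyer* a = new Destroyer(p);
  Destroyer* b = new Destroyer(p);
  delete a;  // first destroyer fires and frees the profile
  bool cleared = (b->profile() == nullptr);
  delete b;  // second destroyer must find nothing left to free
  return cleared ? Profile::deletes : -1;
}

int main() { std::printf("deletes=%d\n", RunSharedProfileScenario()); }
```

Without the nulling loop in `DestroyProfileNow`, the second `delete` would free the same object again, which AddressSanitizer reports as a double free.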