Skip to content

GitLab

T
tangled
Commit 2ce98a25 authored by skyostil's avatar skyostil Committed by Commit bot
Browse files
Options

devtools: Fix crash when WebContents is deleted by a message handler 

If a DevTools message handler deletes the WebContents which originated
the message, we previously tried to access a member of an already-freed
FrameHostHolder.

TEST=headless_browsertests --gtest_filter=HeadlessBrowserContextIsolationTest.RunAsyncTest

Review-Url: https://codereview.chromium.org/2597453002
Cr-Commit-Position: refs/heads/master@{#439879}
parent baed7149
Hide whitespace changes
Inline Side-by-side
Showing with 4 additions and 2 deletions
content/browser/devtools/render_frame_devtools_agent_host.cc
View file @ 2ce98a25
...@@ -242,13 +242,15 @@ void RenderFrameDevToolsAgentHost::FrameHostHolder::SendMessageToClient( ...@@ -242,13 +242,15 @@ void RenderFrameDevToolsAgentHost::FrameHostHolder::SendMessageToClient(
int session_id, int session_id,
const std::string& message) { const std::string& message) {
int id = chunk_processor_.last_call_id(); int id = chunk_processor_.last_call_id();
PendingMessage sent_message = sent_messages_[id];
sent_messages_.erase(id);
if (suspended_) { if (suspended_) {
sent_messages_whose_reply_came_while_suspended_[id] = sent_messages_[id]; sent_messages_whose_reply_came_while_suspended_[id] = sent_message;
pending_messages_.push_back(std::make_pair(session_id, message)); pending_messages_.push_back(std::make_pair(session_id, message));
} else { } else {
agent_->SendMessageToClient(session_id, message); agent_->SendMessageToClient(session_id, message);
// |this| may be deleted at this point.
} }
sent_messages_.erase(id);
} }
void RenderFrameDevToolsAgentHost::FrameHostHolder::Suspend() { void RenderFrameDevToolsAgentHost::FrameHostHolder::Suspend() {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment