Commit 63b8975f authored by nasko, committed by Commit bot

MainFrameObserver is inline owned, so it shouldn't be freed by OnDestruct

MainFrameObserver is a RenderFrameObserver and as such is destroyed when
RenderFrame goes away. This happens as part of
RenderFrameObserver::OnDestruct. MainFrameObserver though is inline owned
by WebUIMojo and can be deleted before WebUIMojo is deleted. It results in
use-after-free when WebUIMojo is destructed and tries to free the already
freed MainFrameObserver.

This CL overrides OnDestruct, which allows the MainFrameObserver to stay
alive and be cleaned up by WebUIMojo.

BUG=357747

Review URL: https://codereview.chromium.org/1137533002

Cr-Commit-Position: refs/heads/master@{#328990}
parent baa4ce23
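
The ownership rule from the commit message, as an added example that is not Chromium code and not part of the original commit. The class names `FrameObserver`, `HeapObserver`, `InlineObserver` and `Owner` are hypothetical, and the self-deleting default `OnDestruct()` is an assumption modelled on the description above.

```cpp
#include <cstdio>

static int g_destroyed = 0;  // counts observer destructor runs

// Hypothetical observer base whose default OnDestruct() deletes the object
// (assumed behaviour taken from the commit message, not Chromium's class).
class FrameObserver {
 public:
  virtual ~FrameObserver() { ++g_destroyed; }
  virtual void OnDestruct() { delete this; }  // valid only for heap-owned observers
};

// Heap-allocated observer: relies on the default self-delete.
class HeapObserver : public FrameObserver {};

// Inline-owned observer: the owner's destructor destroys it, so OnDestruct()
// must not. Without this override the default would delete a member
// subobject and the owner's destructor would then destroy it a second time.
class InlineObserver : public FrameObserver {
 public:
  void OnDestruct() override {}
};

class Owner {
 public:
  FrameObserver* observer() { return &observer_; }
 private:
  InlineObserver observer_;  // lifetime tied to Owner
};

// The frame going away notifies its observer.
void FrameDestroyed(FrameObserver* obs) { obs->OnDestruct(); }

int DestructionsForHeapObserver() {
  g_destroyed = 0;
  FrameDestroyed(new HeapObserver);  // self-delete is the only cleanup
  return g_destroyed;
}

int DestructionsForInlineObserver() {
  g_destroyed = 0;
  {
    Owner owner;
    FrameDestroyed(owner.observer());  // frame dies first: no-op
  }                                    // owner dies: member destroyed once
  return g_destroyed;
}

int main() {
  std::printf("heap=%d inline=%d\n", DestructionsForHeapObserver(),
              DestructionsForInlineObserver());
}
```

Both paths end with exactly one destructor run per observer, which is the invariant the override restores.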
...@@ -45,6 +45,9 @@ void WebUIMojo::MainFrameObserver::DidFinishDocumentLoad() { ...@@ -45,6 +45,9 @@ void WebUIMojo::MainFrameObserver::DidFinishDocumentLoad() {
web_ui_mojo_->OnDidFinishDocumentLoad(); web_ui_mojo_->OnDidFinishDocumentLoad();
} }
void WebUIMojo::MainFrameObserver::OnDestruct() {
}
WebUIMojo::WebUIMojo(RenderView* render_view) WebUIMojo::WebUIMojo(RenderView* render_view)
: RenderViewObserver(render_view), : RenderViewObserver(render_view),
RenderViewObserverTracker<WebUIMojo>(render_view), RenderViewObserverTracker<WebUIMojo>(render_view),
......
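Review bot: The new WebUIMojo::MainFrameObserver::OnDestruct() definition has an empty body and nothing at the definition says that is deliberate. A one-line comment inside the braces pointing at the ownership explanation in the header would stop a later cleanup from restoring the default behaviour. The visible change also carries no test for the ordering the commit message describes (main frame destroyed before WebUIMojo), so a regression of BUG=357747 would go unnoticed.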
...@@ -40,6 +40,11 @@ class WebUIMojo ...@@ -40,6 +40,11 @@ class WebUIMojo
void WillReleaseScriptContext(v8::Local<v8::Context> context, void WillReleaseScriptContext(v8::Local<v8::Context> context,
int world_id) override; int world_id) override;
void DidFinishDocumentLoad() override; void DidFinishDocumentLoad() override;
// MainFrameObserver is inline owned by WebUIMojo and should not be
// destroyed when the main RenderFrame is deleted. Overriding the
// OnDestruct method allows this object to remain alive and be cleaned
// up as part of WebUIMojo deletion.
void OnDestruct() override;
private: private:
WebUIMojo* web_ui_mojo_; WebUIMojo* web_ui_mojo_;
......
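Review bot: The comment above "void OnDestruct() override;" explains the ownership but does not say that the override is an intentional no-op. Consider stating that explicitly, and noting that the raw web_ui_mojo_ back-pointer is safe only because the inline-owned observer never outlives WebUIMojo, so the lifetime invariant is documented next to the member it protects.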