Guard against calling into a deleted RenderWidgetHost.

Occasionally a WebContentController is destructed before we have received RenderViewDeleted notifications for all observed RenderWidgetHosts. Therefore, it is not safe to call RemoveInputEventObserver on every RenderWidgetHost that we started observing; we need to remove only from currently live RenderWidgetHosts. Bug: b/148227677 Change-Id: Ic9a7a4f187eb154665fc2ad093dd9464f7520e27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2020246 Commit-Queue: Kevin Schoedel <kpschoedel@chromium.org> Reviewed-by: Albert Chaulk <achaulk@chromium.org> Reviewed-by: Daniel Nicoara <dnicoara@chromium.org> Cr-Commit-Position: refs/heads/master@{#737439}

Guard against calling into a deleted RenderWidgetHost.
Occasionally a WebContentController is destructed before we have received RenderViewDeleted notifications for all observed RenderWidgetHosts. Therefore, it is not safe to call RemoveInputEventObserver on every RenderWidgetHost that we started observing; we need to remove only from currently live RenderWidgetHosts. Bug: b/148227677 Change-Id: Ic9a7a4f187eb154665fc2ad093dd9464f7520e27 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2020246 Commit-Queue: Kevin Schoedel <kpschoedel@chromium.org> Reviewed-by: Albert Chaulk <achaulk@chromium.org> Reviewed-by: Daniel Nicoara <dnicoara@chromium.org> Cr-Commit-Position: refs/heads/master@{#737439}
72531a08 · Kevin Schoedel · Commit Bot · f9a421fc · 72531a08
Commit 72531a08 authored Jan 31, 2020 by Kevin Schoedel Committed by Commit Bot Jan 31, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 2 deletions

chromecast/browser/webview/web_content_controller.cc chromecast/browser/webview/web_content_controller.cc +19 -2

No files found.
--- a/chromecast/browser/webview/web_content_controller.cc
+++ b/chromecast/browser/webview/web_content_controller.cc
@@ -17,6 +17,7 @@
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/render_widget_host.h"
+#include "content/public/browser/render_widget_host_iterator.h"
 #include "content/public/browser/render_widget_host_view.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/web_preferences.h"
@@ -38,8 +39,24 @@ WebContentController::~WebContentController() {
    surface_->RemoveSurfaceObserver(this);
    surface_->SetEmbeddedSurfaceId(base::RepeatingCallback<viz::SurfaceId()>());
  }
-  for (auto* rwh : current_render_widget_set_) {
+  if (!current_render_widget_set_.empty()) {
-    rwh->RemoveInputEventObserver(this);
+    // A WebContentController can be destructed without us we have recieved
+    // RenderViewDeleted notifications for all observed RenderWidgetHosts,
+    // so we go through the current_render_widget_set_ to remove the input
+    // event observers. It has sometimes been the case (perhaps only on a
+    // renderer process crash -- TODO(kpschoedel) investiage this) that an
+    // observed RenderWidgetHost has disappeared without notification.
+    // Therefore, it is not safe to call RemoveInputEventObserver on every
+    // RenderWidgetHost that we started observing; we need to remove only
+    // from currently live RenderWidgetHosts.
+    std::unique_ptr<content::RenderWidgetHostIterator> widgets(
+      content::RenderWidgetHost::GetRenderWidgetHosts());
+    while (content::RenderWidgetHost* widget = widgets->GetNextHost()) {
+      auto it = current_render_widget_set_.find(widget);
+      if (it != current_render_widget_set_.end()) {
+        widget->RemoveInputEventObserver(this);
+      }
+    }
  }
 }