Speculative fix for WebWidgetLockTarget crash.

Previously, the class was keeping a raw pointer to a WebWidget object. While we would eventually like the lifetime of RenderWidget and WebWidget to be synchronized, they are not yet. This CL updates the pointer to be to a RenderWidget object, guaranteed to outlive the WebWidgetLockTarget. Bug: 999243 Change-Id: I9a2a546823b658a24d25fc9ae7a2d4e7e61ad5ea Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1776981 Commit-Queue: Erik Chen <erikchen@chromium.org> Auto-Submit: Erik Chen <erikchen@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#691883}

Speculative fix for WebWidgetLockTarget crash.
Previously, the class was keeping a raw pointer to a WebWidget object. While we would eventually like the lifetime of RenderWidget and WebWidget to be synchronized, they are not yet. This CL updates the pointer to be to a RenderWidget object, guaranteed to outlive the WebWidgetLockTarget. Bug: 999243 Change-Id: I9a2a546823b658a24d25fc9ae7a2d4e7e61ad5ea Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1776981 Commit-Queue: Erik Chen <erikchen@chromium.org> Auto-Submit: Erik Chen <erikchen@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/master@{#691883}
7b98582d · Erik Chen · Commit Bot · a061b935 · 7b98582d
Commit 7b98582d authored Aug 30, 2019 by Erik Chen Committed by Commit Bot Aug 30, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 8 deletions

content/renderer/render_widget.cc content/renderer/render_widget.cc +20 -8

No files found.
--- a/content/renderer/render_widget.cc
+++ b/content/renderer/render_widget.cc
@@ -191,17 +191,29 @@ bool IsSmallScreen(const gfx::Size& size) {

 class WebWidgetLockTarget : public content::MouseLockDispatcher::LockTarget {
 public:
-  explicit WebWidgetLockTarget(blink::WebWidget* webwidget)
-      : webwidget_(webwidget) {}
+  explicit WebWidgetLockTarget(RenderWidget* render_widget)
+      : render_widget_(render_widget) {}

  void OnLockMouseACK(bool succeeded) override {
+    // TODO(https://crbug.com/995981): Once RenderWidget and WebWidget lifetimes
+    // are synchronized, we should remove these conditionals.
+    WebWidget* web_widget = render_widget_->GetWebWidget();
+    if (!web_widget)
+      return;
+
    if (succeeded)
-      webwidget_->DidAcquirePointerLock();
+      web_widget->DidAcquirePointerLock();
    else
-      webwidget_->DidNotAcquirePointerLock();
+      web_widget->DidNotAcquirePointerLock();
  }

-  void OnMouseLockLost() override { webwidget_->DidLosePointerLock(); }
+  void OnMouseLockLost() override {
+    WebWidget* web_widget = render_widget_->GetWebWidget();
+    if (!web_widget)
+      return;
+
+    web_widget->DidLosePointerLock();
+  }

  bool HandleMouseLockedInputEvent(const blink::WebMouseEvent& event) override {
    // The WebWidget handles mouse lock in Blink's handleInputEvent().
@@ -209,7 +221,8 @@ class WebWidgetLockTarget : public content::MouseLockDispatcher::LockTarget {
  }

 private:
-  blink::WebWidget* webwidget_;
+  // The RenderWidget owns this instance and is guaranteed to outlive it.
+  RenderWidget* render_widget_;
 };

 class ScopedUkmRafAlignedInputTimer {
@@ -559,8 +572,7 @@ void RenderWidget::Init(ShowCallback show_callback, WebWidget* web_widget) {
  show_callback_ = std::move(show_callback);

  webwidget_internal_ = web_widget;
-  webwidget_mouse_lock_target_.reset(
-      new WebWidgetLockTarget(webwidget_internal_));
+  webwidget_mouse_lock_target_.reset(new WebWidgetLockTarget(this));
  mouse_lock_dispatcher_.reset(new RenderWidgetMouseLockDispatcher(this));

  RenderThread::Get()->AddRoute(routing_id_, this);