Sets render_frame_proxy_ to null in the RenderFrameImpl when destroying the RenderFrameProxy.

This fixes with a use-after-free in the RenderFrameProxy reported by the asan bots, but uncovers another one. TEST=NavigateRemoteFrame BUG=357747 Review URL: https://codereview.chromium.org/929463004 Cr-Commit-Position: refs/heads/master@{#316337}

Sets render_frame_proxy_ to null in the RenderFrameImpl when destroying the RenderFrameProxy.
This fixes with a use-after-free in the RenderFrameProxy reported by the asan bots, but uncovers another one. TEST=NavigateRemoteFrame BUG=357747 Review URL: https://codereview.chromium.org/929463004 Cr-Commit-Position: refs/heads/master@{#316337}
912887b4 · lfg · Commit bot · 479ea5af · 912887b4
Commit 912887b4 authored Feb 13, 2015 by lfg Committed by Commit bot Feb 14, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

content/renderer/render_frame_proxy.cc content/renderer/render_frame_proxy.cc +9 -0

No files found.
--- a/content/renderer/render_frame_proxy.cc
+++ b/content/renderer/render_frame_proxy.cc
@@ -117,6 +117,15 @@ RenderFrameProxy::RenderFrameProxy(int routing_id, int frame_routing_id)
 }

 RenderFrameProxy::~RenderFrameProxy() {
+  // TODO(nasko): Set the render_frame_proxy to null to avoid a double deletion
+  // when detaching the main frame. This can be removed once RenderFrameImpl and
+  // RenderFrameProxy have been completely decoupled. See
+  // https://crbug.com/357747.
+  RenderFrameImpl* render_frame =
+      RenderFrameImpl::FromRoutingID(frame_routing_id_);
+  if (render_frame)
+    render_frame->set_render_frame_proxy(nullptr);
+
  render_view()->UnregisterRenderFrameProxy(this);

  FrameMap::iterator it = g_frame_map.Get().find(web_frame_);