[WebUI][NTP] Fixes crash in AutocompleteController::StopHelper

The crash in crbug/1086749 is likely due to the page method calls being handled after destruction of |autocomplete_controller_|. mojo::Receiver guarantees that page method calls will NEVER run beyond the lifetime of the receiver object. Moving the Receiver (as well as the Remote) member variable toward the end of the list of member variables should fix this crash as the receiver object gets destroyed first. Bug: 1086749 Change-Id: I42d1229416e5909c4f3b9bd187a4db2da88b7d2a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2217211 Commit-Queue: Moe Ahmadi <mahmadi@chromium.org> Reviewed-by: Tommy Li <tommycli@chromium.org> Cr-Commit-Position: refs/heads/master@{#772285}

[WebUI][NTP] Fixes crash in AutocompleteController::StopHelper
The crash in crbug/1086749 is likely due to the page method calls being handled after destruction of |autocomplete_controller_|. mojo::Receiver guarantees that page method calls will NEVER run beyond the lifetime of the receiver object. Moving the Receiver (as well as the Remote) member variable toward the end of the list of member variables should fix this crash as the receiver object gets destroyed first. Bug: 1086749 Change-Id: I42d1229416e5909c4f3b9bd187a4db2da88b7d2a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2217211 Commit-Queue: Moe Ahmadi <mahmadi@chromium.org> Reviewed-by: Tommy Li <tommycli@chromium.org> Cr-Commit-Position: refs/heads/master@{#772285}
94cbc0db · Moe Ahmadi · Commit Bot · c31836c2 · 94cbc0db · 94cbc0db
Commit 94cbc0db authored May 27, 2020 by Moe Ahmadi Committed by Commit Bot May 27, 2020
2 changed files
--- a/chrome/browser/ui/webui/new_tab_page/new_tab_page_handler.cc
+++ b/chrome/browser/ui/webui/new_tab_page/new_tab_page_handler.cc
@@ -253,9 +253,7 @@ NewTabPageHandler::NewTabPageHandler(
      logo_service_(LogoServiceFactory::GetForProfile(profile)),
      one_google_bar_service_(
          OneGoogleBarServiceFactory::GetForProfile(profile)),
-      page_{std::move(pending_page)},
      profile_(profile),
-      receiver_{this, std::move(pending_page_handler)},
      favicon_cache_(FaviconServiceFactory::GetForProfile(
                         profile,
                         ServiceAccessType::EXPLICIT_ACCESS),
@@ -264,7 +262,9 @@ NewTabPageHandler::NewTabPageHandler(
                         ServiceAccessType::EXPLICIT_ACCESS)),
      web_contents_(web_contents),
      ntp_navigation_start_time_(ntp_navigation_start_time),
-      logger_(NTPUserDataLogger::GetOrCreateFromWebContents(web_contents)) {
+      logger_(NTPUserDataLogger::GetOrCreateFromWebContents(web_contents)),
+      page_{std::move(pending_page)},
+      receiver_{this, std::move(pending_page_handler)} {
  CHECK(instant_service_);
  CHECK(ntp_background_service_);
  CHECK(logo_service_);

--- a/chrome/browser/ui/webui/new_tab_page/new_tab_page_handler.h
+++ b/chrome/browser/ui/webui/new_tab_page/new_tab_page_handler.h
@@ -206,9 +206,7 @@ class NewTabPageHandler : public new_tab_page::mojom::PageHandler,
  ScopedObserver<OneGoogleBarService, OneGoogleBarServiceObserver>
      one_google_bar_service_observer_{this};
  base::Optional<base::TimeTicks> one_google_bar_load_start_time_;
-  mojo::Remote<new_tab_page::mojom::Page> page_;
  Profile* profile_;
-  mojo::Receiver<new_tab_page::mojom::PageHandler> receiver_;
  scoped_refptr<ui::SelectFileDialog> select_file_dialog_;
  std::unique_ptr<AutocompleteController> autocomplete_controller_;
  FaviconCache favicon_cache_;
@@ -220,6 +218,11 @@ class NewTabPageHandler : public new_tab_page::mojom::PageHandler,
                     std::unique_ptr<network::SimpleURLLoader>>
      loader_map_;
+  // These are located at the end of the list of member variables to ensure the
+  // WebUI page is disconnected before other members are destroyed.
+  mojo::Remote<new_tab_page::mojom::Page> page_;
+  mojo::Receiver<new_tab_page::mojom::PageHandler> receiver_;
  base::WeakPtrFactory<NewTabPageHandler> weak_ptr_factory_{this};
  DISALLOW_COPY_AND_ASSIGN(NewTabPageHandler);