Fix IsolatedPrerender NSP Crash

If the SubresourceManager is destroyed in the same stack as the TabHelper's page_.reset(), then it seg faults because TabHelper:: OnPrerenderStop changes state on page_. To fix, the handle should not be observed when it is cancelled due to destruction of the SubresourceManager. FWIW, I checked all other code paths to ensure this is the only place where this bug can occur. TBR=ryansturm@chromium.org Bug: 1107168 Change-Id: Id8f74e2433e2cec2f9c4c2f4ada9a31790df8219 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2306549Reviewed-by: Robert Ogden <robertogden@chromium.org> Commit-Queue: Robert Ogden <robertogden@chromium.org> Cr-Commit-Position: refs/heads/master@{#789792}

Fix IsolatedPrerender NSP Crash
If the SubresourceManager is destroyed in the same stack as the TabHelper's page_.reset(), then it seg faults because TabHelper:: OnPrerenderStop changes state on page_. To fix, the handle should not be observed when it is cancelled due to destruction of the SubresourceManager. FWIW, I checked all other code paths to ensure this is the only place where this bug can occur. TBR=ryansturm@chromium.org Bug: 1107168 Change-Id: Id8f74e2433e2cec2f9c4c2f4ada9a31790df8219 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2306549Reviewed-by: Robert Ogden <robertogden@chromium.org> Commit-Queue: Robert Ogden <robertogden@chromium.org> Cr-Commit-Position: refs/heads/master@{#789792}
d1c934c3 · Robert Ogden · Commit Bot · 65fc5bc0 · d1c934c3
Commit d1c934c3 authored Jul 19, 2020 by Robert Ogden Committed by Commit Bot Jul 19, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

chrome/browser/prerender/isolated/isolated_prerender_subresource_manager.cc ...render/isolated/isolated_prerender_subresource_manager.cc +1 -1

No files found.
--- a/chrome/browser/prerender/isolated/isolated_prerender_subresource_manager.cc
+++ b/chrome/browser/prerender/isolated/isolated_prerender_subresource_manager.cc
@@ -19,8 +19,8 @@ IsolatedPrerenderSubresourceManager::IsolatedPrerenderSubresourceManager(
 IsolatedPrerenderSubresourceManager::~IsolatedPrerenderSubresourceManager() {
  if (nsp_handle_) {
-    nsp_handle_->OnCancel();
    nsp_handle_->SetObserver(nullptr);
+    nsp_handle_->OnCancel();
  }
  UMA_HISTOGRAM_COUNTS_100("IsolatedPrerender.Prefetch.Subresources.Quantity",
                           successfully_loaded_subresources_.size());