author | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-10-22 23:47:44 +0000 |
---|---|---|
committer | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-10-22 23:47:44 +0000 |
commit | a701e5ad76729b657a80d5f4c0c4395a00b94d23 (patch) | |
tree | 381cf7f466f35c8c5c396f0430ffcb2e9d096c2d | |
parent | 7357497e61bbbaa6c55de4070e03e0bcac74a852 (diff) | |
Potential fix for the PluginChannel::CleanUp crash. This will go out on tomorrow's dev channel build and we can see if the crashes go away while I try to write a repro.
The only scenario that I can think of is that an NPObject in the plugin process has a deallocate function which releases an npobject from the renderer. That would cause the corresponding NPObjectProxy to go away, but since PluginChannel has in_remove_route_ set, the list won't get updated and in the future iteration of the loop we'll call the method on a deleted object.
BUG=25439
Review URL: http://codereview.chromium.org/327003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29839 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/plugin/plugin_channel_base.cc | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/chrome/plugin/plugin_channel_base.cc b/chrome/plugin/plugin_channel_base.cc index 9c7d3ca..e996919 100644 --- a/chrome/plugin/plugin_channel_base.cc +++ b/chrome/plugin/plugin_channel_base.cc @@ -159,8 +159,11 @@ void PluginChannelBase::RemoveRoute(int route_id) { // If this RemoveRoute call from the NPObject is a result of us calling // OnChannelError below, don't call erase() here because that'll corrupt // the iterator below. - if (!in_remove_route_) + if (in_remove_route_) { + iter->second = NULL; + } else { npobject_listeners_.erase(iter); + } return; } @@ -172,7 +175,8 @@ void PluginChannelBase::RemoveRoute(int route_id) { ListenerMap::iterator npobj_iter = npobject_listeners_.begin(); in_remove_route_ = true; while (npobj_iter != npobject_listeners_.end()) { - npobj_iter->second->OnChannelError(); + if (npobj_iter->second) + npobj_iter->second->OnChannelError(); npobj_iter++; } in_remove_route_ = false; |
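Review bot: In the first hunk (the `if (in_remove_route_)` branch of RemoveRoute), `iter->second = NULL;` means npobject_listeners_ can now hold keys whose listener pointer is NULL, but the comment above it still only explains why erase() is skipped. Please extend that comment to say that the slot is nulled so the OnChannelError loop skips the dead listener, and check every other place that looks up or iterates npobject_listeners_ and dereferences `second`, since those now need to tolerate a NULL value for as long as such an entry stays in the map.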
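Review bot: In the second hunk (the while loop over npobject_listeners_), nothing in the visible lines removes the entries that were nulled during the loop once `in_remove_route_ = false;` runs, so they stay in the map unless it is cleared further down. Consider erasing the NULL entries, or clearing the map, right after the flag is reset, and add a one-line comment on `if (npobj_iter->second)` saying the pointer can be NULL because a reentrant RemoveRoute call nulled it. As a minor style point, `npobj_iter++` could be `++npobj_iter`.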