authorjam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-22 23:47:44 +0000
committerjam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-22 23:47:44 +0000
commita701e5ad76729b657a80d5f4c0c4395a00b94d23 (patch)
tree381cf7f466f35c8c5c396f0430ffcb2e9d096c2d
parent7357497e61bbbaa6c55de4070e03e0bcac74a852 (diff)
Potential fix for the PluginChannel::CleanUp crash. This will go out on tomorrow's dev channel build and we can see if the crashes go away while I try to write a repro.
The only scenario that I can think of is that an NPObject in the plugin process has a deallocate function which releases an NPObject from the renderer. That would cause the corresponding NPObjectProxy to go away, but since PluginChannel has in_remove_route_ set, the list won't get updated, and in a later iteration of the loop we'll call the method on a deleted object.

BUG=25439
Review URL: http://codereview.chromium.org/327003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@29839 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/plugin/plugin_channel_base.cc8
1 files changed, 6 insertions, 2 deletions
diff --git a/chrome/plugin/plugin_channel_base.cc b/chrome/plugin/plugin_channel_base.cc
index 9c7d3ca..e996919 100644
--- a/chrome/plugin/plugin_channel_base.cc
+++ b/chrome/plugin/plugin_channel_base.cc
@@ -159,8 +159,11 @@ void PluginChannelBase::RemoveRoute(int route_id) {
// If this RemoveRoute call from the NPObject is a result of us calling
// OnChannelError below, don't call erase() here because that'll corrupt
// the iterator below.
- if (!in_remove_route_)
+ if (in_remove_route_) {
+ iter->second = NULL;
+ } else {
npobject_listeners_.erase(iter);
+ }
return;
}
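Review bot: The comment above this branch still explains only why erase() is skipped, so the new `iter->second = NULL;` is an undocumented tombstone that every other reader of npobject_listeners_ now has to tolerate. I would extend the comment with `// Null the slot instead, so the OnChannelError loop below skips a listener that has already been deleted.` and note at the ListenerMap member declaration that values may be NULL while in_remove_route_ is set. RemoveRoute begins and ends outside this hunk, so whether other code paths dereference map values without a check cannot be confirmed from here.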
@@ -172,7 +175,8 @@ void PluginChannelBase::RemoveRoute(int route_id) {
ListenerMap::iterator npobj_iter = npobject_listeners_.begin();
in_remove_route_ = true;
while (npobj_iter != npobject_listeners_.end()) {
- npobj_iter->second->OnChannelError();
+ if (npobj_iter->second)
+ npobj_iter->second->OnChannelError();
npobj_iter++;
}
in_remove_route_ = false;
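Review bot: The NULL entries written by the reentrant RemoveRoute path are skipped in this loop but never removed in the visible code, so after `in_remove_route_ = false;` the map still holds route ids that map to NULL. If anything after this hunk, or a later call, looks up or iterates npobject_listeners_ and dereferences the value, the use-after-free this commit targets becomes a null dereference instead. I would sweep only the NULL slots once the loop is done and leave live listeners in place, since their own later RemoveRoute call still needs to find its entry. The type of ListenerMap is not visible here, so the erase idiom below assumes a node-based map whose other iterators survive an erase.

```cpp
// … unchanged: OnChannelError loop over npobject_listeners_ …
in_remove_route_ = false;
// Drop the slots that the reentrant RemoveRoute path nulled out during the loop.
for (ListenerMap::iterator it = npobject_listeners_.begin();
     it != npobject_listeners_.end();) {
  if (!it->second)
    npobject_listeners_.erase(it++);
  else
    ++it;
}
```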