diff options
| author | paul@chromium.org <paul@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-18 01:01:19 +0000 |
|---|---|---|
| committer | paul@chromium.org <paul@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-18 01:01:19 +0000 |
| commit | 8b2034f851b1b41c2ec6539c057b63c92ef7289c (patch) | |
| tree | 81265ec888324e43fe362f26181cbf94c6ad9bae | |
| parent | b836fa5b1f23146fbb7c6859672821787cc70b1e (diff) | |
| download | chromium_src-8b2034f851b1b41c2ec6539c057b63c92ef7289c.zip chromium_src-8b2034f851b1b41c2ec6539c057b63c92ef7289c.tar.gz chromium_src-8b2034f851b1b41c2ec6539c057b63c92ef7289c.tar.bz2 | |
Fix a bug where we access a view after deletion.
When the download shelf menu option 'Remove' is chosen,
the view is removed and deleted (along with the object
representing the download) so we must not access them
after the removal.
This CL NULLs the download pointer in the menu to
prevent any futher access.
BUG=20810
TEST=Remove an item from the download shelf and Chrome
should not crash.
Review URL: http://codereview.chromium.org/216018
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@26536 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | chrome/browser/download/download_shelf.cc | 3 | ||||
| -rw-r--r-- | chrome/browser/download/download_shelf.h | 2 | ||||
| -rw-r--r-- | chrome/browser/views/download_item_view.cc | 10 |
3 files changed, 12 insertions, 3 deletions
diff --git a/chrome/browser/download/download_shelf.cc b/chrome/browser/download/download_shelf.cc index f771178..40d8bef 100644 --- a/chrome/browser/download/download_shelf.cc +++ b/chrome/browser/download/download_shelf.cc @@ -112,6 +112,9 @@ void DownloadShelfContextMenu::ExecuteItemCommand(int id) { break; case REMOVE_ITEM: download_->Remove(false); + // |download_| has been deleted now, prevent further access to it. + download_ = NULL; + model_ = NULL; break; case TOGGLE_PAUSE: // It is possible for the download to complete before the user clicks the diff --git a/chrome/browser/download/download_shelf.h b/chrome/browser/download/download_shelf.h index fad559a..bc014cd 100644 --- a/chrome/browser/download/download_shelf.h +++ b/chrome/browser/download/download_shelf.h @@ -47,6 +47,8 @@ class DownloadShelfContextMenu { public: virtual ~DownloadShelfContextMenu(); + virtual DownloadItem* download() const { return download_; } + protected: explicit DownloadShelfContextMenu(BaseDownloadItemModel* download_model); diff --git a/chrome/browser/views/download_item_view.cc b/chrome/browser/views/download_item_view.cc index 9f4d310..24ddba0 100644 --- a/chrome/browser/views/download_item_view.cc +++ b/chrome/browser/views/download_item_view.cc @@ -820,9 +820,13 @@ bool DownloadItemView::OnMousePressed(const views::MouseEvent& event) { DownloadShelfContextMenuWin menu(model_.get(), GetWidget()->GetNativeView(), point); - drop_down_pressed_ = false; - // Showing the menu blocks. Here we revert the state. - SetState(NORMAL, NORMAL); + // If the menu action was to remove the download, this view will also be + // invalid so we must not access 'this' in this case. + if (menu.download()) { + drop_down_pressed_ = false; + // Showing the menu blocks. Here we revert the state. + SetState(NORMAL, NORMAL); + } } return true; } |