author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-05-11 02:26:40 +0000 |
---|---|---|
committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-05-11 02:26:40 +0000 |
commit | 732adca12a00d6338e2e1ffb29a373eec9e9b1cc (patch) | |
tree | 874b4dc904eb2480541850296fc9dad9ffe11932 | |
parent | c8b7705f4b4cd5f790d251c2059b9d1f430c42d2 (diff) | |
Fix a crash in the Chrome browser process which occurs while servicing ChromeFrame requests over automation.
The crash occurs in the URLRequestAutomationJob which is invoked from the AutomationResourceMessageFilter
which filters the automation channel. A recent change to remove refcounting usage from the URLRequestJob
subclasses also changed the request map to not maintain a refcounted object. Long story short, while processing
the OnRequestEnd IPC message the job can get destroyed midway in the handler.
Fix is to rearrange the code in the URLRequestAutomationJob::OnRequestEnd function to access the pending_buf
only when the job is not complete and we received a valid response.
BUG=none
TEST=ChromeFrame should not crash on startup. This can be reproduced by navigating to meebo.com in IE
TBR=amit
Review URL: http://codereview.chromium.org/7001011
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@84915 0039d316-1c4b-4281-b951-d872f2087c98
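The ordering bug the commit message describes, as an added example that is not Chromium code: a job notifies its owner that a request ended, the owner is free to delete the job synchronously inside that callback (refcounting no longer keeps it alive), and any member read after the callback is a use-after-free. `Owner`, `Job`, `OnRequestEndBuggy`, `OnRequestEndFixed`, `DeletingOwner` and `RunScenario` are hypothetical names invented here; the example assumes that `OnStartError` and `OnReadComplete` may delete the job while `OnDone` never does, and it tracks live objects by address so the would-be UAF is reported as a count instead of executed.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>

struct Job;

// Hypothetical owner interface: stands in for the request delegate that a
// job notifies. It may delete the job synchronously from OnStartError or
// OnReadComplete; OnDone is assumed never to delete the job.
struct Owner {
  virtual ~Owner() {}
  virtual void OnStartError(Job* job) = 0;
  virtual void OnDone(Job* job) = 0;
  virtual void OnReadComplete(Job* job, int bytes) = 0;
};

// Addresses of Job objects currently alive. Checked by address only, so a
// pointer to a deleted Job is never dereferenced by the check itself.
std::set<const Job*>& LiveJobs() {
  static std::set<const Job*> live;
  return live;
}

bool IsLive(const Job* job) { return LiveJobs().count(job) != 0; }

// Minimal stand-in for the job's state (hypothetical, not the real class).
struct Job {
  Owner* owner;
  bool response_started;
  char* pending_buf;
  int pending_buf_size;
  int request_status;

  Job(Owner* o, bool started, char* buf, int size)
      : owner(o), response_started(started), pending_buf(buf),
        pending_buf_size(size), request_status(0) {
    LiveJobs().insert(this);
  }
  ~Job() { LiveJobs().erase(this); }
};

// Pre-fix shape of OnRequestEnd: notify first, then fall through to a
// "reset any pending reads" block that reads pending_buf after the callback.
// Returns 1 if that read would have touched a deleted job, else 0.
int OnRequestEndBuggy(Job* job, int status) {
  Owner* owner = job->owner;
  if (!job->response_started) {
    owner->OnStartError(job);  // owner may delete job here
  } else if (job->pending_buf) {
    owner->OnDone(job);
  } else {
    job->request_status = status;
    return 0;  // the pre-fix code returned here, skipping the reset below
  }
  if (!IsLive(job))
    return 1;  // the real code reads freed memory at this point
  if (job->pending_buf) {
    job->pending_buf = NULL;
    job->pending_buf_size = 0;
    owner->OnReadComplete(job, 0);  // owner may delete job here
  }
  return 0;
}

// Post-fix shape: clear the pending read before notifying, make the call that
// can delete the job the last statement on its path, touch no member after it.
int OnRequestEndFixed(Job* job, int status) {
  Owner* owner = job->owner;  // copied out before any callback
  if (!job->response_started) {
    owner->OnStartError(job);  // may delete job; nothing follows
  } else if (job->pending_buf) {
    job->pending_buf = NULL;
    job->pending_buf_size = 0;
    owner->OnDone(job);
    owner->OnReadComplete(job, 0);  // may delete job; nothing follows
  } else {
    job->request_status = status;
  }
  return 0;  // no member access after the callbacks, so no UAF is possible
}

// Owner that tears the job down synchronously inside the notification.
struct DeletingOwner : Owner {
  int deletes;
  DeletingOwner() : deletes(0) {}
  virtual void OnStartError(Job* job) { delete job; ++deletes; }
  virtual void OnDone(Job*) {}
  virtual void OnReadComplete(Job* job, int) { delete job; ++deletes; }
};

// Runs one OnRequestEnd scenario and returns the handler's would-be-UAF count.
int RunScenario(bool fixed, bool response_started, bool has_pending_read) {
  static char buf[16];  // constructed stand-in for the pending read buffer
  DeletingOwner owner;
  Job* job = new Job(&owner, response_started,
                     has_pending_read ? buf : NULL, 16);
  int uaf = fixed ? OnRequestEndFixed(job, -1) : OnRequestEndBuggy(job, -1);
  if (IsLive(job))
    delete job;  // owner did not take it (the deferred-status path)
  return uaf;
}

int main() {
  std::printf("buggy, error before response started: %d would-be UAF\n",
              RunScenario(false, false, false));
  std::printf("fixed, error before response started: %d would-be UAF\n",
              RunScenario(true, false, false));
  return 0;
}
```

The error-before-response path is the one that differs: the buggy handler reaches the trailing `pending_buf` read on a job the owner has already deleted, while the fixed handler has nothing after the callback. The pending-read path is identical in both shapes only because `OnDone` is assumed not to delete; if it could, `OnReadComplete(job, 0)` after it would itself be the use-after-free, which is the assumption a reviewer of the real patch should confirm.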
-rw-r--r-- | chrome/browser/automation/url_request_automation_job.cc | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/chrome/browser/automation/url_request_automation_job.cc b/chrome/browser/automation/url_request_automation_job.cc index 6ae2c74..15481b0 100644 --- a/chrome/browser/automation/url_request_automation_job.cc +++ b/chrome/browser/automation/url_request_automation_job.cc @@ -354,21 +354,19 @@ void URLRequestAutomationJob::OnRequestEnd( if (!has_response_started()) { NotifyStartError(status); } else if (pending_buf_) { + pending_buf_ = NULL; + pending_buf_size_ = 0; NotifyDone(status); + NotifyReadComplete(0); } else { // Wait for the http stack to issue a Read request where we will notify // that the job has completed. request_status_ = status; - return; } } - - // Reset any pending reads. - if (pending_buf_) { - pending_buf_ = NULL; - pending_buf_size_ = 0; - NotifyReadComplete(0); - } + // Note + // The job could have been destroyed above. Please don't attempt to access + // member variables here. } void URLRequestAutomationJob::Cleanup() { |
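Review bot: in the `else if (pending_buf_)` branch, `NotifyReadComplete(0)` is now called directly after `NotifyDone(status)`, so the rearrangement is only safe if `NotifyDone()` can never synchronously destroy the job; the new trailing comment warns that "The job could have been destroyed above" but does not say by which call. Suggest the comment name the notifications that may delete `this` and state that `NotifyDone()` is not one of them, e.g. `// NOTE: NotifyStartError() and NotifyReadComplete() may delete this job;` `// NotifyDone() does not. Do not touch member variables after them.`, and fold the bare `// Note` line into that single comment. Dropping the `return;` in the `else` branch is fine now that the tail of the function no longer touches `pending_buf_`, and clearing `pending_buf_` and `pending_buf_size_` before the notifications rather than after is the right order for the same reason.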