author | michaeln@chromium.org <michaeln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-18 04:17:18 +0000 |
committer | michaeln@chromium.org <michaeln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-18 04:17:18 +0000 |
commit | 4f92bd1b131a43aac7a57ce684722557ab47c275 (patch) | |
tree | d99f435ddc6e7b2047427ed7854cdb93f1d7625d | |
parent | 742278edf9059049a72d148caf22075b6ee53b10 (diff) | |
Fix a recently introduced (r230246 in m32) use-after-free bug.
BUG=327366
Review URL: https://codereview.chromium.org/116703004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@241479 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | webkit/browser/appcache/appcache_host.h | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/webkit/browser/appcache/appcache_host.h b/webkit/browser/appcache/appcache_host.h
index 7869dad..939d198 100644
--- a/webkit/browser/appcache/appcache_host.h
+++ b/webkit/browser/appcache/appcache_host.h
@@ -205,6 +205,11 @@ class WEBKIT_STORAGE_BROWSER_EXPORT AppCacheHost
   int parent_host_id_;
   int parent_process_id_;
 
+  // Defined prior to refs to AppCaches and Groups because destruction
+  // order matters, the disabled_storage_reference_ must outlive those
+  // objects. See additional comments for the storage_ member.
+  scoped_refptr<AppCacheStorageReference> disabled_storage_reference_;
+
   // The cache associated with this host, if any.
   scoped_refptr<AppCache> associated_cache_;
 
@@ -244,12 +249,12 @@ class WEBKIT_STORAGE_BROWSER_EXPORT AppCacheHost
 
   // And the equally central storage object, with a twist. In some error
   // conditions the storage object gets recreated and reinitialized. The
-  // disabled_reference_ allows for cleanup of an instance that got disabled
-  // after we had latched onto it. In normal circumstances,
-  // disabled_reference_ is expected to be NULL. When non-NULL both
-  // storage_ and disabled_reference_ refer to the same instance.
+  // disabled_storage_reference_ (defined earlier) allows for cleanup of an
+  // instance that got disabled after we had latched onto it. In normal
+  // circumstances, disabled_storage_reference_ is expected to be NULL.
+  // When non-NULL both storage_ and disabled_storage_reference_ refer to the
+  // same instance.
   AppCacheStorage* storage_;
-  scoped_refptr<AppCacheStorageReference> disabled_storage_reference_;
 
   // Since these are synchronous scriptable API calls in the client, there can
   // only be one type of callback pending. Also, we have to wait until we have a
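Review bot: Nothing enforces the lifetime invariant the moved disabled_storage_reference_ declaration depends on: the fix works only because members are destroyed in reverse declaration order, so any future scoped_refptr<AppCache> or group member added above this line (the hunk shows only associated_cache_ below it; the other refs are outside the hunk) would silently reintroduce the use-after-free. I would make that constraint explicit next to the declaration, e.g. `// NOTE: any new scoped_refptr<AppCache>/<AppCacheGroup> member must be declared AFTER this one;` `// the destructor relies on declaration order to drop those refs before this reference.` If AppCacheHost's destructor (in the .cc, not in this hunk) can reset associated_cache_ and the group refs explicitly before returning, the correctness would no longer hinge on header layout alone. The first comment line also reads as a comma splice; `order matters: the disabled_storage_reference_ must outlive those` would be clearer. The AppCacheHost class begins and ends outside the hunk.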