diff options
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-24 19:27:02 +0000 |
|---|---|---|
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-24 19:27:02 +0000 |
| commit | 9d9f653d7ac6a2f083dd9acd2ff7a12a5c202398 (patch) | |
| tree | 9d7190bdcebd607e333674902e98fb1fd0165e84 | |
| parent | dd924193b5c11b188a56a09f7c29c8cbdfa0737e (diff) | |
| download | chromium_src-9d9f653d7ac6a2f083dd9acd2ff7a12a5c202398.zip chromium_src-9d9f653d7ac6a2f083dd9acd2ff7a12a5c202398.tar.gz chromium_src-9d9f653d7ac6a2f083dd9acd2ff7a12a5c202398.tar.bz2 | |
Fixed a hang in ChromeFrame while tearing down pending url requests during shutdown. This would occur
when we received a redirect notification on an aborted request. We would end up aborting the request twice
which would cause the UrlmonUrlRequest object to be destroyed twice by IE, thus resulting in a junk reference
in the request map.
Fix is to bail out in the IBindStatusCallback::OnProgress callback if it is invoked for an aborted request.
Part of the fix for http://code.google.com/p/chromium/issues/detail?id=34687
The other issue being fixed is a crash in ChromeFrame caused if the UrlmonUrlRequest object gets destroyed
in the context of UrlmonUrlRequest::StartAsyncDownload. The crash would occur while accessing members of the
object on return from this function. Fix is to grab a reference on this object in the context of the call.
Bug=34687
Review URL: http://codereview.chromium.org/652202
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39909 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | chrome_frame/urlmon_url_request.cc | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/chrome_frame/urlmon_url_request.cc b/chrome_frame/urlmon_url_request.cc index ec61ca9..149c94b 100644 --- a/chrome_frame/urlmon_url_request.cc +++ b/chrome_frame/urlmon_url_request.cc @@ -50,8 +50,12 @@ UrlmonUrlRequest::~UrlmonUrlRequest() { bool UrlmonUrlRequest::Start() { thread_ = PlatformThread::CurrentId(); status_.Start(); + // The UrlmonUrlRequest instance can get destroyed in the context of + // StartAsyncDownload if BindToStorage finishes synchronously with an error. + // Grab a reference to protect against this. + scoped_refptr<UrlmonUrlRequest> ref(this); HRESULT hr = StartAsyncDownload(); - if (FAILED(hr)) { + if (FAILED(hr) && status_.get_state() != UrlmonUrlRequest::Status::DONE) { status_.Done(); status_.set_result(URLRequestStatus::FAILED, HresultToNetError(hr)); NotifyDelegateAndDie(); @@ -169,6 +173,11 @@ STDMETHODIMP UrlmonUrlRequest::OnLowResource(DWORD reserved) { STDMETHODIMP UrlmonUrlRequest::OnProgress(ULONG progress, ULONG max_progress, ULONG status_code, LPCWSTR status_text) { DCHECK_EQ(thread_, PlatformThread::CurrentId()); + + if (status_.get_state() != Status::WORKING) { + return S_OK; + } + switch (status_code) { case BINDSTATUS_REDIRECTING: { DLOG(INFO) << "URL: " << url() << " redirected to " << status_text; |