author | michaeln@google.com <michaeln@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-18 22:17:45 +0000 |
---|---|---|
committer | michaeln@google.com <michaeln@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-18 22:17:45 +0000 |
commit | 4f2f4a71d8d3ff1e055805733e459ae9f1f705a7 (patch) | |
tree | bd28f0042ae721a0a7efbfc0605033c5800d9c4a | |
parent | 6441c0cb8547d33810c309cddef4fb1c22efd789 (diff) | |
Merge 241479 "Fix a recently introduced (r230246 in m32) use-aft..."
> Fix a recently introduced (r230246 in m32) use-after-free bug.
>
> BUG=327366
>
> Review URL: https://codereview.chromium.org/116703004
TBR=michaeln@chromium.org
Review URL: https://codereview.chromium.org/112343008
git-svn-id: svn://svn.chromium.org/chrome/branches/1750/src@241677 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | webkit/browser/appcache/appcache_host.h | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/webkit/browser/appcache/appcache_host.h b/webkit/browser/appcache/appcache_host.h
index 7869dad..939d198 100644
--- a/webkit/browser/appcache/appcache_host.h
+++ b/webkit/browser/appcache/appcache_host.h
@@ -205,6 +205,11 @@ class WEBKIT_STORAGE_BROWSER_EXPORT AppCacheHost
 int parent_host_id_;
 int parent_process_id_;
+ // Defined prior to refs to AppCaches and Groups because destruction
+ // order matters, the disabled_storage_reference_ must outlive those
+ // objects. See additional comments for the storage_ member.
+ scoped_refptr<AppCacheStorageReference> disabled_storage_reference_;
+
 // The cache associated with this host, if any.
 scoped_refptr<AppCache> associated_cache_;
@@ -244,12 +249,12 @@ class WEBKIT_STORAGE_BROWSER_EXPORT AppCacheHost
 // And the equally central storage object, with a twist. In some error
 // conditions the storage object gets recreated and reinitialized. The
- // disabled_reference_ allows for cleanup of an instance that got disabled
- // after we had latched onto it. In normal circumstances,
- // disabled_reference_ is expected to be NULL. When non-NULL both
- // storage_ and disabled_reference_ refer to the same instance.
+ // disabled_storage_reference_ (defined earlier) allows for cleanup of an
+ // instance that got disabled after we had latched onto it. In normal
+ // circumstances, disabled_storage_reference_ is expected to be NULL.
+ // When non-NULL both storage_ and disabled_storage_reference_ refer to the
+ // same instance.
 AppCacheStorage* storage_;
- scoped_refptr<AppCacheStorageReference> disabled_storage_reference_;
 // Since these are synchronous scriptable API calls in the client, there can
 // only be one type of callback pending. Also, we have to wait until we have a |
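Review bot: The use-after-free fix in the first hunk rests on an implicit invariant — C++ destroys members in reverse declaration order — so `disabled_storage_reference_` outlives `associated_cache_` (and the Group references the comment mentions, which are outside this hunk) only as long as nobody later declares another cache or group reference above it; the new comment states the requirement but nothing enforces it. Consider making the release order explicit in `~AppCacheHost()` (presumably in the .cc file, outside this diff) by resetting the cache and group references before the storage reference is dropped, so that a future reordering of the declarations cannot silently reintroduce the bug. The comment itself could be tightened to say why the order matters rather than just that it does, e.g. `// Members are destroyed in reverse declaration order, so this must be declared before every scoped_refptr<AppCache>/AppCacheGroup member it has to outlive.` A regression test covering the disabled-storage path described in the second hunk (the non-NULL `disabled_storage_reference_` case) would also be worth adding alongside this change. The AppCacheHost class body begins and ends outside both hunks.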