author: huanr@chromium.org <huanr@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2009-02-07 00:37:01 +0000
committer: huanr@chromium.org <huanr@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2009-02-07 00:37:01 +0000
commit: 95284326ea69903454907a200ad43ec41d158105
tree: 94b490c3fbb265adb2da045891ad33aae85c827e /base/timer.h
parent: c2edee81c21facd6d752a00997282946389d1984
Fix a memory error when a timer task deletes its original timer in the receiver method.

This happens in the events of following sequence:
- A TimerTask is created on message loop
- When TimerTask::Run is called, it nullifies timer_->delayed_task.
- The receiver method is dispatched, and inside the method, the timer_ is deleted. Since timer_->delayed_task being null, the timer_ destructor will not orphan the task.
- After the method is returned, message loop deletes the task which will deref the dangling pointer to timer_.

I also tried to add a unit test to this. The best I can come up with is making the test process crash/fail in full page heap or purify environment.

BUG=1570948
Review URL: http://codereview.chromium.org/20111

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9368 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base/timer.h')
-rw-r--r-- base/timer.h 4
1 files changed, 4 insertions, 0 deletions
diff --git a/base/timer.h b/base/timer.h
index 9aa084b..698d59d 100644
--- a/base/timer.h
+++ b/base/timer.h
@@ -168,6 +168,10 @@ class BaseTimer : public BaseTimer_Helper {
// that the Timer has already taken care of properly setting the task.
if (self->delayed_task_ == this)
self->delayed_task_ = NULL;
+ // By now the delayed_task_ in the Timer does not point to us anymore.
+ // We should reset our own timer_ because the Timer can not do this
+ // for us in its destructor.
+ timer_ = NULL;
}
}
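Review bot: After the added `timer_ = NULL;` at the end of this block, every later read of `timer_` in the task can see NULL, and the hunk does not show whether those readers guard for it. The commit message says the crash came from the message loop deleting the task after the receiver had deleted the timer, so please confirm the task's destructor path checks `timer_` before dereferencing it. The new comment would also be clearer if it said why the Timer cannot do this in its destructor: `delayed_task_` was cleared just above, so the destructor no longer knows about this task and will not orphan it. The commit message mentions a test that only fails under full page heap or Purify; the diff shown here is limited to base/timer.h, so it is worth checking that the test landed with the change.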