diff options
author | paulg@google.com <paulg@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-04-14 02:03:20 +0000 |
---|---|---|
committer | paulg@google.com <paulg@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-04-14 02:03:20 +0000 |
commit | 05349986a0c968101b8925be496794b1f2bc40f5 (patch) | |
tree | 7cb79c84d92e7e5910664e94979debb9980b3e3d /chrome/browser/extensions/extension_message_service.cc | |
parent | 3401b00e41731a8816d9aec9592b09efb4bf5eac (diff) | |
download | chromium_src-05349986a0c968101b8925be496794b1f2bc40f5.zip chromium_src-05349986a0c968101b8925be496794b1f2bc40f5.tar.gz chromium_src-05349986a0c968101b8925be496794b1f2bc40f5.tar.bz2 |
Fix a crash where the ResourceMessageFilter is deleted before a
SafeBrowsing check has completed. The problem occurs since the
SafeBrowsingResourceHandler is not deleted when its associated
URLRequest is cleaned up *and* a SafeBrowsing check is in progress.
When the check completes, the next resource handler in the chain
(the AsyncResourceHandler which caches a pointer the now deleted
ResourceMessageFilter) will crash.
This CL adds a notification for objects to know when the
ResourceMessageFilter is destroyed.
BUG=8544 (http://crbug.com)
Review URL: http://codereview.chromium.org/63036
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@13644 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/extensions/extension_message_service.cc')
-rwxr-xr-x | chrome/browser/extensions/extension_message_service.cc | 26 |
1 files changed, 21 insertions, 5 deletions
diff --git a/chrome/browser/extensions/extension_message_service.cc b/chrome/browser/extensions/extension_message_service.cc index 8a4ef73..f200c5b 100755 --- a/chrome/browser/extensions/extension_message_service.cc +++ b/chrome/browser/extensions/extension_message_service.cc @@ -11,6 +11,7 @@ #include "chrome/browser/renderer_host/render_view_host.h" #include "chrome/browser/renderer_host/render_process_host.h" #include "chrome/browser/renderer_host/resource_message_filter.h" +#include "chrome/common/notification_service.h" #include "chrome/common/render_messages.h" #include "chrome/common/stl_util-inl.h" @@ -132,14 +133,23 @@ void ExtensionMessageService::RendererReady(ResourceMessageFilter* renderer) { AutoLock lock(renderers_lock_); DCHECK(renderers_.find(renderer->GetProcessId()) == renderers_.end()); renderers_[renderer->GetProcessId()] = renderer; + + NotificationService::current()->AddObserver( + this, + NotificationType::RESOURCE_MESSAGE_FILTER_SHUTDOWN, + Source<ResourceMessageFilter>(renderer)); } -void ExtensionMessageService::RendererShutdown( - ResourceMessageFilter* renderer) { +void ExtensionMessageService::Observe(NotificationType type, + const NotificationSource& source, + const NotificationDetails& details) { + DCHECK(type.value == NotificationType::RESOURCE_MESSAGE_FILTER_SHUTDOWN); + ResourceMessageFilter* filter = Source<ResourceMessageFilter>(source).ptr(); + { AutoLock lock(renderers_lock_); - DCHECK(renderers_.find(renderer->GetProcessId()) != renderers_.end()); - renderers_.erase(renderer->GetProcessId()); + DCHECK(renderers_.find(filter->GetProcessId()) != renderers_.end()); + renderers_.erase(filter->GetProcessId()); } // Close any channels that share this filter. @@ -147,7 +157,13 @@ void ExtensionMessageService::RendererShutdown( for (MessageChannelMap::iterator it = channels_.begin(); it != channels_.end(); ) { MessageChannelMap::iterator current = it++; - if (current->second.port1 == renderer || current->second.port2 == renderer) + if (current->second.port1 == filter || current->second.port2 == filter) channels_.erase(current); } + + NotificationService::current()->RemoveObserver( + this, + NotificationType::RESOURCE_MESSAGE_FILTER_SHUTDOWN, + Source<ResourceMessageFilter>(filter)); } + |