Crash fix.

We never reset |tab_contents_| to NULL anywhere (and indeed we can't, even in ReleasePreviewContents(), because browser.cc accesses it). We were protected from acccessing a dangling tab_contents_ before, due to the is_active() check that preceded a call to PrepareForCommit(). That was removed in http://crrev.com/105664 however; hence this fix. BUG=100521 TEST=none Review URL: http://codereview.chromium.org/8329020 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@106075 0039d316-1c4b-4281-b951-d872f2087c98
author: sreeram@chromium.org <sreeram@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-10-18 17:08:20 +0000
committer: sreeram@chromium.org <sreeram@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-10-18 17:08:20 +0000
commit: 07c4ce78c859c6913f6e1f5fe0d6a38e94cd2434 (patch)
tree: 9fa2fe1834b5fff9ada359abf5506be15708dd7e /chrome/browser/instant/instant_controller.cc
parent: ac33674d8fe3a73a9cbf19807e999bd2bb787361 (diff)
download: chromium_src-07c4ce78c859c6913f6e1f5fe0d6a38e94cd2434.zip
chromium_src-07c4ce78c859c6913f6e1f5fe0d6a38e94cd2434.tar.gz
chromium_src-07c4ce78c859c6913f6e1f5fe0d6a38e94cd2434.tar.bz2
1 files changed, 8 insertions, 6 deletions
diff --git a/chrome/browser/instant/instant_controller.cc b/chrome/browser/instant/instant_controller.cc
index 5435a7c..377969f 100644
--- a/chrome/browser/instant/instant_controller.cc
+++ b/chrome/browser/instant/instant_controller.cc
@@ -231,11 +231,14 @@ bool InstantController::IsCurrent() {
 }
 
 bool InstantController::PrepareForCommit() {
+  // Basic checks to prevent accessing a dangling |tab_contents_| pointer.
+  // http://crbug.com/100521.
+  if (is_out_of_date_ || !loader_.get())
+    return false;
+
   // If we are not in the HIDDEN field trial, return the status of the preview.
-  if (!tab_contents_ ||
-      !InstantFieldTrial::IsHiddenExperiment(tab_contents_->profile())) {
+  if (!InstantFieldTrial::IsHiddenExperiment(tab_contents_->profile()))
     return IsCurrent();
-  }
 
   TemplateURLService* model = TemplateURLServiceFactory::GetForProfile(
       tab_contents_->profile());
@@ -243,9 +246,7 @@ bool InstantController::PrepareForCommit() {
     return false;
 
   const TemplateURL* template_url = model->GetDefaultSearchProvider();
-  if (is_out_of_date_ ||
-      !IsValidInstantTemplateURL(template_url) ||
-      !loader_.get() ||
+  if (!IsValidInstantTemplateURL(template_url) ||
       loader_->template_url_id() != template_url->id() ||
       loader_->IsNavigationPending() ||
       loader_->is_determining_if_page_supports_instant()) {
@@ -393,6 +394,7 @@ TabContentsWrapper* InstantController::ReleasePreviewContents(
 
   TabContentsWrapper* tab = loader_->ReleasePreviewContents(type);
   ClearBlacklist();
+  is_out_of_date_ = true;
   is_displayable_ = false;
   commit_on_mouse_up_ = false;
   omnibox_bounds_ = gfx::Rect();
author	sreeram@chromium.org <sreeram@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-10-18 17:08:20 +0000
committer	sreeram@chromium.org <sreeram@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-10-18 17:08:20 +0000
commit	07c4ce78c859c6913f6e1f5fe0d6a38e94cd2434 (patch)
tree	9fa2fe1834b5fff9ada359abf5506be15708dd7e /chrome/browser/instant/instant_controller.cc
parent	ac33674d8fe3a73a9cbf19807e999bd2bb787361 (diff)
download	chromium_src-07c4ce78c859c6913f6e1f5fe0d6a38e94cd2434.zip chromium_src-07c4ce78c859c6913f6e1f5fe0d6a38e94cd2434.tar.gz chromium_src-07c4ce78c859c6913f6e1f5fe0d6a38e94cd2434.tar.bz2