diff options
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-24 20:24:42 +0000 |
|---|---|---|
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-02-24 20:24:42 +0000 |
| commit | 891354f43350965bb56698720724675ee527c32d (patch) | |
| tree | 00fe826fad18cc8fbf63dc9f5665fde0efa8b00d /chrome/test | |
| parent | b99daba2d6896de6c303a2ed4f2430abf4d36f3d (diff) | |
| download | chromium_src-891354f43350965bb56698720724675ee527c32d.zip chromium_src-891354f43350965bb56698720724675ee527c32d.tar.gz chromium_src-891354f43350965bb56698720724675ee527c32d.tar.bz2 | |
Fix a crash in ChromeFrame caused by a race condition between receiving and processing the
AutomationMsg_InvalidateHandle message in the background thread and the TabProxy getting destroyed
in the UI thread which also removes the object from the map.
Fix is to remove the object from the map while processing the AutomationMsg_InvalidateHandle message
which ensures that it is processed in the IO thread. The automation handle tracker now maintains
a refcounted object map.
Fixes bug http://code.google.com/p/chromium/issues/detail?id=36607
Bug=36607
Review URL: http://codereview.chromium.org/657057
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@39918 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/test')
| -rw-r--r-- | chrome/test/automation/automation_handle_tracker.cc | 7 | ||||
| -rw-r--r-- | chrome/test/automation/automation_handle_tracker.h | 3 |
2 files changed, 5 insertions, 5 deletions
diff --git a/chrome/test/automation/automation_handle_tracker.cc b/chrome/test/automation/automation_handle_tracker.cc index 1cefc08..6ced518 100644 --- a/chrome/test/automation/automation_handle_tracker.cc +++ b/chrome/test/automation/automation_handle_tracker.cc @@ -18,8 +18,6 @@ AutomationResourceProxy::AutomationResourceProxy( } AutomationResourceProxy::~AutomationResourceProxy() { - if (tracker_) - tracker_->Remove(this); } AutomationHandleTracker::~AutomationHandleTracker() { @@ -38,11 +36,11 @@ void AutomationHandleTracker::Add(AutomationResourceProxy* proxy) { } void AutomationHandleTracker::Remove(AutomationResourceProxy* proxy) { - AutoLock lock(map_lock_); HandleToObjectMap::iterator iter = handle_to_object_.find(proxy->handle()); if (iter != handle_to_object_.end()) { + AutomationHandle proxy_handle = proxy->handle(); handle_to_object_.erase(iter); - sender_->Send(new AutomationMsg_HandleUnused(0, proxy->handle())); + sender_->Send(new AutomationMsg_HandleUnused(0, proxy_handle)); } } @@ -52,6 +50,7 @@ void AutomationHandleTracker::InvalidateHandle(AutomationHandle handle) { HandleToObjectMap::iterator iter = handle_to_object_.find(handle); if (iter != handle_to_object_.end()) { iter->second->Invalidate(); + Remove(iter->second); } } diff --git a/chrome/test/automation/automation_handle_tracker.h b/chrome/test/automation/automation_handle_tracker.h index 1db6015..1117710 100644 --- a/chrome/test/automation/automation_handle_tracker.h +++ b/chrome/test/automation/automation_handle_tracker.h @@ -96,7 +96,8 @@ class AutomationHandleTracker { AutomationResourceProxy* GetResource(AutomationHandle handle); private: typedef - std::map<AutomationHandle, AutomationResourceProxy*> HandleToObjectMap; + std::map<AutomationHandle, scoped_refptr<AutomationResourceProxy> > + HandleToObjectMap; typedef std::pair<AutomationHandle, AutomationResourceProxy*> MapEntry; HandleToObjectMap handle_to_object_; |