authorjam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-09 22:50:46 +0000
committerjam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-09 22:50:46 +0000
commit0fec2189a9a451482e0d686db494253bff92363b (patch)
tree1ea08f5ff1db5bad467eb91177f5d4f50ba69081 /chrome/worker
parent9a9712aa6811c21c6f79c73ab7fb2e5501081bcb (diff)
Fix use-after-free in the worker process. The object was shutting down the process, so it was a race whether the process was still running when the task executed.
BUG=23018 TEST=covered by valgrind on mac Review URL: http://codereview.chromium.org/267035 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@28620 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/worker')
-rw-r--r--chrome/worker/webworkerclient_proxy.cc29
-rw-r--r--chrome/worker/webworkerclient_proxy.h3
-rw-r--r--chrome/worker/worker_uitest.cc5
3 files changed, 14 insertions, 23 deletions
diff --git a/chrome/worker/webworkerclient_proxy.cc b/chrome/worker/webworkerclient_proxy.cc
index f0c6571..de31734 100644
--- a/chrome/worker/webworkerclient_proxy.cc
+++ b/chrome/worker/webworkerclient_proxy.cc
@@ -23,25 +23,8 @@ using WebKit::WebString;
using WebKit::WebWorker;
using WebKit::WebWorkerClient;
-namespace {
-
// How long to wait for worker to finish after it's been told to terminate.
-static const int kMaxTimeForRunawayWorkerMs = 3000;
-
-class KillProcessTask : public Task {
- public:
- KillProcessTask(WebWorkerClientProxy* proxy) : proxy_(proxy) { }
- void Run() {
- // This shuts down the process cleanly from the perspective of the browser
- // process, and avoids the crashed worker infobar from appearing to the new
- // page.
- proxy_->workerContextDestroyed();
- }
- private:
- WebWorkerClientProxy* proxy_;
-};
-
-}
+#define kMaxTimeForRunawayWorkerMs 3000
static bool UrlIsNativeWorker(const GURL& url) {
// If the renderer was not passed the switch to enable native workers,
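Review bot: The `#define kMaxTimeForRunawayWorkerMs 3000` that replaces the typed constant is an untyped, unscoped macro, so the name is textually substituted throughout the rest of the translation unit. Removing the anonymous namespace did not require this change: `static const int kMaxTimeForRunawayWorkerMs = 3000;` at file scope keeps internal linkage and the `int` type that the `PostDelayedTask` call in the later hunk receives. The existing comment `// How long to wait for worker to finish after it's been told to terminate.` would then still sit above a constant rather than a macro.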
@@ -63,7 +46,8 @@ static bool UrlIsNativeWorker(const GURL& url) {
WebWorkerClientProxy::WebWorkerClientProxy(const GURL& url, int route_id)
: url_(url),
- route_id_(route_id) {
+ route_id_(route_id),
+ ALLOW_THIS_IN_INITIALIZER_LIST(kill_process_factory_(this)) {
if (UrlIsNativeWorker(url)) {
// Launch a native worker.
impl_ = NativeWebWorkerImpl::create(this);
@@ -178,8 +162,13 @@ void WebWorkerClientProxy::OnTerminateWorkerContext() {
return;
}
+ // This shuts down the process cleanly from the perspective of the browser
+ // process, and avoids the crashed worker infobar from appearing to the new
+ // page.
MessageLoop::current()->PostDelayedTask(FROM_HERE,
- new KillProcessTask(this), kMaxTimeForRunawayWorkerMs);
+ kill_process_factory_.NewRunnableMethod(
+ &WebWorkerClientProxy::workerContextDestroyed),
+ kMaxTimeForRunawayWorkerMs);
}
void WebWorkerClientProxy::OnPostMessage(
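Review bot: The comment added above `PostDelayedTask` explains why the process is shut down, but not the lifetime guarantee that this fix depends on. The delayed call is now bound through `kill_process_factory_`, whereas the removed `KillProcessTask` held a raw `WebWorkerClientProxy*` that could outlive the proxy. I would add `// Posted through kill_process_factory_ so the task is cancelled if this object is destroyed before the delay expires.` above the call. ScopedRunnableMethodFactory is not thread-safe, so this presumably relies on the proxy being destroyed on the same thread that runs this message loop, which is worth confirming. OnTerminateWorkerContext starts outside the hunk.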
diff --git a/chrome/worker/webworkerclient_proxy.h b/chrome/worker/webworkerclient_proxy.h
index 0d5987f..456ecb0 100644
--- a/chrome/worker/webworkerclient_proxy.h
+++ b/chrome/worker/webworkerclient_proxy.h
@@ -8,6 +8,7 @@
#include <vector>
#include "base/basictypes.h"
+#include "base/task.h"
#include "googleurl/src/gurl.h"
#include "ipc/ipc_channel.h"
#include "webkit/api/public/WebWorkerClient.h"
@@ -74,6 +75,8 @@ class WebWorkerClientProxy : public WebKit::WebWorkerClient,
WebKit::WebWorker* impl_;
+ ScopedRunnableMethodFactory<WebWorkerClientProxy> kill_process_factory_;
+
DISALLOW_COPY_AND_ASSIGN(WebWorkerClientProxy);
};
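Review bot: `kill_process_factory_` is declared without a comment, although its position in the class is part of the fix. Members are destroyed in reverse declaration order, so as the last data member it is torn down first and revokes any pending `workerContextDestroyed` task before the rest of the object goes away. A member added below it later would weaken that ordering. I would add `// Must remain the last data member so pending tasks are revoked before the rest of the object is destroyed.` above the declaration. The class body starts outside the hunk, so the full member list is not visible here.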
diff --git a/chrome/worker/worker_uitest.cc b/chrome/worker/worker_uitest.cc
index bc3924e..07c1596 100644
--- a/chrome/worker/worker_uitest.cc
+++ b/chrome/worker/worker_uitest.cc
@@ -41,9 +41,8 @@ TEST_F(WorkerTest, MultipleWorkers) {
RunTest(L"multi_worker.html");
}
-// WorkerFastLayoutTests works on the linux try servers, but fails on the
-// build bots and fails on mac valgrind.
-#if !defined(OS_WIN)
+// WorkerFastLayoutTests works on the linux try servers.
+#if defined(OS_LINUX)
#define WorkerFastLayoutTests DISABLED_WorkerFastLayoutTests
#endif
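Review bot: The rewritten comment `// WorkerFastLayoutTests works on the linux try servers.` now sits directly above an `#if defined(OS_LINUX)` that disables the test on Linux, so it reads as the opposite of what the code does. The removed text gave the reason (failures on the build bots); if that is still why Linux stays disabled, keep it, e.g. `// WorkerFastLayoutTests works on the linux try servers, but fails on the linux build bots.` This test appears to be what exercises the use-after-free fix under valgrind, so a bug reference for the remaining Linux exclusion would make it easier to re-enable there.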