authorerg@google.com <erg@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2009-03-03 00:21:40 +0000
committererg@google.com <erg@google.com@0039d316-1c4b-4281-b951-d872f2087c98>2009-03-03 00:21:40 +0000
commit10519fde25eb61bdd4e3c5e21e99c6416e68d4ed (patch)
tree970c8364d80ba22b5723eb9ae6bff9811dd65da6 /chrome
parente92475f94e575bbfb63a7b50164eb5e6177583a0 (diff)
Fix crash introduced in r10563 where we modified a RenderWidgetHost after it had been deallocated.
Review URL: http://codereview.chromium.org/27363 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@10751 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome')
-rw-r--r--chrome/browser/renderer_host/render_widget_host.cc11
-rw-r--r--chrome/browser/renderer_host/render_widget_host.h5
2 files changed, 12 insertions, 4 deletions
diff --git a/chrome/browser/renderer_host/render_widget_host.cc b/chrome/browser/renderer_host/render_widget_host.cc
index f75d2e6..1050ec7 100644
--- a/chrome/browser/renderer_host/render_widget_host.cc
+++ b/chrome/browser/renderer_host/render_widget_host.cc
@@ -575,11 +575,16 @@ void RenderWidgetHost::OnMsgInputEventAck(const IPC::Message& message) {
r = message.ReadBool(&iter, &processed);
DCHECK(r);
+ KeyQueue::value_type front_item = key_queue_.front();
+ key_queue_.pop();
+
if (!processed) {
- UnhandledKeyboardEvent(key_queue_.front());
- }
+ UnhandledKeyboardEvent(front_item);
- key_queue_.pop();
+ // WARNING: This RenderWidgetHost can be deallocated at this point
+ // (i.e. in the case of Ctrl+W, where the call to
+ // UnhandledKeyboardEvent destroys this RenderWidgetHost).
+ }
}
}
}
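Review bot: The added `key_queue_.front()` and `key_queue_.pop()` run with no emptiness check visible in this hunk, and calling them on an empty `std::queue` is undefined behaviour. The ACK comes from the renderer, which the comment on `key_queue_` in the header says is not trusted, so an ACK with no matching queued event should be rejected before the copy. OnMsgInputEventAck begins above the hunk, so a guard may already exist there; if it does not, add something like `if (key_queue_.empty()) return;` ahead of the `front()` call. Separately, the WARNING sits after the call it describes, so a later edit could still add member access below it. Consider moving it above the call as `// WARNING: UnhandledKeyboardEvent() may destroy |this| (e.g. Ctrl+W); do not touch members after it returns.`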
diff --git a/chrome/browser/renderer_host/render_widget_host.h b/chrome/browser/renderer_host/render_widget_host.h
index 647c893..0a749b8 100644
--- a/chrome/browser/renderer_host/render_widget_host.h
+++ b/chrome/browser/renderer_host/render_widget_host.h
@@ -352,10 +352,13 @@ class RenderWidgetHost : public IPC::Channel::Listener {
// operation to finish.
base::TimeTicks repaint_start_time_;
+ // Queue of keyboard events that we need to track.
+ typedef std::queue<WebKeyboardEvent> KeyQueue;
+
// A queue of keyboard events. We can't trust data from the renderer so we
// stuff key events into a queue and pop them out on ACK, feeding our copy
// back to whatever unhandled handler instead of the returned version.
- std::queue<WebKeyboardEvent> key_queue_;
+ KeyQueue key_queue_;
DISALLOW_COPY_AND_ASSIGN(RenderWidgetHost);
};