diff options
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-25 20:04:27 +0000 |
|---|---|---|
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-10-25 20:04:27 +0000 |
| commit | 98c26e13ef3ef0835c463f04e5ba3b115982e3d2 (patch) | |
| tree | a8f2c543cba5804c9010b6ed106931ad5d00bb17 /chrome_frame/urlmon_url_request.cc | |
| parent | c21453306e24ac62fcecbf067fe7f3dd8168cafc (diff) | |
| download | chromium_src-98c26e13ef3ef0835c463f04e5ba3b115982e3d2.zip chromium_src-98c26e13ef3ef0835c463f04e5ba3b115982e3d2.tar.gz chromium_src-98c26e13ef3ef0835c463f04e5ba3b115982e3d2.tar.bz2 | |
Fix a crasher observed in ChromeFrame stable build 7.0.517.43. Crash occurs when we
attempt to terminate the urlmon transaction with a spurious BindToObject call which
is supposed to fail but release the transaction. While this works mostly it causes
a crash in urlmon at times on IE7.
To workaround this we now save away the IInternetProtocol interface which represents
the transaction object in our bind context info structure which is maintained per bind
context and terminate the protocol when we want the transaction to be destroyed.
Fixes bug http://code.google.com/p/chromium/issues/detail?id=60370
Bug=60370
Review URL: http://codereview.chromium.org/3984006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@63769 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome_frame/urlmon_url_request.cc')
| -rw-r--r-- | chrome_frame/urlmon_url_request.cc | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/chrome_frame/urlmon_url_request.cc b/chrome_frame/urlmon_url_request.cc index 900ef94..7015f8f 100644 --- a/chrome_frame/urlmon_url_request.cc +++ b/chrome_frame/urlmon_url_request.cc @@ -847,17 +847,18 @@ void UrlmonUrlRequest::TerminateTransaction() { // to ensure that the transaction stays around if Chrome decides to issue // a download request when it finishes inspecting the headers received in // OnResponse. However this causes the urlmon transaction object to leak. - // To workaround this we issue a dummy BindToObject call which should fail - // and clean up the transaction. We overwrite the __PrecreatedObject object - // param which ensures that urlmon does not end up instantiating mshtml - ScopedComPtr<IStream> dummy_stream; - CreateStreamOnHGlobal(NULL, TRUE, dummy_stream.Receive()); - DCHECK(dummy_stream); - bind_context_->RegisterObjectParam(L"__PrecreatedObject", - dummy_stream); - ScopedComPtr<IUnknown> dummy; - moniker_->BindToObject(bind_context_, NULL, IID_IUnknown, - reinterpret_cast<void**>(dummy.Receive())); + // To workaround this we save away the IInternetProtocol interface which is + // implemented by the urlmon CTransaction object in our BindContextInfo + // instance which is maintained per bind context. Invoking Terminate + // on this with the special flags 0x2000000 cleanly releases the + // transaction. + static const int kUrlmonTerminateTransactionFlags = 0x2000000; + ScopedComPtr<BindContextInfo> info; + BindContextInfo::FromBindContext(bind_context_, info.Receive()); + DCHECK(info); + if (info && info->protocol()) { + info->protocol()->Terminate(kUrlmonTerminateTransactionFlags); + } } bind_context_.Release(); } |