authorananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-01-05 21:55:11 +0000
committerananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-01-05 21:55:11 +0000
commit89f19546d7689c43c9c6738c60e94739cbb72cd1 (patch)
tree675c8a41d7f645dba8de04d08724ecd8daaf7bc6 /chrome_frame
parentd91629d9971d8f824a0c151330dde814b11d43b2 (diff)
Speculative fix for a ChromeFrame crasher reported by go/crash. The crash occurs while tearing down the
ChromeFrameAutomationClient instance, which only gets called from the destructor of the ChromeFramePlugin class which is a base class of the ChromeFrame ActiveX. When this executes the worker thread which is used for handling urlmon requests has been destroyed. The crash occurs in the UrlmonUrlRequest::Stop function while posting a task back to an invalid message loop. We already clean up the requests in the WM_DESTROY handler, meaning that there seems to be a scenario where we don't receive a WM_DESTROY. It is unclear what that is. The fix is to call Uninitialize on the ChromeFramePlugin object in the destructor of the ActiveX which ensures that it executes while the thread is still valid. Added checks for the message loop in the relevant functions in the UrlmonUrlRequest class. Fixes bug http://code.google.com/p/chromium/issues/detail?id=31557 Bug=31557 Review URL: http://codereview.chromium.org/518034 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35561 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome_frame')
-rw-r--r--chrome_frame/chrome_frame_activex_base.h1
-rw-r--r--chrome_frame/urlmon_url_request.cc7
2 files changed, 5 insertions, 3 deletions
diff --git a/chrome_frame/chrome_frame_activex_base.h b/chrome_frame/chrome_frame_activex_base.h
index dce42b2..077fa11 100644
--- a/chrome_frame/chrome_frame_activex_base.h
+++ b/chrome_frame/chrome_frame_activex_base.h
@@ -245,6 +245,7 @@ END_MSG_MAP()
}
void FinalRelease() {
+ Uninitialize();
}
static HRESULT WINAPI InterfaceNotSupported(void* pv, REFIID riid, void** ppv,
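Review bot: `Uninitialize()` now runs from `FinalRelease()` as well as from the WM_DESTROY handler the commit message mentions, so on the normal path it is called twice, and nothing in this hunk shows that it is idempotent. Its body is outside the hunk, so this needs confirming: a second pass over members that were already released during teardown is a typical source of double release or use-after-free. I would add a comment on the call, `// May already have run from WM_DESTROY; Uninitialize() must be safe to call twice.`, and check that Uninitialize() resets each member it tears down.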
diff --git a/chrome_frame/urlmon_url_request.cc b/chrome_frame/urlmon_url_request.cc
index b98ba53..de11684 100644
--- a/chrome_frame/urlmon_url_request.cc
+++ b/chrome_frame/urlmon_url_request.cc
@@ -240,7 +240,7 @@ UrlmonUrlRequest::~UrlmonUrlRequest() {
bool UrlmonUrlRequest::Start() {
DCHECK_EQ(PlatformThread::CurrentId(), thread_);
- if (!worker_thread_) {
+ if (!worker_thread_ || !worker_thread_->message_loop()) {
NOTREACHED() << __FUNCTION__ << " Urlmon request thread not initialized";
return false;
}
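Review bot: The added `!worker_thread_->message_loop()` test in Start() falls into `NOTREACHED()`, yet the commit message describes this state as reachable during teardown, so debug builds will assert on a known path and the text "thread not initialized" misreports a thread that has already stopped; the identical checks in Stop() and Read() have the same problem. Logging the stopped case separately, e.g. `DLOG(WARNING) << __FUNCTION__ << " Urlmon request thread already stopped";`, would be more accurate. The check also only helps while the object behind `worker_thread_` is alive: if that pointer is non-owning and the thread object was destroyed rather than merely stopped, as the description's wording suggests may happen, `worker_thread_->message_loop()` is itself a read through a dangling pointer. The member's declaration is not visible here, so its lifetime should be confirmed. Start()'s body continues outside the hunk.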
@@ -266,7 +266,7 @@ bool UrlmonUrlRequest::Start() {
void UrlmonUrlRequest::Stop() {
DCHECK_EQ(PlatformThread::CurrentId(), thread_);
- if (!worker_thread_) {
+ if (!worker_thread_ || !worker_thread_->message_loop()) {
NOTREACHED() << __FUNCTION__ << " Urlmon request thread not initialized";
return;
}
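Review bot: The early `return` in Stop() now also covers the stopped-loop case, so whatever teardown the rest of Stop() performs is skipped for a request that may still be live. The rest of the function is outside the hunk, but the commit message says it posts a task to the worker thread, so presumably the bind is never aborted or released on this path. If that cleanup happens elsewhere, a comment should say where, for example `// Worker loop is gone; the request cannot be stopped on its thread, remaining state is released in the destructor.`; if it does not, this path leaves the request's resources held.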
@@ -320,7 +320,7 @@ bool UrlmonUrlRequest::Read(int bytes_to_read) {
DLOG(INFO) << StringPrintf("URL: %s Obj: %X", url().c_str(), this);
- if (!worker_thread_) {
+ if (!worker_thread_ || !worker_thread_->message_loop()) {
NOTREACHED() << __FUNCTION__ << " Urlmon request thread not initialized";
return false;
}
@@ -830,6 +830,7 @@ HRESULT UrlmonUrlRequest::ConnectToExistingMoniker(IMoniker* moniker,
NOTREACHED() << "Failed to QI for IBindCtx on wrapper. Error:" << hr;
return hr;
}
+
moniker_ = moniker;
set_url(WideToUTF8(url));
return S_OK;