diff options
| author | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-02 20:20:23 +0000 |
|---|---|---|
| committer | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-12-02 20:20:23 +0000 |
| commit | 91980ff2edd20437bdf9f67e83fb6c4804a45946 (patch) | |
| tree | f0050c71d361f62ad589bd48975cb4f370825616 /content/browser/browser_child_process_host.cc | |
| parent | 84dae96dd4873cf4251573efb8809deb2b06a797 (diff) | |
| download | chromium_src-91980ff2edd20437bdf9f67e83fb6c4804a45946.zip chromium_src-91980ff2edd20437bdf9f67e83fb6c4804a45946.tar.gz chromium_src-91980ff2edd20437bdf9f67e83fb6c4804a45946.tar.bz2 | |
Fix use-after-free. OnChildDied deletes the current object, so we shouldn't call member functions afterwards. I'm refactoring this code in another cl, but figured I'd fix this separately to make things clearer.
Review URL: http://codereview.chromium.org/8776041
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@112767 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/browser/browser_child_process_host.cc')
| -rw-r--r-- | content/browser/browser_child_process_host.cc | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/content/browser/browser_child_process_host.cc b/content/browser/browser_child_process_host.cc index fa63338..508dade 100644 --- a/content/browser/browser_child_process_host.cc +++ b/content/browser/browser_child_process_host.cc @@ -225,9 +225,11 @@ void BrowserChildProcessHost::OnWaitableEventSignaled( unsigned long exit_code = 0; GetExitCodeProcess(waitable_event->Release(), &exit_code); delete waitable_event; - if (exit_code == STILL_ACTIVE) + if (exit_code == STILL_ACTIVE) { OnChildDied(); - BrowserChildProcessHost::OnChildDisconnected(); + } else { + BrowserChildProcessHost::OnChildDisconnected(); + } #endif } |