Fix a crash where an index to a modified array wasn't always kept up to date.

BUG=83924
TEST=Make sure the navigation history is correct.

Review URL: http://codereview.chromium.org/7078002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87019 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 7 insertions, 3 deletions

diff --git a/content/browser/tab_contents/navigation_controller.cc b/content/browser/tab_contents/navigation_controller.cc
index 4bcf8dd6..564203f 100644
--- a/content/browser/tab_contents/navigation_controller.cc
+++ b/content/browser/tab_contents/navigation_controller.cc
@@ -1041,10 +1041,14 @@ void NavigationController::InsertOrReplaceEntry(NavigationEntry* entry,
   if (current_size > 0) {
     // Prune any entries which are in front of the current entry.
     // Also prune the current entry if we are to replace the current entry.
-    int prune_up_to = replace ? last_committed_entry_index_ - 1
-                              : last_committed_entry_index_;
+    // last_committed_entry_index_ must be updated here since calls to
+    // NotifyPrunedEntries() below may re-enter and we must make sure
+    // last_committed_entry_index_ is not left in an invalid state.
+    if (replace)
+      --last_committed_entry_index_;
+
     int num_pruned = 0;
-    while (prune_up_to < (current_size - 1)) {
+    while (last_committed_entry_index_ < (current_size - 1)) {
       num_pruned++;
       entries_.pop_back();
       current_size--;