diff options
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-08-13 08:52:05 +0000 |
|---|---|---|
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-08-13 08:53:27 +0000 |
| commit | d1e2c63c639416e48406665bca0b3bbf681a95dd (patch) | |
| tree | 4a9c3e3901f1bca098a2b146c64cc69cfb7e165f /pdf | |
| parent | ac3446d6ac226d50678a8cc67bb0019e0d82e861 (diff) | |
| download | chromium_src-d1e2c63c639416e48406665bca0b3bbf681a95dd.zip chromium_src-d1e2c63c639416e48406665bca0b3bbf681a95dd.tar.gz chromium_src-d1e2c63c639416e48406665bca0b3bbf681a95dd.tar.bz2 | |
Fix crasher in the pdf tear down code path.
The crash occurs because of a timer dereferencing a null engine pointer.
The crash appears to have occurred due to this patch https://codereview.chromium.org/427583003/
Fix is to cancel all timers when the pdf instance is being torn down before
destroying the engine.
BUG=403036
Review URL: https://codereview.chromium.org/462283002
Cr-Commit-Position: refs/heads/master@{#289218}
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@289218 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'pdf')
| -rw-r--r-- | pdf/instance.cc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/pdf/instance.cc b/pdf/instance.cc index d779089..9cb7829 100644 --- a/pdf/instance.cc +++ b/pdf/instance.cc @@ -307,6 +307,10 @@ Instance::Instance(PP_Instance instance) } Instance::~Instance() { + if (timer_pending_) { + timer_factory_.CancelAll(); + timer_pending_ = false; + } // The engine may try to access this instance during its destruction. // Make sure this happens early while the instance is still intact. engine_.reset(); |