From 95284326ea69903454907a200ad43ec41d158105 Mon Sep 17 00:00:00 2001
From: "huanr@chromium.org"
Date: Sat, 7 Feb 2009 00:37:01 +0000
Subject: Fix a memory error when a timer task deletes its original timer in the receiver method.

This happens in the following sequence of events:
- A TimerTask is created on the message loop.
- When TimerTask::Run is called, it nullifies timer_->delayed_task.
- The receiver method is dispatched, and inside the method, the timer_ is deleted. Since timer_->delayed_task is null, the timer_ destructor will not orphan the task.
- After the method returns, the message loop deletes the task, which will deref the dangling pointer to timer_.

I also tried to add a unit test for this. The best I can come up with is making the test process crash/fail in a full page heap or Purify environment.

BUG=1570948
Review URL: http://codereview.chromium.org/20111

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9368 0039d316-1c4b-4281-b951-d872f2087c98
---
 base/timer.h | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'base/timer.h')

diff --git a/base/timer.h b/base/timer.h
index 9aa084b..698d59d 100644
--- a/base/timer.h
+++ b/base/timer.h
@@ -168,6 +168,10 @@ class BaseTimer : public BaseTimer_Helper { // that the Timer has already taken care of properly setting the task. if (self->delayed_task_ == this) self->delayed_task_ = NULL; + // By now the delayed_task_ in the Timer does not point to us anymore. + // We should reset our own timer_ because the Timer can not do this + // for us in its destructor. + timer_ = NULL; } }
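Review bot: the added `timer_ = NULL;` closes the use-after-free described in the commit message, but the comment above it should state the invariant it depends on rather than just the action: once `self->delayed_task_` no longer equals `this`, the Timer's destructor has no way to orphan this task, so the task itself is the only party that can drop the back-pointer, and it must do so before the receiver method is dispatched (where the Timer may be deleted). Something like "// The Timer can no longer find us to orphan us, so clear our back-pointer before dispatching; the receiver may delete the Timer." would make the ordering requirement explicit for the next person who reorders this method. Also note that after this line `timer_` is a null pointer rather than a dangling one, so any later use of `timer_` in this task must treat NULL as the normal "timer already detached" state; since the commit message says a deterministic unit test could not be written, a DCHECK or explicit NULL check at that use site is the cheapest guard against the same class of bug reappearing.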