From 5a3c8cca93deab2c46bc2d7d78855c2959c1ccdc Mon Sep 17 00:00:00 2001
From: "mad@google.com"
Date: Wed, 8 Dec 2010 11:13:31 +0000
Subject: Fix a crash where the chrome_frame_ gets used after it was released. See bug description for more details, all we need to do is check the pointer before using it.
BUG=65826
TEST=This is most likely happening when the use closes a tab very quickly after creating it.
Review URL: http://codereview.chromium.org/5611007
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@68584 0039d316-1c4b-4281-b951-d872f2087c98
---
 ceee/ie/plugin/bho/browser_helper_object.cc | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'ceee')
diff --git a/ceee/ie/plugin/bho/browser_helper_object.cc b/ceee/ie/plugin/bho/browser_helper_object.cc
index 24fbaf8..507cc19 100644
--- a/ceee/ie/plugin/bho/browser_helper_object.cc
+++ b/ceee/ie/plugin/bho/browser_helper_object.cc
@@ -616,6 +616,12 @@ bool BrowserHelperObject::EnsureTabId() {
 return true;
 }
 
+ // We might get here AFTER TearDown if onCreated successfully got deferred
+ // yet we never got a valid tab_id_ before we got torn down, and then
+ // onRemoved is called AFTER TearDown, which releases chrome_frame_host_.
+ if (chrome_frame_host_ == NULL)
+ return false;
+
 HRESULT hr = chrome_frame_host_->GetSessionId(&tab_id_);
 DCHECK(SUCCEEDED(hr));
 if (hr == S_FALSE) {
-- 
cgit v1.1
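Review bot: The new `chrome_frame_host_ == NULL` guard in EnsureTabId() only prevents the crash if TearDown resets the member to NULL when it releases the host; that is not visible in this hunk, and if the member were left dangling the check would pass and `GetSessionId` would still be called on a released object. It would help to state that invariant in the comment, e.g. `// TearDown() must leave chrome_frame_host_ NULL after releasing it.`, and to check whether other callbacks that can run after TearDown dereference `chrome_frame_host_` without the same guard. Separately, `DCHECK(SUCCEEDED(hr))` compiles out of release builds, so the visible lines handle a failed `GetSessionId` only for `S_FALSE`; the rest of the function lies outside the hunk, so the handling of other failure codes could not be checked. The early `return false` is also silent, and a `LOG(WARNING)` on that path would make this teardown ordering visible when it happens in the field.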