| commit | fe000eecfd314aff088f7d981f96b19a80a20515 |
|---|---|
| author | Alex Moshchuk <alexmos@chromium.org> | Wed Jul 25 00:01:13 2018 |
| committer | Alex Moshchuk <alexmos@chromium.org> | Wed Jul 25 00:01:13 2018 |
| tree | 672508f4a5291f2c04ab027878b7a2fbc90c40d8 |
| parent | 556813c93fa177cdb275674bdd1016f75e674f47 |
Schedule OnBeforeUnloadACK to prevent reentrancy when destroying a RFHI.

Previously, it was possible that in the middle of closing a tab and shutting down the main frame's process, we could call ResetForNewProcess() to clear the main frame's children, but destroying a child's RenderFrameHostImpl could reenter TabStripModel::CloseWebContentses if the main frame was also waiting for that child's beforeunload ACK. This could result in freeing state such as the WebContents or main frame's RFHM and RFHI, and then later unwinding the stack to proceed with the first CloseWebContentses and running into crashes when trying to dereference pointers which were already freed or nulled out.

To prevent this reentrancy, schedule the beforeunload ACK in the cases where it's used for tab close. This is similar to a fix for issue 851400, but addresses a new way to get the reentrant calls that became possible after r575133.

Bug: 866382, 866365
Change-Id: Id20068cb24f457f1fae1005050d46441dac78d9a
Reviewed-on: https://chromium-review.googlesource.com/1148775
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#577736}
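The reentrancy described in the commit message, reduced to a small model as an added example (this is not Chromium code; `FrameHost`, `TabModel`, `RunScenario` and the task queue are hypothetical stand-ins for RenderFrameHostImpl, TabStripModel and PostTask). Destroying a child whose beforeunload ACK the parent is waiting on delivers the ACK either synchronously, which re-enters the close that is still on the stack, or via a scheduled task that runs only after the outer close has unwound.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <vector>

// Hypothetical single-threaded task queue standing in for PostTask.
static std::queue<std::function<void()>> g_task_queue;

struct FrameHost {
  FrameHost* parent = nullptr;
  std::vector<std::unique_ptr<FrameHost>> children;
  bool waiting_for_beforeunload_ack = false;
  std::function<void()> on_before_unload_ack;  // set by the tab owner
  bool schedule_ack;                           // true = the fixed behaviour

  explicit FrameHost(bool schedule) : schedule_ack(schedule) {}
  ~FrameHost() {
    // Child teardown: if the parent is waiting for our ACK, deliver it.
    if (parent && parent->waiting_for_beforeunload_ack) {
      parent->waiting_for_beforeunload_ack = false;
      if (schedule_ack) g_task_queue.push(parent->on_before_unload_ack);
      else parent->on_before_unload_ack();  // synchronous: re-enters close
    }
  }
  void ResetForNewProcess() { children.clear(); }  // destroys children
};

struct TabModel {
  std::unique_ptr<FrameHost> main_frame;
  bool closing = false;
  int reentries = 0;

  void CloseWebContentses() {
    // A reentrant call here would free the WebContents and main-frame
    // state that the outer, still-running call is about to touch.
    if (closing) { ++reentries; return; }
    closing = true;
    if (main_frame) main_frame->ResetForNewProcess();
    main_frame.reset();
    closing = false;
  }
};

// Returns how many reentrant CloseWebContentses calls were observed.
int RunScenario(bool schedule_ack) {
  TabModel tab;
  tab.main_frame = std::make_unique<FrameHost>(schedule_ack);
  auto child = std::make_unique<FrameHost>(schedule_ack);
  child->parent = tab.main_frame.get();
  tab.main_frame->children.push_back(std::move(child));
  tab.main_frame->waiting_for_beforeunload_ack = true;
  tab.main_frame->on_before_unload_ack = [&tab] { tab.CloseWebContentses(); };
  tab.CloseWebContentses();
  // Drain scheduled work only after the close has fully unwound.
  while (!g_task_queue.empty()) {
    auto task = std::move(g_task_queue.front());
    g_task_queue.pop();
    task();
  }
  return tab.reentries;
}
```

In the real fix the scheduled callback is bound to a weak pointer so it becomes a no-op once the frame host is gone; the model keeps `tab` alive for simplicity.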
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure.