| commit | c465164df7d4166d3ff932aa2d56ade252a2a03a | |
| author | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | |
| Thu, 3 Jul 2014 06:09:34 +0000 (3 06:09 +0000) | ||
| committer | ananta@chromium.org <ananta@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | |
| Thu, 3 Jul 2014 06:09:34 +0000 (3 06:09 +0000) | ||
| tree | 5b2f408f0815984dfda6b2c26177b86a6e657fe4 | treesnapshot (tar.gz zip) |
| parent | dbedd502b4ad7d87364117713b2fcbab137b8a7b | commitdiff |
Fix a crash in the LegacyRenderWidgetHostHWND destruction code path which occurs via OnFinalMessage
This crash happens because it is attempting to notify an invalid RenderWidgetHostViewAura instance which
is its host that it is being destroyed.
By code inspection and the crash dump analysis this can occur in the following scenario.
1. LegacyRenderWidgetHostHWND gets a message.
2. It forwards it to the parent.
3. The parent then gets destroyed which eventually results in the RenderWidgetHostViewAura::Shutdown method
getting called.
4. LegacyRenderWidgetHostHWND::Destroy gets called by the RenderWidgetHostViewAura::OnWindowDestroying call.
5. RenderWidgetHostViewAura is destroyed in the OnWindowDestroyed notification.
5. LegacyRenderWidgetHostHWND::OnFinalMessage eventually gets called by ATL which tries to notify an invalid
host that it is going away.
Fix is to set the host to NULL on the LegacyRenderWidgetHostHWND instance before calling Destroy on it.
BUG=391055
TBR=sky
Review URL: https://codereview.chromium.org/370453002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@281180 0039d316-1c4b-4281-b951-d872f2087c98
This crash happens because it is attempting to notify an invalid RenderWidgetHostViewAura instance which
is its host that it is being destroyed.
By code inspection and the crash dump analysis this can occur in the following scenario.
1. LegacyRenderWidgetHostHWND gets a message.
2. It forwards it to the parent.
3. The parent then gets destroyed which eventually results in the RenderWidgetHostViewAura::Shutdown method
getting called.
4. LegacyRenderWidgetHostHWND::Destroy gets called by the RenderWidgetHostViewAura::OnWindowDestroying call.
5. RenderWidgetHostViewAura is destroyed in the OnWindowDestroyed notification.
5. LegacyRenderWidgetHostHWND::OnFinalMessage eventually gets called by ATL which tries to notify an invalid
host that it is going away.
Fix is to set the host to NULL on the LegacyRenderWidgetHostHWND instance before calling Destroy on it.
BUG=391055
TBR=sky
Review URL: https://codereview.chromium.org/370453002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@281180 0039d316-1c4b-4281-b951-d872f2087c98
| content/browser/renderer_host/render_widget_host_view_aura.cc | diffblobblamehistory |