Chromium Code Reviews Chromium Code Reviews
Issue 7127001:
Fix user-after-free error with ObserverList. The problem is that if an ObserverListBase::Iterato... (Closed)
Base URL: svn://chrome-svn/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/browser/renderer_host/render_view_host.h" | 5 #include "content/browser/renderer_host/render_view_host.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 #include <utility> | 8 #include <utility> |
| 9 #include <vector> | 9 #include <vector> |
| 10 | 10 |
| (...skipping 588 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 599 bool RenderViewHost::OnMessageReceived(const IPC::Message& msg) { | 599 bool RenderViewHost::OnMessageReceived(const IPC::Message& msg) { |
| 600 if (!BrowserMessageFilter::CheckCanDispatchOnUI(msg, this)) | 600 if (!BrowserMessageFilter::CheckCanDispatchOnUI(msg, this)) |
| 601 return true; | 601 return true; |
| 602 | 602 |
| 603 // Filter out most IPC messages if this renderer is swapped out. | 603 // Filter out most IPC messages if this renderer is swapped out. |
| 604 // We still want to certain ACKs to keep our state consistent. | 604 // We still want to certain ACKs to keep our state consistent. |
| 605 if (is_swapped_out_) | 605 if (is_swapped_out_) |
| 606 if (!content::SwappedOutMessages::CanHandleWhileSwappedOut(msg)) | 606 if (!content::SwappedOutMessages::CanHandleWhileSwappedOut(msg)) |
| 607 return true; | 607 return true; |
| 608 | 608 |
| 609 { | 609 ObserverListBase<RenderViewHostObserver>::Iterator it(observers_); |
| 610 // delegate_->OnMessageReceived can end up deleting |this|, in which case | 610 RenderViewHostObserver* observer; |
| 611 // the destructor for ObserverListBase::Iterator would access the deleted | 611 while ((observer = it.GetNext()) != NULL) |
|
Evan Martin
2011/06/07 18:01:51
curlies on this while loop
| |
| 612 // observers_. | 612 if (observer->OnMessageReceived(msg)) |
| 613 ObserverListBase<RenderViewHostObserver>::Iterator it(observers_); | 613 return true; |
| 614 RenderViewHostObserver* observer; | |
| 615 while ((observer = it.GetNext()) != NULL) | |
| 616 if (observer->OnMessageReceived(msg)) | |
| 617 return true; | |
| 618 } | |
| 619 | 614 |
| 620 if (delegate_->OnMessageReceived(msg)) | 615 if (delegate_->OnMessageReceived(msg)) |
| 621 return true; | 616 return true; |
| 622 | 617 |
| 623 bool handled = true; | 618 bool handled = true; |
| 624 bool msg_is_ok = true; | 619 bool msg_is_ok = true; |
| 625 IPC_BEGIN_MESSAGE_MAP_EX(RenderViewHost, msg, msg_is_ok) | 620 IPC_BEGIN_MESSAGE_MAP_EX(RenderViewHost, msg, msg_is_ok) |
| 626 IPC_MESSAGE_HANDLER(ViewHostMsg_ShowView, OnMsgShowView) | 621 IPC_MESSAGE_HANDLER(ViewHostMsg_ShowView, OnMsgShowView) |
| 627 IPC_MESSAGE_HANDLER(ViewHostMsg_ShowWidget, OnMsgShowWidget) | 622 IPC_MESSAGE_HANDLER(ViewHostMsg_ShowWidget, OnMsgShowWidget) |
| 628 IPC_MESSAGE_HANDLER(ViewHostMsg_ShowFullscreenWidget, | 623 IPC_MESSAGE_HANDLER(ViewHostMsg_ShowFullscreenWidget, |
| (...skipping 641 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1270 if (view) { | 1265 if (view) { |
| 1271 view->ShowPopupMenu(params.bounds, | 1266 view->ShowPopupMenu(params.bounds, |
| 1272 params.item_height, | 1267 params.item_height, |
| 1273 params.item_font_size, | 1268 params.item_font_size, |
| 1274 params.selected_item, | 1269 params.selected_item, |
| 1275 params.popup_items, | 1270 params.popup_items, |
| 1276 params.right_aligned); | 1271 params.right_aligned); |
| 1277 } | 1272 } |
| 1278 } | 1273 } |
| 1279 #endif | 1274 #endif |
| OLD | NEW |
