Chromium Code Reviews
Unified Diff: content/renderer/render_frame_impl.cc

Issue 1130233002: Convert main_render_frame_ to raw pointer in RenderViewImpl. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Address lfg@'s review comments. Created 5 years, 7 months ago
Index: content/renderer/render_frame_impl.cc
diff --git a/content/renderer/render_frame_impl.cc b/content/renderer/render_frame_impl.cc
index b44691dc57a9f4df6a18592fbf89559507476de8..d25858add466215e725c826f28db63614abd4f0f 100644
--- a/content/renderer/render_frame_impl.cc
+++ b/content/renderer/render_frame_impl.cc
@@ -730,12 +730,18 @@ RenderFrameImpl::~RenderFrameImpl() {
render_view_->UnregisterVideoHoleFrame(this);
#endif
- // RenderFrameProxy is only "owned" by RenderFrameImpl in the case it is the
- // main frame. Ensure it is deleted along with this object.
- if (!is_subframe_ && render_frame_proxy_) {
- // The following method calls back into this object and clears
- // |render_frame_proxy_|.
- render_frame_proxy_->frameDetached();
+ if (!is_subframe_) {
+ // RenderFrameProxy is "owned" by RenderFrameImpl in the case it is
+ // the main frame. Ensure it is deleted along with this object.
+ if (render_frame_proxy_) {
+ // The following method calls back into this object and clears
+ // |render_frame_proxy_|.
+ render_frame_proxy_->frameDetached();
+ }
+
+ // Since this is the main frame, the RenderViewImpl pointer to this object
+ // must be cleared, otherwise it will result in use-after-free bugs.
ncarter (slow) 2015/05/11 18:27:13 "otherwise it will result in use-after-free bugs"
nasko 2015/05/11 22:01:11 Done.
+ render_view_->main_render_frame_ = nullptr;
}
render_view_->UnregisterRenderFrame(this);
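Review bot: the ordering inside the new `if (!is_subframe_)` block leaves a window where `render_view_->main_render_frame_` still points at an object that is mid-destruction: `render_frame_proxy_->frameDetached()` is documented right above it as calling back into this object, and only afterwards is `render_view_->main_render_frame_ = nullptr;` executed, so any code reached from that callback that consults the view's main-frame pointer sees a half-destroyed RenderFrameImpl. Either clear `main_render_frame_` before the `frameDetached()` call or add a comment stating why nothing on that callback path reads it. The comment "otherwise it will result in use-after-free bugs" would also read better as a statement of the invariant being maintained (the view must never hold a pointer to a destroyed main frame) rather than a description of the failure.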
@@ -2231,10 +2237,8 @@ void RenderFrameImpl::frameDetached(blink::WebFrame* frame) {
frame->close();
frame_ = nullptr;
- if (is_subframe_) {
- delete this;
- // Object is invalid after this point.
- }
+ delete this;
+ // Object is invalid after this point.
}
void RenderFrameImpl::frameFocused() {
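Review bot: making `delete this;` unconditional means `frameDetached()` is now the sole owner of the main frame's lifetime, whereas before this change the main frame was deleted on some other path; confirm that other deletion path is removed in the same change, otherwise the main frame is freed twice. It is also worth keeping the "Object is invalid after this point." comment at the very end of the function, as done here, and adding a note in the header that callers of `frameDetached()` must not touch the frame afterwards, since that contract now applies to both main and sub frames.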
@@ -2643,6 +2647,13 @@ void RenderFrameImpl::didCommitProvisionalLoad(
CHECK(proxy);
proxy->web_frame()->swap(frame_);
proxy_routing_id_ = MSG_ROUTING_NONE;
+
+ // If this is the main frame going from a remote frame to a local frame,
+ // it needs to set RenderViewImpl's pointer for the main frame to itself.
+ if (!is_subframe_) {
+ CHECK(!render_view_->main_render_frame_);
ncarter (slow) 2015/05/11 18:27:13 How does this happen? Seems like RenderViewImpl::
nasko 2015/05/11 22:01:11 Create RenderView and the main RenderFrame. Naviga
ncarter (slow) 2015/05/11 22:44:49 No, it's fine and this makes sense. I had forgotte
+ render_view_->main_render_frame_ = this;
+ }
}
// When we perform a new navigation, we need to update the last committed
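Review bot: the `CHECK(!render_view_->main_render_frame_);` is a good release-build guard, but the comment above it should spell out the invariant it relies on so readers do not need the review thread (ncarter's "How does this happen?"): when a remote main frame is swapped in, the previous local main frame's destructor cleared `main_render_frame_`, so the pointer must be null until this local frame commits and sets it to `this`. A comment along the lines of "the previous local main frame cleared this pointer in its destructor; it stays null while the main frame is remote" makes the CHECK self-explanatory and makes a future violation easier to diagnose from the crash alone.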