Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1003)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 1137533002: MainFrameObserver is inline owned, so it shouldn't be freed by OnDestruct (Closed)

Created:
5 years, 7 months ago by nasko
Modified:
5 years, 7 months ago
Reviewers:
sky
CC:
chromium-reviews, mlamouri+watch-content_chromium.org, qsr+mojo_chromium.org, viettrungluu+watch_chromium.org, jam, yzshen+watch_chromium.org, abarth-chromium, Aaron Boodman, darin-cc_chromium.org, mkwst+moarreviews-renderer_chromium.org, darin (slow to review), ben+mojo_chromium.org, site-isolation-reviews_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@master
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

MainFrameObserver is inline owned, so it shouldn't be freed by OnDestruct MainFrameObserver is a RenderFrameObserver and as such is destroyed when RenderFrame goes away. This happens as part of RenderFrameObserver::OnDestruct. MainFrameObserver though is inline owned by WebUIMojo and can be deleted before WebUIMojo is deleted. It results in use-after-free when WebUIMojo is destructed and tries to free the already freed MainFrameObserver. This CL overrides OnDestruct, which allows the MainFrameObserver to stay alive and be cleaned up by WebUIMojo. BUG=357747 Committed: https://crrev.com/63b8975f954f2e10ee8c1b339c00b2b252f46132 Cr-Commit-Position: refs/heads/master@{#328990}

Patch Set 1 #

Total comments: 2

Patch Set 2 : Address comments by sky@. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+8 lines, -0 lines) Patch
M content/renderer/web_ui_mojo.h View 1 1 chunk +5 lines, -0 lines 0 comments Download
M content/renderer/web_ui_mojo.cc View 1 1 chunk +3 lines, -0 lines 0 comments Download

Messages

Total messages: 11 (3 generated)
nasko
Hey sky@, Can you review this CL for me? It is a simple piece from ...
5 years, 7 months ago (2015-05-07 21:36:31 UTC) #2
sky
I'm not an owner of content.
5 years, 7 months ago (2015-05-08 15:16:50 UTC) #3
nasko
On 2015/05/08 15:16:50, sky wrote: > I'm not an owner of content. I included you ...
5 years, 7 months ago (2015-05-08 15:54:36 UTC) #4
sky
LGTM with the following change https://codereview.chromium.org/1137533002/diff/1/content/renderer/web_ui_mojo.h File content/renderer/web_ui_mojo.h (right): https://codereview.chromium.org/1137533002/diff/1/content/renderer/web_ui_mojo.h#newcode43 content/renderer/web_ui_mojo.h:43: void OnDestruct() override {} ...
5 years, 7 months ago (2015-05-08 16:28:39 UTC) #5
nasko
https://codereview.chromium.org/1137533002/diff/1/content/renderer/web_ui_mojo.h File content/renderer/web_ui_mojo.h (right): https://codereview.chromium.org/1137533002/diff/1/content/renderer/web_ui_mojo.h#newcode43 content/renderer/web_ui_mojo.h:43: void OnDestruct() override {} On 2015/05/08 16:28:38, sky wrote: ...
5 years, 7 months ago (2015-05-08 17:28:50 UTC) #6
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1137533002/20001
5 years, 7 months ago (2015-05-08 17:30:25 UTC) #9
commit-bot: I haz the power
Committed patchset #2 (id:20001)
5 years, 7 months ago (2015-05-08 18:23:15 UTC) #10
commit-bot: I haz the power
5 years, 7 months ago (2015-05-08 18:24:07 UTC) #11
Message was sent while issue was closed. 
Patchset 2 (id:??) landed as
https://crrev.com/63b8975f954f2e10ee8c1b339c00b2b252f46132
Cr-Commit-Position: refs/heads/master@{#328990}

Powered by Google App Engine
This is Rietveld 408576698