Fix flaky crash in WebPagePopupImpl::closePopup.
Reentrance to WebViewImpl::closePagePopup() was possible. closePopup() crashed
in that case because m_page was valid and m_page->mainFrame() was nullptr.
The details:
If WebViewImpl::closePagePopup() is called, and the LocalFrame in the page popup
has the last reference to the page popup owner Element,
1. WebPagePopupImpl::closePopup() calls destroyPage().
2. destroyPage() calls Page::willBeDestroyed().
3. willBeDestroyed() destructs the LocalFrame.
4. The LocalFrame destructor destructs the owner Element.
5. The owner Element destructor destructs PickerIndicatorElement.
6. PickerIndicatorElement destructor calls WebViewImpl::closePagePopup().
This CL changes the code so that the frame doesn't have the last reference
to the owner Element. We explicitly close the popup on
- Owner detach (not PickerIndicatorElement detach)
- Owner removal from the document tree.
This fixes a testcase in crbug.com/454043. However, we failed to make
a stable test.
BUG=454043
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=200645
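Added illustration, not Blink code and not part of this CL: a small C++ ownership model of the six-step destructor chain in the description, plus the "close on owner detach" fix, so the reentrant closePagePopup() call can be reproduced and checked. Every type and function name below is hypothetical; the objects only mirror the roles named above (popup owner Element, PickerIndicatorElement, LocalFrame, Page, WebPagePopupImpl, WebViewImpl). Instead of crashing on the null main frame, the model counts the access.

```cpp
// Hypothetical model of the Blink ownership graph described in the CL.
#include <cstdio>
#include <memory>

struct View;

// Stands in for PickerIndicatorElement: its destructor closes the page popup.
struct PickerIndicator {
    View* view;
    explicit PickerIndicator(View* v) : view(v) {}
    ~PickerIndicator();
};

// Stands in for the popup owner Element; the indicator is destroyed with it.
struct Owner {
    View* view;
    PickerIndicator indicator;
    explicit Owner(View* v) : view(v), indicator(v) {}
    void detach(bool closeOnDetach);
};

// Stands in for LocalFrame, which holds a reference to the owner Element.
struct Frame {
    std::shared_ptr<Owner> owner;
};

// Stands in for Page: willBeDestroyed() tears down the main frame.
struct Page {
    std::unique_ptr<Frame> mainFrame;
    void willBeDestroyed() { mainFrame.reset(); }  // mainFrame is already null while ~Frame runs
};

// Stands in for WebPagePopupImpl.
struct Popup {
    View* view = nullptr;
    std::unique_ptr<Page> page;
    int closeDepth = 0;
    void closePopup();
    void destroyPage() { page->willBeDestroyed(); page.reset(); }
};

// Stands in for WebViewImpl; records what would be a crash in the real code.
struct View {
    std::shared_ptr<Popup> popup;
    int reentrantCloses = 0;
    int nullMainFrameAccesses = 0;
    void closePagePopup();
};

PickerIndicator::~PickerIndicator() { view->closePagePopup(); }

// The fix from the CL: close the popup while the document still references the
// owner, so the popup's frame is never the holder of the last reference.
void Owner::detach(bool closeOnDetach) {
    if (closeOnDetach) view->closePagePopup();
}

void View::closePagePopup() {
    if (!popup) return;
    auto keepAlive = popup;  // a reentrant caller must not free the popup under us
    keepAlive->closePopup();
    popup.reset();
}

void Popup::closePopup() {
    if (!page) return;
    ++closeDepth;
    if (closeDepth > 1) view->reentrantCloses++;
    // The real code dereferences m_page->mainFrame() here; in the reentrant call
    // m_page is still valid but the main frame is already gone.
    if (!page->mainFrame) {
        view->nullMainFrameAccesses++;
    } else {
        destroyPage();  // -> ~Frame -> possibly ~Owner -> ~PickerIndicator -> closePagePopup()
    }
    --closeDepth;
}

struct Result { int reentrantCloses; int nullMainFrameAccesses; };

// Builds the graph, removes the owner from its "document" (the local shared_ptr),
// then closes the popup, following the scenario in the description.
Result simulate(bool closeOnDetach) {
    View view;
    auto documentRef = std::make_shared<Owner>(&view);
    view.popup = std::make_shared<Popup>();
    view.popup->view = &view;
    view.popup->page.reset(new Page);
    view.popup->page->mainFrame.reset(new Frame);
    view.popup->page->mainFrame->owner = documentRef;  // the frame's reference

    documentRef->detach(closeOnDetach);  // owner leaves the document tree
    documentRef.reset();                 // document drops its reference
    view.closePagePopup();               // later close; a no-op if already closed
    return {view.reentrantCloses, view.nullMainFrameAccesses};
}

int main() {
    Result before = simulate(false), after = simulate(true);
    std::printf("without fix: reentrant=%d null-frame=%d\n", before.reentrantCloses, before.nullMainFrameAccesses);
    std::printf("with fix:    reentrant=%d null-frame=%d\n", after.reentrantCloses, after.nullMainFrameAccesses);
    return 0;
}
```

Without the fix, simulate(false) reports one reentrant closePopup() that finds the page alive and the main frame null, which is the crash the CL describes; with the owner closing the popup on detach, simulate(true) reports none, because the document's reference is still held when the frame is torn down.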
Total messages: 17 (6 generated)