Description

Destroy (Password)AutofillAgent safely
AutofillAgent and related code often edit field values. Those edits may trigger JavaScript capable of deleting the associated frame. Currently, AutofillAgent and related classes are RenderFrameObservers and delete themselves on frame deletion. This results in a use-after-free if the deletion happens up in the stack while the method which changed the field value is still down on the stack.
Therefore this CL postpones deletion by sending a DeleteSoon task on the frame destruction. The CL also changes a couple of places relying on the render frame being alive if the observer is alive to handle a null frame gracefully.
R=dvadym@chromium.org
BUG=609010, 609007, 608100, 608101
Review-Url: https://codereview.chromium.org/1946143002
Cr-Commit-Position: refs/heads/master@{#391524}
(cherry picked from commit d62bc3e6e2c3be6bbb01fa325e3389f089974017)
Committed: https://chromium.googlesource.com/chromium/src/+/7e112c1563632f57cfa1c4fa964987f823da17fa
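
The deferred-deletion pattern the description refers to, as an added C++ sketch that is not part of the CL or of Chromium's code: `Frame`, `Agent`, `TaskQueue` and `DeferredDeletionScenario` are hypothetical stand-ins for the render frame, the observer, the message loop and a test driver. The agent clears its frame pointer at once, posts its own deletion as a task, and re-checks the pointer after any call that can run page script.

```cpp
// Added illustration: Frame, Agent and TaskQueue are hypothetical, not Chromium classes.
#include <functional>
#include <queue>
#include <string>
#include <utility>

// Minimal single-threaded task queue standing in for the message loop.
struct TaskQueue {
  std::queue<std::function<void()>> tasks;
  void Post(std::function<void()> t) { tasks.push(std::move(t)); }
  void RunUntilIdle() { for (; !tasks.empty(); tasks.pop()) tasks.front()(); }
};

struct Frame { std::function<void()> on_change; };  // page script hook

class Agent {
 public:
  Agent(Frame* frame, TaskQueue* queue, bool* destroyed)
      : frame_(frame), queue_(queue), destroyed_(destroyed) {}
  ~Agent() { *destroyed_ = true; }
  // Frame is going away: drop the pointer now, free the agent only after
  // every Agent method currently on the stack has returned.
  void OnFrameDestroyed() {
    frame_ = nullptr;
    queue_->Post([this] { delete this; });
  }
  // Editing a field can run page script that destroys the frame mid-call.
  bool FillField(const std::string& value) {
    if (!frame_) return false;
    if (frame_->on_change) frame_->on_change();  // may call OnFrameDestroyed()
    if (!frame_) return false;  // null frame handled; `this` is still valid
    value_ = value;
    return true;
  }
 private:
  Frame* frame_; TaskQueue* queue_; bool* destroyed_;
  std::string value_;
};

// True when the agent outlived the call that triggered frame destruction
// and was freed only once the queued task ran.
bool DeferredDeletionScenario() {
  TaskQueue queue; Frame frame; bool destroyed = false;
  Agent* agent = new Agent(&frame, &queue, &destroyed);
  frame.on_change = [agent] { agent->OnFrameDestroyed(); };
  bool filled = agent->FillField("user@example.test");  // constructed value
  bool alive_after_call = !destroyed;
  queue.RunUntilIdle();
  return !filled && alive_after_call && destroyed;
}
```

Replacing the posted task with an immediate `delete this` in `OnFrameDestroyed()` reproduces the bug class: `FillField()` would resume on a freed object.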