| Index: ash/root_window_controller.cc
|
| diff --git a/ash/root_window_controller.cc b/ash/root_window_controller.cc
|
| index 3b36a710965dc96bd43d78c610f0cb55e440cc7e..6c4df9706ae3718c8a5d1ff716d4d72a2ff6a8a5 100644
|
| --- a/ash/root_window_controller.cc
|
| +++ b/ash/root_window_controller.cc
|
| @@ -437,7 +437,8 @@ void RootWindowController::CloseChildWindows() {
|
| workspace_controller_.reset();
|
| aura::client::SetTooltipClient(root_window_.get(), NULL);
|
|
|
| - // Remove all toplevel windows first.
|
| + // Explicitly destroy top level windows. We do this as during part of
|
| + // destruction such windows may query the RootWindow for state.
|
| std::queue<aura::Window*> non_toplevel_windows;
|
| non_toplevel_windows.push(root_window_.get());
|
| while (!non_toplevel_windows.empty()) {
|
| @@ -446,6 +447,8 @@ void RootWindowController::CloseChildWindows() {
|
| aura::WindowTracker toplevel_windows;
|
| for (size_t i = 0; i < non_toplevel_window->children().size(); ++i) {
|
| aura::Window* child = non_toplevel_window->children()[i];
|
| + if (!child->owned_by_parent())
|
| + continue;
|
| if (child->delegate())
|
| toplevel_windows.Add(child);
|
| else
|
| @@ -455,8 +458,14 @@ void RootWindowController::CloseChildWindows() {
|
| delete *toplevel_windows.windows().begin();
|
| }
|
| // And then remove the containers.
|
| - while (!root_window_->children().empty())
|
| - delete root_window_->children()[0];
|
| + while (!root_window_->children().empty()) {
|
| + aura::Window* window = root_window_->children()[0];
|
| + if (window->owned_by_parent()) {
|
| + delete window;
|
| + } else {
|
| + root_window_->RemoveChild(window);
|
| + }
|
| + }
|
|
|
| shelf_.reset(NULL);
|
| }
|
|
|
Chromium Code Reviews
Issue 25374002:
Fixes use after free caused by delete in RootWindowController (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src