Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(842)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: content/browser/tab_contents/navigation_controller.cc

Issue 7078002: Fix a crash where an index to a modified array wasn't always kept up to date. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 9 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: content/browser/tab_contents/navigation_controller.cc
===================================================================
--- content/browser/tab_contents/navigation_controller.cc (revision 86834)
+++ content/browser/tab_contents/navigation_controller.cc (working copy)
@@ -1088,10 +1088,14 @@
if (current_size > 0) {
// Prune any entries which are in front of the current entry.
// Also prune the current entry if we are to replace the current entry.
- int prune_up_to = replace ? last_committed_entry_index_ - 1
- : last_committed_entry_index_;
+ // last_committed_entry_index_ must be updated here since calls to
+ // NotifyPrunedEntries() below may re-enter and we must make sure
+ // last_committed_entry_index_ is not left in an invalid state.
+ if (replace)
+ --last_committed_entry_index_;
+
int num_pruned = 0;
- while (prune_up_to < (current_size - 1)) {
+ while (last_committed_entry_index_ < (current_size - 1)) {
num_pruned++;
entries_.pop_back();
current_size--;
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698