Cherry pick "Fixes bug in GinJavaBridgeDispatcherHost"
Original description:
Fixes bug in GinJavaBridgeDispatcherHost
My try job kept failing on android and I finally tracked it down to
this code. GinJavaBridgeDispatcherHost::RemoveNamedObject may be
invoked with a value that comes from named_objects_ (see
AddNamedObject). RemoveNamedObject removes from named_objects_ and then
uses the passed in value. If this happens |name| is no longer valid
and shouldn't be used.
BUG=none
TEST=none
R=mnaganov@chromium.org
TBR=mnaganov@chromium.org
Committed:
https://src.chromium.org/viewvc/chrome?view=rev&revision=288861
Bug: 17973356
Change-Id: I71ecab488994362f02ca7dbbe9a35e9514ee33fd
diff --git a/content/browser/android/java/gin_java_bridge_dispatcher_host.cc b/content/browser/android/java/gin_java_bridge_dispatcher_host.cc
index c961dd9..ca63276 100644
--- a/content/browser/android/java/gin_java_bridge_dispatcher_host.cc
+++ b/content/browser/android/java/gin_java_bridge_dispatcher_host.cc
@@ -202,6 +202,10 @@
if (iter == named_objects_.end())
return;
+ // |name| may come from |named_objects_|. Make a copy of name so that if
+ // |name| is from |named_objects_| it'll be valid after the remove below.
+ const std::string copied_name(name);
+
scoped_refptr<GinJavaBoundObject> object(*objects_.Lookup(iter->second));
named_objects_.erase(iter);
object->RemoveName();
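Review bot: The copy taken at line 204 protects only the SendToAllFrames call in the second hunk (the `copied_name` use there); any use of `name` in the lines elided between the two hunks, after `named_objects_.erase(iter)` has run, would still read through a reference into freed map storage, since the enclosing RemoveNamedObject body continues outside both hunks. Those lines should be audited and switched to `copied_name` as well, or the copy should be taken first and `name` not referenced again after the erase. A reviewer may also want the comment to say why the reference can alias the map key, e.g. `// |name| may be a reference to the key stored in |named_objects_| (callers pass it through from AddNamedObject), so it dangles once the entry is erased below.`. If the copy is kept in this form, `const std::string copied_name{name};` matches the brace-init convention and avoids any most-vexing-parse reading.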
@@ -220,7 +224,7 @@
}
web_contents()->SendToAllFrames(
- new GinJavaBridgeMsg_RemoveNamedObject(MSG_ROUTING_NONE, name));
+ new GinJavaBridgeMsg_RemoveNamedObject(MSG_ROUTING_NONE, copied_name));
}
void GinJavaBridgeDispatcherHost::SetAllowObjectContentsInspection(bool allow) {