Android: Fix null ptr deref

With r258476 it became possible to call RunAckCallbacks() after host_ was reset to NULL from Destroy(). ReleaseLocksOnSurface() can call InternalSwapCompositorFrame() which queues an ACK if we are visible. Make sure that when we call SetContentViewCore(NULL) the first time while |host_| is still valid, we are not left with an unsent ACK. BUG=278466 NOTRY=True Review URL: https://codereview.chromium.org/212123011 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@260579 0039d316-1c4b-4281-b951-d872f2087c98
hylschwy · Mar 31, 2014 · 81a52c4 · 81a52c4
1 parent cd33fc1
commit 81a52c4
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/content/browser/renderer_host/render_widget_host_view_android.cc b/content/browser/renderer_host/render_widget_host_view_android.cc
@@ -417,6 +417,7 @@ void RenderWidgetHostViewAndroid::ReleaseLocksOnSurface() {
   while (locks_on_frame_count_ > 0) {
     UnlockCompositingSurface();
   }
+  RunAckCallbacks();
 }
 
 gfx::Rect RenderWidgetHostViewAndroid::GetViewBounds() const {
@@ -728,6 +729,7 @@ void RenderWidgetHostViewAndroid::OnAcceleratedCompositingStateChange() {
 
 void RenderWidgetHostViewAndroid::SendDelegatedFrameAck(
     uint32 output_surface_id) {
+  DCHECK(host_);
   cc::CompositorFrameAck ack;
   if (resource_collection_.get())
     resource_collection_->TakeUnusedResourcesForChildCompositor(&ack.resources);
@@ -1332,8 +1334,6 @@ void RenderWidgetHostViewAndroid::DidStopFlinging() {
 
 void RenderWidgetHostViewAndroid::SetContentViewCore(
     ContentViewCoreImpl* content_view_core) {
-  RunAckCallbacks();
-
   RemoveLayers();
   // TODO: crbug.com/324341
   // WindowAndroid and Compositor should outlive all WebContents.
@@ -1389,7 +1389,7 @@ void RenderWidgetHostViewAndroid::OnLostResources() {
   if (delegated_renderer_layer_.get())
     DestroyDelegatedContent();
   texture_id_in_layer_ = 0;
-  RunAckCallbacks();
+  DCHECK(ack_callbacks_.empty());
 }
 
 // static