DanglingPtr: fix BrowserInterfaceBrokenImpl dangling ptr

Bug: 1291138 Change-Id: I28139f3101a6113a4ef713d76ebbce323857c323 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3721625 Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org> Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/main@{#1018154}
marcosholgado · Jun 27, 2022 · 8218e81 · 8218e81
1 parent 868e6e4
commit 8218e81
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/content/browser/browser_interface_broker_impl.h b/content/browser/browser_interface_broker_impl.h
@@ -102,7 +102,7 @@ class BrowserInterfaceBrokerImpl : public blink::mojom::BrowserInterfaceBroker {
   // The lifetime of `policy_applier_` is managed by the owner of this instance.
   // The owner should call `ReleaseMojoBinderPolicies()` when it destroys the
   // applier.
-  raw_ptr<MojoBinderPolicyApplier, DanglingUntriaged> policy_applier_ = nullptr;
+  raw_ptr<MojoBinderPolicyApplier> policy_applier_ = nullptr;
 };
 
 }  // namespace content

diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
@@ -3633,8 +3633,12 @@ void RenderFrameHostImpl::RendererDidActivateForPrerendering() {
   // does not have Mojo capability control applied.
   if (mojo_binder_policy_applier_) {
     mojo_binder_policy_applier_->GrantAll();
-    mojo_binder_policy_applier_.reset();
+
+    // As per `ReleaseMojoBinderPolicies` method requirement, the policy applier
+    // owner should call the method when destroying the object, so we first
+    // need to call this method before resetting the unique pointer.
     broker_.ReleaseMojoBinderPolicies();
+    mojo_binder_policy_applier_.reset();
   }
 }