Diffstat (limited to 'chromium/content')
7 files changed, 52 insertions, 14 deletions
diff --git a/chromium/content/browser/frame_host/render_frame_host_impl.cc b/chromium/content/browser/frame_host/render_frame_host_impl.cc index a6d5d13fe80..f9b3a9a12b6 100644 --- a/chromium/content/browser/frame_host/render_frame_host_impl.cc +++ b/chromium/content/browser/frame_host/render_frame_host_impl.cc @@ -1082,6 +1082,13 @@ RenderFrameHostImpl::~RenderFrameHostImpl() { if (owned_render_widget_host_) owned_render_widget_host_->ShutdownAndDestroyWidget(false); + // TODO(https://crbug.com/1005077): There is no known reason for removing the + // RenderViewHostImpl here instead of automatically at the end of the + // destructor. In practise, not doing it here will prevent android WebView to + // display a new page after a long sequence of WebView creation / deletion. + // The real reason why this is needed needs to be investigated. + render_view_host_.reset(); + // If another frame is waiting for a beforeunload ACK from this frame, // simulate it now. RenderFrameHostImpl* beforeunload_initiator = GetBeforeUnloadInitiator(); diff --git a/chromium/content/browser/frame_host/render_frame_host_impl.h b/chromium/content/browser/frame_host/render_frame_host_impl.h index d0f858a41cb..f60ce3a1a01 100644 --- a/chromium/content/browser/frame_host/render_frame_host_impl.h +++ b/chromium/content/browser/frame_host/render_frame_host_impl.h @@ -1712,7 +1712,7 @@ class CONTENT_EXPORT RenderFrameHostImpl // // TODO(creis): RenderViewHost will eventually go away and be replaced with // some form of page context. - const scoped_refptr<RenderViewHostImpl> render_view_host_; + scoped_refptr<RenderViewHostImpl> render_view_host_; RenderFrameHostDelegate* const delegate_; diff --git a/chromium/content/browser/indexed_db/indexed_db_cursor.cc b/chromium/content/browser/indexed_db/indexed_db_cursor.cc index 3c7c2bbf606..cdd7fe10309 100644 --- a/chromium/content/browser/indexed_db/indexed_db_cursor.cc +++ b/chromium/content/browser/indexed_db/indexed_db_cursor.cc 
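Review bot: In `~RenderFrameHostImpl()` (render_frame_host_impl.cc), everything after the new `render_view_host_.reset();` now runs with a null `render_view_host_`, starting with the `GetBeforeUnloadInitiator()` call and the beforeunload simulation visible right below it. The destructor continues outside the hunk, so it cannot be confirmed from here that no later teardown step, or a delegate it calls, reaches the member; if one does, this becomes a null dereference during destruction. State the invariant next to the reset, for example `// |render_view_host_| is null from here on; nothing below may use it.` The TODO text could also be tidied ("In practise", "prevent android WebView to display").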
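Review bot: In render_frame_host_impl.h, dropping `const` from `render_view_host_` removes the compile-time guarantee that the pointer is set once and stays valid for the object's lifetime, but the member comment above it is unchanged. The only writer visible in this commit is the early `reset()` in the destructor, so the declaration should record that, for example `// Not const only so the destructor can release it early; never reassigned while the frame host is live.` The class body extends beyond this hunk.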
@@ -62,8 +62,6 @@ IndexedDBCursor::IndexedDBCursor( } IndexedDBCursor::~IndexedDBCursor() { - if (transaction_) - transaction_->UnregisterOpenCursor(this); // Call to make sure we complete our lifetime trace. Close(); } @@ -405,6 +403,8 @@ void IndexedDBCursor::Close() { closed_ = true; cursor_.reset(); saved_cursor_.reset(); + if (transaction_) + transaction_->UnregisterOpenCursor(this); transaction_.reset(); } diff --git a/chromium/content/browser/indexed_db/indexed_db_transaction.cc b/chromium/content/browser/indexed_db/indexed_db_transaction.cc index 11783f25063..53f198ae218 100644 --- a/chromium/content/browser/indexed_db/indexed_db_transaction.cc +++ b/chromium/content/browser/indexed_db/indexed_db_transaction.cc @@ -585,9 +585,13 @@ void IndexedDBTransaction::CloseOpenCursorBindings() { void IndexedDBTransaction::CloseOpenCursors() { IDB_TRACE1("IndexedDBTransaction::CloseOpenCursors", "txn.id", id()); - for (auto* cursor : open_cursors_) - cursor->Close(); + + // IndexedDBCursor::Close() indirectly mutates |open_cursors_|, when it calls + // IndexedDBTransaction::UnregisterOpenCursor(). + std::set<IndexedDBCursor*> open_cursors = std::move(open_cursors_); open_cursors_.clear(); + for (auto* cursor : open_cursors) + cursor->Close(); } void IndexedDBTransaction::AddPendingObserver( diff --git a/chromium/content/browser/web_contents/web_contents_view_aura.cc b/chromium/content/browser/web_contents/web_contents_view_aura.cc index 68f268efe02..965204410f9 100644 --- a/chromium/content/browser/web_contents/web_contents_view_aura.cc +++ b/chromium/content/browser/web_contents/web_contents_view_aura.cc @@ -412,6 +412,7 @@ class WebContentsViewAura::AsyncDropNavigationObserver public: AsyncDropNavigationObserver(WebContents* watched_contents, std::unique_ptr<DropData> drop_data, + base::ScopedClosureRunner end_drag_runner, RenderWidgetHostImpl* target_rwh, const gfx::PointF& client_pt, const gfx::PointF& screen_pt, 
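Review bot: In `IndexedDBCursor::~IndexedDBCursor()` the remaining comment still describes `Close()` only as completing the lifetime trace, yet after this change `Close()` is also the one place where the cursor unregisters itself from `transaction_` (second hunk of indexed_db_cursor.cc). A later edit that drops or reorders the destructor's `Close()` call would leave a stale raw pointer in the transaction's cursor set. Say so at the call, for example `// Close() unregisters this cursor from its transaction and completes the lifetime trace.`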
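Review bot: In `IndexedDBTransaction::CloseOpenCursors()` the local `open_cursors` snapshot holds raw `IndexedDBCursor*` values, and once `open_cursors_` has been emptied, a cursor that is destroyed during the loop can no longer remove itself from the set being iterated. Whether one `cursor->Close()` can cause another registered cursor to be destroyed is not visible in this hunk; if it can, the loop would call `Close()` on a dangling pointer. Record the assumption beside the loop, for example `// Closing a cursor must not destroy any other cursor in |open_cursors|.` Each `Close()` now also calls `UnregisterOpenCursor()` against the already-emptied member, so that function (outside the hunk) has to tolerate a missing entry.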
@@ -436,6 +437,7 @@ class WebContentsViewAura::AsyncDropNavigationObserver // Data cached at the start of the drop operation and needed to complete the // drop. std::unique_ptr<DropData> drop_data_; + base::ScopedClosureRunner end_drag_runner_; base::WeakPtr<RenderWidgetHostImpl> target_rwh_; const gfx::PointF client_pt_; const gfx::PointF screen_pt_; @@ -447,6 +449,7 @@ class WebContentsViewAura::AsyncDropNavigationObserver WebContentsViewAura::AsyncDropNavigationObserver::AsyncDropNavigationObserver( WebContents* watched_contents, std::unique_ptr<DropData> drop_data, + base::ScopedClosureRunner end_drag_runner, RenderWidgetHostImpl* target_rwh, const gfx::PointF& client_pt, const gfx::PointF& screen_pt, @@ -454,6 +457,7 @@ WebContentsViewAura::AsyncDropNavigationObserver::AsyncDropNavigationObserver( : WebContentsObserver(watched_contents), drop_allowed_(true), drop_data_(std::move(drop_data)), + end_drag_runner_(std::move(end_drag_runner)), target_rwh_(target_rwh->GetWeakPtr()), client_pt_(client_pt), screen_pt_(screen_pt), @@ -1097,7 +1101,15 @@ void WebContentsViewAura::StartDragging( return; } - EndDrag(source_rwh_weak_ptr.get(), ConvertToWeb(result_op)); + // If drag is still in progress that means we haven't received drop targeting + // callback yet. So we have to make sure to delay calling EndDrag until drop + // is done. + if (!drag_in_progress_) + EndDrag(source_rwh_weak_ptr.get(), ConvertToWeb(result_op)); + else + end_drag_runner_ = base::ScopedClosureRunner(base::BindOnce( + &WebContentsViewAura::EndDrag, weak_ptr_factory_.GetWeakPtr(), + source_rwh_weak_ptr.get(), ConvertToWeb(result_op))); } void WebContentsViewAura::UpdateDragCursor(blink::WebDragOperation operation) { 
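Review bot: In `AsyncDropNavigationObserver`, the new `end_drag_runner_` member sits under the existing comment "Data cached at the start of the drop operation and needed to complete the drop", which does not describe it. A `base::ScopedClosureRunner` runs its closure when it is destroyed, so destroying the observer is what finally sends the deferred drag end, and that lifetime coupling is worth a line of its own, for example `// Runs the deferred EndDrag when this observer is destroyed.` The class definition starts and ends outside this hunk.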
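Review bot: In `WebContentsViewAura::StartDragging`, the deferred branch binds `source_rwh_weak_ptr.get()`, which is the raw `RenderWidgetHostImpl*` as it is at bind time, into a closure that runs later. The receiver is guarded by `weak_ptr_factory_.GetWeakPtr()`, but the argument is not. If the source widget host is destroyed before the drop finishes, `EndDrag` is called with a dangling pointer, and the async navigation path keeps the runner alive longer still. Binding the weak pointer and resolving it when the closure runs would avoid that: pass `source_rwh_weak_ptr` instead of `source_rwh_weak_ptr.get()`, with `EndDrag` taking a `base::WeakPtr<RenderWidgetHostImpl>` (its declaration is outside this hunk). The multi-line `else` body would also be clearer with braces on both branches.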
@@ -1391,6 +1403,8 @@ void WebContentsViewAura::PerformDropCallback( base::WeakPtr<RenderWidgetHostViewBase> target, base::Optional<gfx::PointF> transformed_pt) { drag_in_progress_ = false; + base::ScopedClosureRunner end_drag_runner(std::move(end_drag_runner_)); + if (!target) return; RenderWidgetHostImpl* target_rwh = @@ -1411,9 +1425,8 @@ void WebContentsViewAura::PerformDropCallback( DragEnteredCallback(event, std::move(drop_data), target, transformed_pt); } - if (!current_drop_data_) { + if (!current_drop_data_) return; - } const int key_modifiers = ui::EventFlagsToWebEventModifiers(event.flags()); #if defined(OS_WIN) @@ -1438,8 +1451,9 @@ void WebContentsViewAura::PerformDropCallback( // operation completes. async_drop_navigation_observer_ = std::make_unique<AsyncDropNavigationObserver>( - web_contents_, std::move(current_drop_data_), target_rwh, - transformed_pt.value(), screen_pt, key_modifiers); + web_contents_, std::move(current_drop_data_), + std::move(end_drag_runner), target_rwh, transformed_pt.value(), + screen_pt, key_modifiers); return; } } diff --git a/chromium/content/browser/web_contents/web_contents_view_aura.h b/chromium/content/browser/web_contents/web_contents_view_aura.h index ed3c8d86cac..428c5afe4cd 100644 --- a/chromium/content/browser/web_contents/web_contents_view_aura.h +++ b/chromium/content/browser/web_contents/web_contents_view_aura.h @@ -9,6 +9,7 @@ #include <utility> #include <vector> +#include "base/callback_helpers.h" #include "base/gtest_prod_util.h" #include "base/macros.h" #include "base/memory/ref_counted.h" @@ -245,6 +246,10 @@ class CONTENT_EXPORT WebContentsViewAura #endif DropCallbackForTesting drop_callback_for_testing_; + // If this callback is initialized it must be run after the drop operation is + // done to send dragend event in EndDrag function. + base::ScopedClosureRunner end_drag_runner_; + std::unique_ptr<aura::Window> window_; std::unique_ptr<WindowObserver> window_observer_; 
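Review bot: In `WebContentsViewAura::PerformDropCallback`, the local `end_drag_runner` is what makes the deferred `EndDrag` fire on every early `return`, including `if (!target) return;` directly below it, but the code does not say so. Because the behaviour comes from the local's destructor, a later refactor could remove or move the line without noticing that drag end would then never be sent on those paths. Add a comment above it, for example `// Runs the deferred EndDrag on every exit path unless ownership moves to the async drop observer below.` The function body continues outside this hunk.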
diff --git a/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc b/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc index e0c2d352f2a..784831c465f 100644 --- a/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc +++ b/chromium/content/renderer/media/webrtc/rtc_peer_connection_handler.cc @@ -1235,13 +1235,17 @@ void RTCPeerConnectionHandler::SetLocalDescription( reason_str.append(" "); reason_str.append(error.description); LOG(ERROR) << reason_str; - request.RequestFailed(webrtc::RTCError(webrtc::RTCErrorType::INTERNAL_ERROR, - std::move(reason_str))); if (peer_connection_tracker_) { peer_connection_tracker_->TrackSessionDescriptionCallback( this, PeerConnectionTracker::ACTION_SET_LOCAL_DESCRIPTION, "OnFailure", reason_str); } + // Warning: this line triggers the error callback to be executed, causing + // arbitrary JavaScript to be executed synchronously. As a result, it is + // possible for |this| to be deleted after this line. See + // https://crbug.com/1005251. + request.RequestFailed(webrtc::RTCError(webrtc::RTCErrorType::INTERNAL_ERROR, + std::move(reason_str))); return; } @@ -1303,13 +1307,17 @@ void RTCPeerConnectionHandler::SetRemoteDescription( reason_str.append(" "); reason_str.append(error.description); LOG(ERROR) << reason_str; - request.RequestFailed(webrtc::RTCError( - webrtc::RTCErrorType::UNSUPPORTED_OPERATION, std::move(reason_str))); if (peer_connection_tracker_) { peer_connection_tracker_->TrackSessionDescriptionCallback( this, PeerConnectionTracker::ACTION_SET_REMOTE_DESCRIPTION, "OnFailure", reason_str); } + // Warning: this line triggers the error callback to be executed, causing + // arbitrary JavaScript to be executed synchronously. As a result, it is + // possible for |this| to be deleted after this line. See + // https://crbug.com/1005251. + request.RequestFailed(webrtc::RTCError( + webrtc::RTCErrorType::UNSUPPORTED_OPERATION, std::move(reason_str))); return; } |
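Review bot: In `RTCPeerConnectionHandler::SetLocalDescription`, the new ordering is safe only because `request.RequestFailed(...)` is followed by nothing except `return;`, and the added comment explains the hazard without stating that rule. A future edit that appends logging or tracker work after the call would reintroduce a use of `this` after it may have been deleted. End the comment with the constraint itself, for example `// This must remain the last statement that touches |this| or its members.` The same applies to the identical comment in the `SetRemoteDescription` hunk. Both functions start outside the hunks shown.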