From b03a419c6b49e3a628b0e9bd606799e5fbeb3bc4 Mon Sep 17 00:00:00 2001
From: Marshall Greenblatt
Date: Wed, 19 Jun 2019 15:45:23 +0200
Subject: [PATCH] Fix crash if a pending request is continued after deletion (see issue #2622). This is a speculative fix for a crash where the pending ResourceRequest appears to be invalid after the request is continued from SetInitialized.
---
 .../net_service/proxy_url_loader_factory.cc | 3 +++
 .../resource_request_handler_wrapper.cc | 14 +++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/libcef/browser/net_service/proxy_url_loader_factory.cc b/libcef/browser/net_service/proxy_url_loader_factory.cc
index b03690577..8410320ef 100644
--- a/libcef/browser/net_service/proxy_url_loader_factory.cc
+++ b/libcef/browser/net_service/proxy_url_loader_factory.cc
@@ -875,6 +875,9 @@ void InterceptedRequest::ContinueToResponseStarted(int error_code) {
 }
 
 void InterceptedRequest::OnDestroy() {
+ // We don't want any callbacks after this point.
+ weak_factory_.InvalidateWeakPtrs();
+
 factory_->request_handler_->OnRequestComplete(id_, request_, status_);
 
 // Destroys |this|.
diff --git a/libcef/browser/net_service/resource_request_handler_wrapper.cc b/libcef/browser/net_service/resource_request_handler_wrapper.cc
index 3abdb1494..a3e841d1f 100644
--- a/libcef/browser/net_service/resource_request_handler_wrapper.cc
+++ b/libcef/browser/net_service/resource_request_handler_wrapper.cc
@@ -920,7 +920,19 @@ class InterceptedRequestHandlerWrapper : public InterceptedRequestHandler {
 
 RequestState* state = GetState(id);
 if (!state) {
- // The request may have been canceled during destruction.
+ // The request may have been aborted during initialization or canceled
+ // during destruction. This method will always be called before a request
+ // is deleted, so if the request is currently pending also remove it from
+ // the list.
+ if (!pending_requests_.empty()) {
+ PendingRequests::iterator it = pending_requests_.begin();
+ for (; it != pending_requests_.end(); ++it) {
+ if ((*it)->id_ == id) {
+ pending_requests_.erase(it);
+ break;
+ }
+ }
+ }
 return;
 }
 
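Review bot: The stale-entry cleanup in the `if (!state)` branch relies on two things that are not visible in the hunk: that this method really runs for every request before it is deleted, and that the elements of `pending_requests_` are owning pointers, so that `pending_requests_.erase(it)` also frees the entry rather than leaking it. Both are worth confirming against the container's declaration, because a pending entry that outlives its request is exactly the dangling-request condition the commit message describes. The `!pending_requests_.empty()` guard is redundant, since the loop already handles an empty list, and the search reads more directly as `auto it = std::find_if(pending_requests_.begin(), pending_requests_.end(), [&id](const auto& r) { return r->id_ == id; });` followed by `if (it != pending_requests_.end()) pending_requests_.erase(it);`. As the commit message calls the fix speculative, a test that destroys a request while it is still pending would show whether the entry is actually removed. The enclosing method starts and ends outside the hunk.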