Google Git
Sign in
android / platform / external / chromium_org / refs/heads/lollipop-cts-release^! / .
commitc212afed51ff46ea8092417a98a4a61be1a60623[log] [tgz]
authorMikhail Naganov <[email protected]>Tue Jan 27 17:56:25 2015 +0000
committerThe Android Automerger <[email protected]>Sun Feb 08 22:55:12 2015 -0800
tree58eafe9151585fcf10e898bd1b820509b2d28db7
parentced57b7200475da7fb6600a99c4380777ce039bc [diff]
Fix crash in Java Bridge methods that can receive a non-existant object ID

Bug: 18990952
Change-Id: Idc66b18361306f229bfc27642a4f989f60a1a4d3

diff --git a/content/browser/android/java/gin_java_bridge_dispatcher_host.cc b/content/browser/android/java/gin_java_bridge_dispatcher_host.cc
index ca63276..73649f1 100644
--- a/content/browser/android/java/gin_java_bridge_dispatcher_host.cc
+++ b/content/browser/android/java/gin_java_bridge_dispatcher_host.cc

@@ -135,8 +135,7 @@
 
 JavaObjectWeakGlobalRef GinJavaBridgeDispatcherHost::GetObjectWeakRef(
     GinJavaBoundObject::ObjectID object_id) {
-  scoped_refptr<GinJavaBoundObject>* result = objects_.Lookup(object_id);
-  scoped_refptr<GinJavaBoundObject> object(result ? *result : NULL);
+  scoped_refptr<GinJavaBoundObject> object = FindObject(object_id);
   if (object.get())
     return object->GetWeakRef();
   else
@@ -326,6 +325,12 @@
   return handled;
 }
 
+scoped_refptr<GinJavaBoundObject> GinJavaBridgeDispatcherHost::FindObject(
+    GinJavaBoundObject::ObjectID object_id) {
+  scoped_refptr<GinJavaBoundObject>* result_ptr = objects_.Lookup(object_id);
+  return result_ptr ? *result_ptr : NULL;
+}
+
 namespace {
 
 class IsValidRenderFrameHostHelper
@@ -373,7 +378,7 @@
     render_frame_host->Send(reply_msg);
     return;
   }
-  scoped_refptr<GinJavaBoundObject> object(*objects_.Lookup(object_id));
+  scoped_refptr<GinJavaBoundObject> object = FindObject(object_id);
   if (!object) {
     LOG(ERROR) << "WebView: Unknown object: " << object_id;
     IPC::WriteParam(reply_msg, std::set<std::string>());
@@ -409,7 +414,7 @@
     IPC::Message* reply_msg) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   DCHECK(render_frame_host);
-  scoped_refptr<GinJavaBoundObject> object(*objects_.Lookup(object_id));
+  scoped_refptr<GinJavaBoundObject> object = FindObject(object_id);
   if (!object) {
     LOG(ERROR) << "WebView: Unknown object: " << object_id;
     IPC::WriteParam(reply_msg, false);
@@ -446,7 +451,7 @@
     IPC::Message* reply_msg) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   DCHECK(render_frame_host);
-  scoped_refptr<GinJavaBoundObject> object(*objects_.Lookup(object_id));
+  scoped_refptr<GinJavaBoundObject> object = FindObject(object_id);
   if (!object) {
     LOG(ERROR) << "WebView: Unknown object: " << object_id;
     base::ListValue result;

diff --git a/content/browser/android/java/gin_java_bridge_dispatcher_host.h b/content/browser/android/java/gin_java_bridge_dispatcher_host.h
index 48fcbb5..a8bc280 100644
--- a/content/browser/android/java/gin_java_bridge_dispatcher_host.h
+++ b/content/browser/android/java/gin_java_bridge_dispatcher_host.h

@@ -75,6 +75,8 @@
   void OnObjectWrapperDeleted(RenderFrameHost* render_frame_host,
                               GinJavaBoundObject::ObjectID object_id);
 
+  scoped_refptr<GinJavaBoundObject> FindObject(
+      GinJavaBoundObject::ObjectID object_id);
   bool IsValidRenderFrameHost(RenderFrameHost* render_frame_host);
   void SendMethods(RenderFrameHost* render_frame_host,
                    const std::set<std::string>& method_names);