23 lines
1.1 KiB
Diff
23 lines
1.1 KiB
Diff
Bug: https://bugs.gentoo.org/750038
|
|
Upstream bug: https://crbug.com/1135070
|
|
|
|
--- a/content/browser/service_worker/service_worker_container_host.cc
|
|
+++ b/content/browser/service_worker/service_worker_container_host.cc
|
|
@@ -626,6 +626,16 @@
|
|
int64_t registration_id) {
|
|
DCHECK_CURRENTLY_ON(ServiceWorkerContext::GetCoreThreadId());
|
|
DCHECK(base::Contains(registration_object_hosts_, registration_id));
|
|
+
|
|
+ // ServiceWorkerRegistrationObjectHost to be deleted may have the last reference to
|
|
+ // ServiceWorkerRegistration that indirectly owns this ServiceWorkerContainerHost.
|
|
+ // If we erase the object host directly from the map, |this| could be deleted
|
|
+ // during the map operation and may crash. To avoid the case, we take the
|
|
+ // ownership of the object host from the map first, and then erase the entry
|
|
+ // from the map. See https://crbug.com/1135070 for details.
|
|
+ std::unique_ptr<ServiceWorkerRegistrationObjectHost> to_be_deleted =
|
|
+ std::move(registration_object_hosts_[registration_id]);
|
|
+ DCHECK(to_be_deleted);
|
|
registration_object_hosts_.erase(registration_id);
|
|
}
|
|
|