summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Sinclair <dsinclair@chromium.org>2018-02-14 21:12:42 +0000
committerChromium commit bot <commit-bot@chromium.org>2018-02-14 21:12:42 +0000
commitc4ffab7a2308dabdc2ba1355902d94f7cc3b2d8f (patch)
treeab6c7d500bc91072259959434ce5636ab82edbfb
parenta9eabe43437871b7b5f5569f0e3e1b9b3e01cedf (diff)
downloadpdfium-chromium/3348.tar.xz
Fix lifetime probe issue in CJX_Objectchromium/3348
This CL removes the UnownedPtr to the CXFA_LayoutItem from CJX_Object. This is because the CJX_Object will be destroyed by the CXFA_Node which is destroyed in the CXFA_Document destructor (due to the vector of unique_ptr being destroyed). The CXFA_LayoutItem will be freed in the LayoutProcessor which also lives in the CXFA_Document. Bug: chromium:807215 Change-Id: I86040e154ee2e5d461fc4d3565a10a9181680207 Reviewed-on: https://pdfium-review.googlesource.com/26851 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
-rw-r--r--fxjs/xfa/cjx_object.h10
1 files changed, 8 insertions, 2 deletions
diff --git a/fxjs/xfa/cjx_object.h b/fxjs/xfa/cjx_object.h
index e21a3ef3f5..12b58b0af8 100644
--- a/fxjs/xfa/cjx_object.h
+++ b/fxjs/xfa/cjx_object.h
@@ -67,7 +67,7 @@ class CJX_Object {
size_t GetCalcRecursionCount() const { return calc_recursion_count_; }
void SetLayoutItem(CXFA_LayoutItem* item) { layout_item_ = item; }
- CXFA_LayoutItem* GetLayoutItem() const { return layout_item_.Get(); }
+ CXFA_LayoutItem* GetLayoutItem() const { return layout_item_; }
bool HasMethod(const WideString& func) const;
CJS_Return RunMethod(const WideString& func,
@@ -272,7 +272,13 @@ class CJX_Object {
void MoveBufferMapData(CXFA_Object* pDstModule);
UnownedPtr<CXFA_Object> object_;
- UnownedPtr<CXFA_LayoutItem> layout_item_;
+ // This is an UnownedPtr but, due to lifetime issues, can't be marked as such
+ // at this point. The CJX_Node is freed by its parent CXFA_Node. The CXFA_Node
+ // will be freed during CXFA_NodeHolder destruction (CXFA_Document
+ // destruction as the only implementation). This will happen after the
+ // CXFA_LayoutProcessor is destroyed in the CXFA_Document, leaving this as a
+ // bad unowned ptr.
+ CXFA_LayoutItem* layout_item_ = nullptr;
std::unique_ptr<XFA_MAPMODULEDATA> map_module_data_;
std::unique_ptr<CXFA_CalcData> calc_data_;
std::map<ByteString, CJX_MethodCall> method_specs_;