author | Dan Sinclair <dsinclair@chromium.org> | 2018-02-14 21:12:42 +0000 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2018-02-14 21:12:42 +0000 |
commit | c4ffab7a2308dabdc2ba1355902d94f7cc3b2d8f (patch) | |
tree | ab6c7d500bc91072259959434ce5636ab82edbfb /fxjs | |
parent | a9eabe43437871b7b5f5569f0e3e1b9b3e01cedf (diff) | |
download | pdfium-c4ffab7a2308dabdc2ba1355902d94f7cc3b2d8f.tar.xz |
Fix lifetime probe issue in CJX_Objectchromium/3348
This CL removes the UnownedPtr to the CXFA_LayoutItem from CJX_Object.
This is because the CJX_Object will be destroyed by the CXFA_Node which
is destroyed in the CXFA_Document destructor (due to the vector of
unique_ptr being destroyed). The CXFA_LayoutItem will be freed in the
LayoutProcessor which also lives in the CXFA_Document.
Bug: chromium:807215
Change-Id: I86040e154ee2e5d461fc4d3565a10a9181680207
Reviewed-on: https://pdfium-review.googlesource.com/26851
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Diffstat (limited to 'fxjs')
-rw-r--r-- | fxjs/xfa/cjx_object.h | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/fxjs/xfa/cjx_object.h b/fxjs/xfa/cjx_object.h
index e21a3ef3f5..12b58b0af8 100644
--- a/fxjs/xfa/cjx_object.h
+++ b/fxjs/xfa/cjx_object.h
@@ -67,7 +67,7 @@ class CJX_Object {
 size_t GetCalcRecursionCount() const { return calc_recursion_count_; }
 void SetLayoutItem(CXFA_LayoutItem* item) { layout_item_ = item; }
- CXFA_LayoutItem* GetLayoutItem() const { return layout_item_.Get(); }
+ CXFA_LayoutItem* GetLayoutItem() const { return layout_item_; }
 bool HasMethod(const WideString& func) const;
 CJS_Return RunMethod(const WideString& func,
@@ -272,7 +272,13 @@ class CJX_Object {
 void MoveBufferMapData(CXFA_Object* pDstModule);
 UnownedPtr<CXFA_Object> object_;
- UnownedPtr<CXFA_LayoutItem> layout_item_;
+ // This is an UnownedPtr but, due to lifetime issues, can't be marked as such
+ // at this point. The CJX_Node is freed by its parent CXFA_Node. The CXFA_Node
+ // will be freed during CXFA_NodeHolder destruction (CXFA_Document
+ // destruction as the only implementation). This will happen after the
+ // CXFA_LayoutProcessor is destroyed in the CXFA_Document, leaving this as a
+ // bad unowned ptr.
+ CXFA_LayoutItem* layout_item_ = nullptr;
 std::unique_ptr<XFA_MAPMODULEDATA> map_module_data_;
 std::unique_ptr<CXFA_CalcData> calc_data_;
 std::map<ByteString, CJX_MethodCall> method_specs_; |
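Review bot: The raw `CXFA_LayoutItem* layout_item_` in the second hunk keeps the dangling pointer that the new comment describes and only removes the check that reported it. Once the CXFA_LayoutProcessor has freed the layout items, the member still holds the old address, and `GetLayoutItem()` in the first hunk hands it to callers unchecked. Nothing visible in these hunks resets it, so a caller that runs during or after layout teardown would read freed memory; it would be safer to have the teardown path call `SetLayoutItem(nullptr)` on the affected objects, or to reorder destruction so the UnownedPtr can come back. The comment should also carry a tracked follow-up such as `// TODO(chromium:807215): restore UnownedPtr once the layout item cannot be freed before this object.`, and it names CJX_Node where the enclosing class is CJX_Object. Both hunks sit inside class CJX_Object, which begins and ends outside the diff.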