From c4ffab7a2308dabdc2ba1355902d94f7cc3b2d8f Mon Sep 17 00:00:00 2001
From: Dan Sinclair
Date: Wed, 14 Feb 2018 21:12:42 +0000
Subject: Fix lifetime probe issue in CJX_Object
This CL removes the UnownedPtr to the CXFA_LayoutItem from CJX_Object. This is because the CJX_Object will be destroyed by the CXFA_Node which is destroyed in the CXFA_Document destructor (due to the vector of unique_ptr being destroyed). The CXFA_LayoutItem will be freed in the LayoutProcessor which also lives in the CXFA_Document.
Bug: chromium:807215
Change-Id: I86040e154ee2e5d461fc4d3565a10a9181680207
Reviewed-on: https://pdfium-review.googlesource.com/26851
Reviewed-by: Tom Sepez
Commit-Queue: dsinclair
---
 fxjs/xfa/cjx_object.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'fxjs')
diff --git a/fxjs/xfa/cjx_object.h b/fxjs/xfa/cjx_object.h
index e21a3ef3f5..12b58b0af8 100644
--- a/fxjs/xfa/cjx_object.h
+++ b/fxjs/xfa/cjx_object.h
@@ -67,7 +67,7 @@ class CJX_Object {
 size_t GetCalcRecursionCount() const { return calc_recursion_count_; }
 void SetLayoutItem(CXFA_LayoutItem* item) { layout_item_ = item; }
- CXFA_LayoutItem* GetLayoutItem() const { return layout_item_.Get(); }
+ CXFA_LayoutItem* GetLayoutItem() const { return layout_item_; }
 bool HasMethod(const WideString& func) const;
 CJS_Return RunMethod(const WideString& func,
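Review bot: `GetLayoutItem()` now returns a raw `layout_item_` that nothing clears or checks after the layout item is freed, so the dangling state behind the lifetime probe is hidden rather than removed; the same applies to the member declaration in the second hunk. The commit message and the new comment both say the CXFA_LayoutItem is freed while this object is still alive during CXFA_Document destruction. Any caller that reaches `GetLayoutItem()` in that window would read freed memory, and whether such a caller exists cannot be ruled out from the lines shown. A safer shape is to have the code that frees the layout item call `SetLayoutItem(nullptr)` first so the checked pointer type can stay, or to destroy the nodes before the layout processor. The class body continues outside the hunk.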
@@ -272,7 +272,13 @@ class CJX_Object {
 void MoveBufferMapData(CXFA_Object* pDstModule);
 UnownedPtr object_;
- UnownedPtr layout_item_;
+ // This is an UnownedPtr but, due to lifetime issues, can't be marked as such
+ // at this point. The CJX_Node is freed by its parent CXFA_Node. The CXFA_Node
+ // will be freed during CXFA_NodeHolder destruction (CXFA_Document
+ // destruction as the only implementation). This will happen after the
+ // CXFA_LayoutProcessor is destroyed in the CXFA_Document, leaving this as a
+ // bad unowned ptr.
+ CXFA_LayoutItem* layout_item_ = nullptr;
 std::unique_ptr map_module_data_;
 std::unique_ptr calc_data_;
 std::map method_specs_;
-- cgit v1.2.3
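Review bot: The new comment on `layout_item_` records why the checked pointer was dropped, but it states no rule for callers and leaves no marker for restoring the check. I would append `// Must not be dereferenced during CXFA_Document destruction.` and `// TODO: restore UnownedPtr once node and layout-item teardown order is fixed (see chromium:807215).` so the raw pointer reads as a known exception, not the intended design. The comment also says `CJX_Node` although the member lives in `CJX_Object`; if the reasoning holds for every subclass, naming `CJX_Object` would be clearer. The class body continues outside the hunk.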