DescriptionFix a crash seen in ChromeFrame when opening a non CF top level tab from a CF page.
This was a regression caused by the fix for bug http://code.google.com/p/chromium/issues/detail?id=168308
which was to not invalidate the protocol sink mapping for CF pages which are switched in from IE.
The crash in this case occurs because the protocol sink mapping is removed in the call to IInternetProtocol::Terminate
as this is treated as a ChromeFrame request. This is only a temporary CF url which eventually transitions to
the actual URL which is opened in IE. For the curious we intercept IInternetProtocol::LockRequest and for
the special gcf://attach_external_tab requests we addref the protocol data and return without calling the original
LockRequest API. When UnlockRequest is invoked we rely on the protocol data mapping to exist to release the
protocol data and return without calling the original UnlockRequest API.
In this case the sequence is IInternetProtocol::LockRequest, IInternetProtocolRoot::Terminate followed by
IInternetProtocol::UnlockRequest. In our terminate handler we remove the protocol data mapping for the attach tab
request. When UnlockRequest is called we call the original API and end up crashing.
Fix is to not invalidate the protocol data mapping for attach tab requests.
A test for this is in the works by robertshield.
BUG=178415
R=robertshield
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=185956
Patch Set 1 #
Total comments: 2
Patch Set 2 : #
Total comments: 1
Messages
Total messages: 4 (0 generated)
|