Fix for bug 3347616, crash when closing browser with requests in flight

The problem is if a request is just started as the browser (or a tab)
is closed. That can give delete the scoped_refptr before the
refcount is increased on the IO thread.

Refcounted objects should not be passed as raw pointers between
threads.

Change-Id: I57a9b30f5fdfef3c6d45b81ea59a61f96b09e6ae

1 files changed, 6 insertions, 2 deletions

diff --git a/WebKit/android/WebCoreSupport/WebUrlLoaderClient.cpp b/WebKit/android/WebCoreSupport/WebUrlLoaderClient.cpp
index 02f4139..596128a 100644
--- a/WebKit/android/WebCoreSupport/WebUrlLoaderClient.cpp
+++ b/WebKit/android/WebCoreSupport/WebUrlLoaderClient.cpp
@@ -167,7 +167,8 @@ bool WebUrlLoaderClient::start(bool sync, WebRequestContext* context)
     m_sync = sync;
     if (m_sync) {
         AutoLock autoLock(*syncLock());
-        thread->message_loop()->PostTask(FROM_HERE, NewRunnableMethod(m_request.get(), &WebRequest::start, context));
+        m_request->setRequestContext(context);
+        thread->message_loop()->PostTask(FROM_HERE, NewRunnableMethod(m_request.get(), &WebRequest::start));
 
         // Run callbacks until the queue is exhausted and m_finished is true.
         while(!m_finished) {
@@ -186,7 +187,10 @@ bool WebUrlLoaderClient::start(bool sync, WebRequestContext* context)
         m_resourceHandle = 0;
     } else {
         // Asynchronous start.
-        thread->message_loop()->PostTask(FROM_HERE, NewRunnableMethod(m_request.get(), &WebRequest::start, context));
+        // Important to set this before the thread starts so it has a reference and can't be deleted
+        // before the task starts running on the IO thread.
+        m_request->setRequestContext(context);
+        thread->message_loop()->PostTask(FROM_HERE, NewRunnableMethod(m_request.get(), &WebRequest::start));
     }
     return true;
 }