Ensure that BrowserContext is not used after it has been freed

Previously, it was possible for the BrowserContext to be destroyed before ReportAnchorElementMetricsOnClick attempted to access it. The fix uses the fact that NavigationPredictor extends WebContentsObserver and checks that web_contents is still alive before dereferencing BrowserContext. WebContents will always outlive BrowserContext. R=lukasza@chromium.org, ryansturm@chromium.org (cherry picked from commit 7313a81) Bug: 1197904 Change-Id: Iee4f126e92670a84d57c7a4ec7d6f702fb975c7e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2821639 Reviewed-by: Ryan Sturm <ryansturm@chromium.org> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#872021} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2827043 Auto-Submit: Robert Ogden <robertogden@chromium.org> Commit-Queue: Ryan Sturm <ryansturm@chromium.org> Cr-Commit-Position: refs/branch-heads/4472@{#77} Cr-Branched-From: 3d60439-refs/heads/master@{#870763}
chromium · Apr 14, 2021 · f782a44 · f782a44
1 parent ee50502
commit f782a44
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -152,6 +152,7 @@ Bobby Powers <bobbypowers@gmail.com>
 Branden Archer <bma4@zips.uakron.edu>
 Brendan Kirby <brendan.kirby@imgtec.com>
 Brendan Long <self@brendanlong.com>
+Brendon Tiszka <btiszka@gmail.com>
 Brian Clifton <clifton@brave.com>
 Brian G. Merrell <bgmerrell@gmail.com>
 Brian Konzman, SJ <b.g.konzman@gmail.com>

diff --git a/chrome/browser/navigation_predictor/navigation_predictor.cc b/chrome/browser/navigation_predictor/navigation_predictor.cc
@@ -506,6 +506,9 @@ void NavigationPredictor::ReportAnchorElementMetricsOnClick(
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(base::FeatureList::IsEnabled(blink::features::kNavigationPredictor));
 
+  if (!web_contents())
+    return;
+
   if (browser_context_->IsOffTheRecord())
     return;
 
@@ -652,6 +655,9 @@ void NavigationPredictor::ReportAnchorElementMetricsOnLoad(
   // Each document should only report metrics once when page is loaded.
   DCHECK(navigation_scores_map_.empty());
 
+  if (!web_contents())
+    return;
+
   if (browser_context_->IsOffTheRecord())
     return;
 
@@ -897,6 +903,9 @@ void NavigationPredictor::MaybeTakeActionOnLoad(
 }
 
 void NavigationPredictor::MaybePrefetch() {
+  if (!web_contents())
+    return;
+
   // If prefetches aren't allowed here, this URL has already
   // been prefetched, or the current tab is hidden,
   // we shouldn't prefetch again.