From 5c3d5b0f9a9e651cdb194a35a8c32d1ab7e7d0ed Mon Sep 17 00:00:00 2001
From: Charles Kerr <charles@charleskerr.com>
Date: Tue, 23 Jan 2024 18:27:31 -0600
Subject: [PATCH] fix: dangling raw_ptr in OSRWHV destructor

`delegated_frame_host_` holds a pointer to `delegated_frame_host_client_`.
Since `delegated_frame_host_client_` was being destroyed first, that
pointer was dangling in the OSRWHV destructor.

Also, make these two unique_ptr fields `const` since they point to the
same objects for the lifespan of the OSRWHV.
---
 shell/browser/osr/osr_render_widget_host_view.cc | 13 ++++++-------
 shell/browser/osr/osr_render_widget_host_view.h  | 13 +++++++++----
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/shell/browser/osr/osr_render_widget_host_view.cc b/shell/browser/osr/osr_render_widget_host_view.cc
index 12e45ae544644..18804040a953b 100644
--- a/shell/browser/osr/osr_render_widget_host_view.cc
+++ b/shell/browser/osr/osr_render_widget_host_view.cc
@@ -187,6 +187,12 @@ OffScreenRenderWidgetHostView::OffScreenRenderWidgetHostView(
       frame_rate_(frame_rate),
       size_(initial_size),
       painting_(painting),
+      delegated_frame_host_client_{
+          std::make_unique<ElectronDelegatedFrameHostClient>(this)},
+      delegated_frame_host_{std::make_unique<content::DelegatedFrameHost>(
+          AllocateFrameSinkId(),
+          delegated_frame_host_client_.get(),
+          true /* should_register_frame_sink_id */)},
       cursor_manager_(std::make_unique<content::CursorManager>(this)),
       mouse_wheel_phase_handler_(this),
       backing_(std::make_unique<SkBitmap>()) {
@@ -205,12 +211,6 @@ OffScreenRenderWidgetHostView::OffScreenRenderWidgetHostView(
   compositor_allocator_.GenerateId();
   compositor_surface_id_ = compositor_allocator_.GetCurrentLocalSurfaceId();
 
-  delegated_frame_host_client_ =
-      std::make_unique<ElectronDelegatedFrameHostClient>(this);
-  delegated_frame_host_ = std::make_unique<content::DelegatedFrameHost>(
-      AllocateFrameSinkId(), delegated_frame_host_client_.get(),
-      true /* should_register_frame_sink_id */);
-
   root_layer_ = std::make_unique<ui::Layer>(ui::LAYER_SOLID_COLOR);
 
   bool opaque = SkColorGetA(background_color_) == SK_AlphaOPAQUE;
@@ -247,7 +247,6 @@ OffScreenRenderWidgetHostView::~OffScreenRenderWidgetHostView() {
         content::DelegatedFrameHost::HiddenCause::kOther);
   delegated_frame_host_->DetachFromCompositor();
 
-  delegated_frame_host_.reset();
   compositor_.reset();
   root_layer_.reset();
 }
diff --git a/shell/browser/osr/osr_render_widget_host_view.h b/shell/browser/osr/osr_render_widget_host_view.h
index fa3da326605a3..08169af63dfdb 100644
--- a/shell/browser/osr/osr_render_widget_host_view.h
+++ b/shell/browser/osr/osr_render_widget_host_view.h
@@ -279,17 +279,22 @@ class OffScreenRenderWidgetHostView : public content::RenderWidgetHostViewBase,
   viz::ParentLocalSurfaceIdAllocator compositor_allocator_;
 
   std::unique_ptr<ui::Layer> root_layer_;
+
+  // depends-on: root_layer_
   std::unique_ptr<ui::Compositor> compositor_;
-  std::unique_ptr<content::DelegatedFrameHost> delegated_frame_host_;
+
+  // depends-on: render_widget_host_, root_layer_
+  const std::unique_ptr<ElectronDelegatedFrameHostClient>
+      delegated_frame_host_client_;
+
+  // depends-on: delegated_frame_host_client_
+  const std::unique_ptr<content::DelegatedFrameHost> delegated_frame_host_;
 
   std::unique_ptr<content::CursorManager> cursor_manager_;
 
   raw_ptr<OffScreenHostDisplayClient> host_display_client_;
   std::unique_ptr<OffScreenVideoConsumer> video_consumer_;
 
-  std::unique_ptr<ElectronDelegatedFrameHostClient>
-      delegated_frame_host_client_;
-
   content::MouseWheelPhaseHandler mouse_wheel_phase_handler_;
 
   // Latest capture sequence number which is incremented when the caller