Retain corresponding layoutitem in CXFA_FFWidget::LoadWidget().
Prevent destruction of |this| in CXFA_FFWidget::LoadWidget() and all of
its overrides.
Turns the bug in question from a last line of defense CHECK() failure to
an ObserverPtr nullptr dereference, due to unexpected object
destruction while observing it.
Bug: chromium:982193
Change-Id: I796905fc0b8bcb57d85b4a7c71c5836fb56f6911
Reviewed-on: https://pdfium-review.googlesource.com/c/pdfium/+/66750
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
diff --git a/xfa/fxfa/cxfa_ffbarcode.cpp b/xfa/fxfa/cxfa_ffbarcode.cpp
index 1c541ec..2cbe9d2 100644
--- a/xfa/fxfa/cxfa_ffbarcode.cpp
+++ b/xfa/fxfa/cxfa_ffbarcode.cpp
@@ -140,6 +140,10 @@
bool CXFA_FFBarcode::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNew = pdfium::MakeUnique<CFWL_Barcode>(GetFWLApp());
CFWL_Barcode* pFWLBarcode = pNew.get();
SetNormalWidget(std::move(pNew));
diff --git a/xfa/fxfa/cxfa_ffcheckbutton.cpp b/xfa/fxfa/cxfa_ffcheckbutton.cpp
index 1b022f6..5552cf0 100644
--- a/xfa/fxfa/cxfa_ffcheckbutton.cpp
+++ b/xfa/fxfa/cxfa_ffcheckbutton.cpp
@@ -32,6 +32,10 @@
bool CXFA_FFCheckButton::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNew = pdfium::MakeUnique<CFWL_CheckBox>(GetFWLApp());
CFWL_CheckBox* pCheckBox = pNew.get();
SetNormalWidget(std::move(pNew));
diff --git a/xfa/fxfa/cxfa_ffcombobox.cpp b/xfa/fxfa/cxfa_ffcombobox.cpp
index 522a0be..bf00c57 100644
--- a/xfa/fxfa/cxfa_ffcombobox.cpp
+++ b/xfa/fxfa/cxfa_ffcombobox.cpp
@@ -50,6 +50,10 @@
bool CXFA_FFComboBox::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNew = pdfium::MakeUnique<CFWL_ComboBox>(GetFWLApp());
CFWL_ComboBox* pComboBox = pNew.get();
SetNormalWidget(std::move(pNew));
diff --git a/xfa/fxfa/cxfa_ffdatetimeedit.cpp b/xfa/fxfa/cxfa_ffdatetimeedit.cpp
index 7017442..68c4d3e 100644
--- a/xfa/fxfa/cxfa_ffdatetimeedit.cpp
+++ b/xfa/fxfa/cxfa_ffdatetimeedit.cpp
@@ -43,6 +43,10 @@
bool CXFA_FFDateTimeEdit::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNewPicker = pdfium::MakeUnique<CFWL_DateTimePicker>(GetFWLApp());
CFWL_DateTimePicker* pWidget = pNewPicker.get();
SetNormalWidget(std::move(pNewPicker));
diff --git a/xfa/fxfa/cxfa_fffield.cpp b/xfa/fxfa/cxfa_fffield.cpp
index 2f2e366..f1438d5 100644
--- a/xfa/fxfa/cxfa_fffield.cpp
+++ b/xfa/fxfa/cxfa_fffield.cpp
@@ -145,6 +145,9 @@
}
bool CXFA_FFField::LoadWidget() {
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
SetFWLThemeProvider();
m_pNode->LoadCaption(GetDoc());
PerformLayout();
diff --git a/xfa/fxfa/cxfa_ffimage.cpp b/xfa/fxfa/cxfa_ffimage.cpp
index eeb0e24..2f77079 100644
--- a/xfa/fxfa/cxfa_ffimage.cpp
+++ b/xfa/fxfa/cxfa_ffimage.cpp
@@ -26,6 +26,9 @@
}
bool CXFA_FFImage::LoadWidget() {
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
if (GetNode()->GetImageImage())
return true;
diff --git a/xfa/fxfa/cxfa_ffimageedit.cpp b/xfa/fxfa/cxfa_ffimageedit.cpp
index 0c5e129..06171bc 100644
--- a/xfa/fxfa/cxfa_ffimageedit.cpp
+++ b/xfa/fxfa/cxfa_ffimageedit.cpp
@@ -32,6 +32,10 @@
bool CXFA_FFImageEdit::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNew = pdfium::MakeUnique<CFWL_PictureBox>(GetFWLApp());
CFWL_PictureBox* pPictureBox = pNew.get();
SetNormalWidget(std::move(pNew));
diff --git a/xfa/fxfa/cxfa_fflistbox.cpp b/xfa/fxfa/cxfa_fflistbox.cpp
index bb693bc..dd2fa3d 100644
--- a/xfa/fxfa/cxfa_fflistbox.cpp
+++ b/xfa/fxfa/cxfa_fflistbox.cpp
@@ -39,6 +39,10 @@
bool CXFA_FFListBox::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNew = pdfium::MakeUnique<CFWL_ListBox>(
GetFWLApp(), pdfium::MakeUnique<CFWL_WidgetProperties>(), nullptr);
CFWL_ListBox* pListBox = pNew.get();
diff --git a/xfa/fxfa/cxfa_ffnumericedit.cpp b/xfa/fxfa/cxfa_ffnumericedit.cpp
index d089178..bade8ee 100644
--- a/xfa/fxfa/cxfa_ffnumericedit.cpp
+++ b/xfa/fxfa/cxfa_ffnumericedit.cpp
@@ -24,6 +24,10 @@
bool CXFA_FFNumericEdit::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNewEdit = pdfium::MakeUnique<CFWL_Edit>(
GetFWLApp(), pdfium::MakeUnique<CFWL_WidgetProperties>(), nullptr);
CFWL_Edit* pWidget = pNewEdit.get();
diff --git a/xfa/fxfa/cxfa_ffpasswordedit.cpp b/xfa/fxfa/cxfa_ffpasswordedit.cpp
index 8019c5c..db95516 100644
--- a/xfa/fxfa/cxfa_ffpasswordedit.cpp
+++ b/xfa/fxfa/cxfa_ffpasswordedit.cpp
@@ -23,6 +23,10 @@
bool CXFA_FFPasswordEdit::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNewEdit = pdfium::MakeUnique<CFWL_Edit>(
GetFWLApp(), pdfium::MakeUnique<CFWL_WidgetProperties>(), nullptr);
CFWL_Edit* pWidget = pNewEdit.get();
diff --git a/xfa/fxfa/cxfa_ffpushbutton.cpp b/xfa/fxfa/cxfa_ffpushbutton.cpp
index 646cb8d..c803008 100644
--- a/xfa/fxfa/cxfa_ffpushbutton.cpp
+++ b/xfa/fxfa/cxfa_ffpushbutton.cpp
@@ -51,6 +51,10 @@
bool CXFA_FFPushButton::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNew = pdfium::MakeUnique<CFWL_PushButton>(GetFWLApp());
CFWL_PushButton* pPushButton = pNew.get();
m_pOldDelegate = pPushButton->GetDelegate();
diff --git a/xfa/fxfa/cxfa_ffsignature.cpp b/xfa/fxfa/cxfa_ffsignature.cpp
index d745094..a7dc173 100644
--- a/xfa/fxfa/cxfa_ffsignature.cpp
+++ b/xfa/fxfa/cxfa_ffsignature.cpp
@@ -18,6 +18,10 @@
bool CXFA_FFSignature::LoadWidget() {
ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
return CXFA_FFField::LoadWidget();
}
diff --git a/xfa/fxfa/cxfa_fftextedit.cpp b/xfa/fxfa/cxfa_fftextedit.cpp
index 4744212..6f8d732 100644
--- a/xfa/fxfa/cxfa_fftextedit.cpp
+++ b/xfa/fxfa/cxfa_fftextedit.cpp
@@ -43,9 +43,13 @@
}
bool CXFA_FFTextEdit::LoadWidget() {
+ ASSERT(!IsLoaded());
+
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
auto pNewWidget = pdfium::MakeUnique<CFWL_Edit>(
GetFWLApp(), pdfium::MakeUnique<CFWL_WidgetProperties>(), nullptr);
- ASSERT(!IsLoaded());
CFWL_Edit* pFWLEdit = pNewWidget.get();
SetNormalWidget(std::move(pNewWidget));
pFWLEdit->SetAdapterIface(this);
diff --git a/xfa/fxfa/cxfa_ffwidget.cpp b/xfa/fxfa/cxfa_ffwidget.cpp
index 62a5eda..b0c5ee6 100644
--- a/xfa/fxfa/cxfa_ffwidget.cpp
+++ b/xfa/fxfa/cxfa_ffwidget.cpp
@@ -319,6 +319,9 @@
}
bool CXFA_FFWidget::LoadWidget() {
+ // Prevents destruction of the CXFA_ContentLayoutItem that owns |this|.
+ RetainPtr<CXFA_ContentLayoutItem> retain_layout(m_pLayoutItem.Get());
+
PerformLayout();
return true;
}
