Fix lifetime probe issue in CJX_Object

This CL removes the UnownedPtr to the CXFA_LayoutItem from CJX_Object.
This is because the CJX_Object will be destroyed by the CXFA_Node which
is destroyed in the CXFA_Document destructor (due to the vector of
unique_ptr being destroyed). The CXFA_LayoutItem will be freed in the
LayoutProcessor which also lives in the CXFA_Document.

Bug: chromium:807215
Change-Id: I86040e154ee2e5d461fc4d3565a10a9181680207
Reviewed-on: https://pdfium-review.googlesource.com/26851
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
diff --git a/fxjs/xfa/cjx_object.h b/fxjs/xfa/cjx_object.h
index e21a3ef..12b58b0 100644
--- a/fxjs/xfa/cjx_object.h
+++ b/fxjs/xfa/cjx_object.h
@@ -67,7 +67,7 @@
size_t GetCalcRecursionCount() const { return calc_recursion_count_; }
void SetLayoutItem(CXFA_LayoutItem* item) { layout_item_ = item; }
- CXFA_LayoutItem* GetLayoutItem() const { return layout_item_.Get(); }
+ CXFA_LayoutItem* GetLayoutItem() const { return layout_item_; }
bool HasMethod(const WideString& func) const;
CJS_Return RunMethod(const WideString& func,
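Review bot: GetLayoutItem() now returns the raw layout_item_ and nothing at the accessor tells callers that the pointer can outlive the CXFA_LayoutItem it refers to. With the UnownedPtr gone there is no lifetime probe left on this path, so a stale read during teardown would go unnoticed. Please add a comment on SetLayoutItem()/GetLayoutItem() stating that the item is owned by the layout processor and must not be dereferenced once that is destroyed, or have the code that frees the item call SetLayoutItem(nullptr) first so the getter returns null instead of a dangling address.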
@@ -272,7 +272,13 @@
void MoveBufferMapData(CXFA_Object* pDstModule);
UnownedPtr<CXFA_Object> object_;
- UnownedPtr<CXFA_LayoutItem> layout_item_;
+ // This is an UnownedPtr but, due to lifetime issues, can't be marked as such
+ // at this point. The CJX_Node is freed by its parent CXFA_Node. The CXFA_Node
+ // will be freed during CXFA_NodeHolder destruction (CXFA_Document
+ // destruction as the only implementation). This will happen after the
+ // CXFA_LayoutProcessor is destroyed in the CXFA_Document, leaving this as a
+ // bad unowned ptr.
+ CXFA_LayoutItem* layout_item_ = nullptr;
std::unique_ptr<XFA_MAPMODULEDATA> map_module_data_;
std::unique_ptr<CXFA_CalcData> calc_data_;
std::map<ByteString, CJX_MethodCall> method_specs_;
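Review bot: the new comment on layout_item_ records that the member ends up as "a bad unowned ptr", but the change only removes the check that detected it; the destruction order between the layout processor and the nodes is unchanged. Since "can't be marked as such at this point" reads as temporary, please add a TODO that references the bug and says what has to change (destroy the nodes before the layout processor, or clear layout_item_ when the item is freed) before this can go back to UnownedPtr<CXFA_LayoutItem>. The comment also says "The CJX_Node is freed by its parent CXFA_Node" while the member lives in CJX_Object, so naming the class consistently with the commit message would avoid confusion.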