From 301bd8aec0069d9fe2a830e3fca76f20a90c5061 Mon Sep 17 00:00:00 2001
From: loc
Date: Fri, 10 Jan 2020 15:59:50 -0800
Subject: [PATCH] fix: avoid contextBridge double free on garbage collection (#21592)

* fix: reset next/prev pointers for life-monitored nodes

* fix: don't double-delete nodes in a linked list
---
 .../context_bridge/render_frame_context_bridge_store.cc | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/shell/renderer/api/context_bridge/render_frame_context_bridge_store.cc b/shell/renderer/api/context_bridge/render_frame_context_bridge_store.cc
index eb826bac75360..16e14a3c15d50 100644
--- a/shell/renderer/api/context_bridge/render_frame_context_bridge_store.cc
+++ b/shell/renderer/api/context_bridge/render_frame_context_bridge_store.cc
@@ -47,9 +47,11 @@ class CachedProxyLifeMonitor final : public ObjectLifeMonitor {
     }
     if (node_->prev) {
       node_->prev->next = node_->next;
+      node_->prev = nullptr;
     }
     if (node_->next) {
       node_->next->prev = node_->prev;
+      node_->next = nullptr;
     }
     if (!node_->prev && !node_->next) {
       // Must be a single length linked list
@@ -76,11 +78,7 @@ WeakGlobalPairNode::WeakGlobalPairNode(WeakGlobalPair pair) {
   this->pair = std::move(pair);
 }
 
-WeakGlobalPairNode::~WeakGlobalPairNode() {
-  if (next) {
-    delete next;
-  }
-}
+WeakGlobalPairNode::~WeakGlobalPairNode() {}
 
 RenderFramePersistenceStore::RenderFramePersistenceStore(
     content::RenderFrame* render_frame)
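Review bot: The first added line clears `node_->prev` before the second `if`, so `node_->next->prev = node_->prev;` now writes nullptr into the successor instead of the original predecessor, and unlinking a middle node leaves the list split; the later `if (!node_->prev && !node_->next)` check also becomes unconditionally true once both resets have run, so the "Must be a single length linked list" comment no longer describes when that branch executes. Unlink with the original neighbours and only then drop the node's own links: `auto* prev = node_->prev; auto* next = node_->next; node_->prev = node_->next = nullptr;` followed by `if (prev) prev->next = next; if (next) next->prev = prev;`, and if the "single length" branch is meant to run only for an isolated node, test `!prev && !next` rather than the cleared members. A misplaced `next->prev` can make a sibling later believe it is alone in the list, which is the kind of ownership confusion the commit is trying to remove, so it is worth pinning with a test that unlinks the middle of a three-node list. The enclosing member function starts and ends outside this hunk, so whatever happens after the single-length branch (presumably the delete) is not visible here.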
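Review bot: With the chained `delete next` gone, a `WeakGlobalPairNode` no longer owns its successor, but nothing in the file states who frees each node now; a one-line comment above the destructor such as `// Nodes are not owned by their list neighbours; each node is released by its CachedProxyLifeMonitor once its V8 objects are collected.` would keep the next reader from reintroducing the cascade (the monitor's delete is not visible in this diff, so confirm the wording against it). The empty body is better written as `WeakGlobalPairNode::~WeakGlobalPairNode() = default;`, which keeps the destructor trivially defaulted. Note that the trade is a double free for a potential leak if any node is never reached by a life monitor; if that path exists, it should be documented at the same place.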