Enable wexit_time_destructors config in device/fido code

Clean up existing exit time destructors and ensure this directory does
not add more going forward.

Bug: 101600
Low-Coverage-Reason: TRIVIAL_CHANGE just removing a static keyword
Change-Id: I1879359ffe63b1554cc7c41685057d1a9b286045
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4908405
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1207131}

device/fido/BUILD.gn

@@ -83,6 +83,8 @@ component("fido") {
     "//services/device/public/mojom",
   ]
 
+  configs += [ "//build/config/compiler:wexit_time_destructors" ]
+
   # Android implementation of FIDO is delegated to GMSCore.
   if (!is_android) {
     sources += [
@@ -322,6 +324,7 @@ static_library("cablev2_registration") {
     "//components/gcm_driver/instance_id",
     "//third_party/boringssl",
   ]
+  configs += [ "//build/config/compiler:wexit_time_destructors" ]
 }
 
 static_library("cablev2_authenticator") {
@@ -336,6 +339,7 @@ static_library("cablev2_authenticator") {
     "//content/public/common",  # for authenticator.mojom
     "//services/network/public/mojom",
   ]
+  configs += [ "//build/config/compiler:wexit_time_destructors" ]
 }
 
 static_library("cablev2_test_util") {

device/fido/cros/authenticator.cc

@@ -12,6 +12,7 @@
 #include "base/barrier_closure.h"
 #include "base/containers/span.h"
 #include "base/functional/bind.h"
+#include "base/no_destructor.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "chromeos/dbus/u2f/u2f_client.h"
@@ -66,9 +67,9 @@ AuthenticatorSupportedOptions ChromeOSAuthenticatorOptions(bool u2f_enabled) {
 }  // namespace
 
 const AuthenticatorSupportedOptions& ChromeOSAuthenticator::Options() const {
-  static const AuthenticatorSupportedOptions options =
-      ChromeOSAuthenticatorOptions(u2f_enabled_);
-  return options;
+  static const base::NoDestructor<AuthenticatorSupportedOptions> options(
+      ChromeOSAuthenticatorOptions(u2f_enabled_));
+  return *options;
 }
 
 absl::optional<FidoTransportProtocol>

device/fido/enclave/enclave_authenticator.cc

@@ -11,6 +11,7 @@
 #include "base/functional/bind.h"
 #include "base/functional/callback.h"
 #include "base/json/json_writer.h"
+#include "base/no_destructor.h"
 #include "base/ranges/algorithm.h"
 #include "components/device_event_log/device_event_log.h"
 #include "components/sync/protocol/webauthn_credential_specifics.pb.h"
@@ -212,9 +213,9 @@ std::string EnclaveAuthenticator::GetId() const {
 }
 
 const AuthenticatorSupportedOptions& EnclaveAuthenticator::Options() const {
-  static const AuthenticatorSupportedOptions options =
-      EnclaveAuthenticatorOptions();
-  return options;
+  static const base::NoDestructor<AuthenticatorSupportedOptions> options(
+      EnclaveAuthenticatorOptions());
+  return *options;
 }
 
 absl::optional<FidoTransportProtocol>

device/fido/enclave/enclave_discovery.cc

@@ -41,9 +41,9 @@ void EnclaveAuthenticatorDiscovery::AddAuthenticator() {
 
   // TODO(kenrb): These temporary hard-coded values will be replaced by real
   // values, plumbed from chrome layer.
-  static GURL localUrl = GURL("http://127.0.0.1:8880");
-  static char testUsername[] = "testuser";
-  static uint8_t peerPublicKey[kP256X962Length] = {
+  const GURL local_url = GURL("http://127.0.0.1:8880");
+  static const char test_username[] = "testuser";
+  static const uint8_t peer_public_key[kP256X962Length] = {
       4,   244, 60,  222, 80,  52,  238, 134, 185, 2,   84,  48,  248,
       87,  211, 219, 145, 204, 130, 45,  180, 44,  134, 205, 239, 90,
       127, 34,  229, 225, 93,  163, 51,  206, 28,  47,  134, 238, 116,
@@ -51,8 +51,8 @@ void EnclaveAuthenticatorDiscovery::AddAuthenticator() {
       179, 110, 145, 23,  34,  208, 25,  171, 184, 129, 14,  84,  80};
   std::vector<uint8_t> device_id = {1, 2, 3, 4};
   authenticator_ = std::make_unique<EnclaveAuthenticator>(
-      localUrl, peerPublicKey, std::move(passkeys_), std::move(device_id),
-      testUsername, EnclaveRequestSigningCallback());
+      local_url, peer_public_key, std::move(passkeys_), std::move(device_id),
+      test_username, EnclaveRequestSigningCallback());
   observer()->DiscoveryStarted(this, /*success=*/true, {authenticator_.get()});
 }
 

device/fido/mac/authenticator.mm

@@ -10,6 +10,7 @@
 #include "base/functional/bind.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
+#include "base/no_destructor.h"
 #include "base/strings/string_piece.h"
 #import "base/task/sequenced_task_runner.h"
 #include "base/task/sequenced_task_runner.h"
@@ -142,9 +143,9 @@ AuthenticatorSupportedOptions TouchIdAuthenticatorOptions() {
 }  // namespace
 
 const AuthenticatorSupportedOptions& TouchIdAuthenticator::Options() const {
-  static const AuthenticatorSupportedOptions options =
-      TouchIdAuthenticatorOptions();
-  return options;
+  static const base::NoDestructor<AuthenticatorSupportedOptions> options(
+      TouchIdAuthenticatorOptions());
+  return *options;
 }
 
 void TouchIdAuthenticator::GetTouch(base::OnceClosure callback) {

device/fido/mac/icloud_keychain.mm

@@ -12,6 +12,7 @@
 #include "base/functional/callback.h"
 #include "base/memory/scoped_refptr.h"
 #include "base/metrics/histogram_functions.h"
+#include "base/no_destructor.h"
 #include "base/notreached.h"
 #include "base/ranges/algorithm.h"
 #include "base/strings/string_number_conversions.h"
@@ -258,8 +259,9 @@ class API_AVAILABLE(macos(13.3)) Authenticator : public FidoAuthenticator {
   std::string GetId() const override { return "iCloudKeychain"; }
 
   const AuthenticatorSupportedOptions& Options() const override {
-    static const AuthenticatorSupportedOptions options = AuthenticatorOptions();
-    return options;
+    static const base::NoDestructor<AuthenticatorSupportedOptions> options(
+        AuthenticatorOptions());
+    return *options;
   }
 
   absl::optional<FidoTransportProtocol> AuthenticatorTransport()

device/fido/mac/icloud_keychain_sys.mm

@@ -8,6 +8,7 @@
 
 #include "base/functional/callback.h"
 #include "base/memory/scoped_refptr.h"
+#include "base/no_destructor.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/task/sequenced_task_runner.h"
 #include "components/device_event_log/device_event_log.h"
@@ -368,15 +369,15 @@ class API_AVAILABLE(macos(13.3)) NativeSystemInterface
 
 API_AVAILABLE(macos(13.3))
 scoped_refptr<SystemInterface> GetNativeSystemInterface() {
-  static scoped_refptr<SystemInterface> native_sys_interface =
-      base::MakeRefCounted<NativeSystemInterface>();
-  return native_sys_interface;
+  static base::NoDestructor<scoped_refptr<SystemInterface>>
+      native_sys_interface(base::MakeRefCounted<NativeSystemInterface>());
+  return *native_sys_interface;
 }
 
 API_AVAILABLE(macos(13.3))
 scoped_refptr<SystemInterface>& GetTestInterface() {
-  static scoped_refptr<SystemInterface> test_interface;
-  return test_interface;
+  static base::NoDestructor<scoped_refptr<SystemInterface>> test_interface;
+  return *test_interface;
 }
 
 }  // namespace

device/fido/win/type_conversions.cc

@@ -8,7 +8,7 @@
 #include <string>
 #include <vector>
 
-#include "base/containers/contains.h"
+#include "base/containers/fixed_flat_map.h"
 #include "base/containers/span.h"
 #include "base/logging.h"
 #include "base/numerics/safe_conversions.h"
@@ -282,7 +282,7 @@ uint32_t ToWinLargeBlobSupport(LargeBlobSupport large_blob_support) {
 }
 
 CtapDeviceResponseCode WinErrorNameToCtapDeviceResponseCode(
-    const std::u16string& error_name) {
+    std::u16string_view error_name) {
   // See WebAuthNGetErrorName in <webauthn.h> for these string literals.
   //
   // Note that the set of errors that browser are allowed to return in a
@@ -291,8 +291,8 @@ CtapDeviceResponseCode WinErrorNameToCtapDeviceResponseCode(
   // permissible errors are "InvalidStateError" (aka CREDENTIAL_EXCLUDED in
   // Chromium code) and "NotAllowedError". Hence, we can collapse the set of
   // Windows errors to a smaller set of CtapDeviceResponseCodes.
-  static base::flat_map<std::u16string, CtapDeviceResponseCode>
-      kResponseCodeMap({
+  constexpr auto kResponseCodeMap =
+      base::MakeFixedFlatMap<std::u16string_view, CtapDeviceResponseCode>({
           {u"Success", CtapDeviceResponseCode::kSuccess},
           {u"InvalidStateError",
            CtapDeviceResponseCode::kCtap2ErrCredentialExcluded},
@@ -304,11 +304,12 @@ CtapDeviceResponseCode WinErrorNameToCtapDeviceResponseCode(
            CtapDeviceResponseCode::kCtap2ErrOperationDenied},
           {u"UnknownError", CtapDeviceResponseCode::kCtap2ErrOperationDenied},
       });
-  if (!base::Contains(kResponseCodeMap, error_name)) {
+  const auto* it = kResponseCodeMap.find(error_name);
+  if (it == kResponseCodeMap.end()) {
     FIDO_LOG(ERROR) << "Unexpected error name: " << error_name;
     return CtapDeviceResponseCode::kCtap2ErrOperationDenied;
   }
-  return kResponseCodeMap[error_name];
+  return it->second;
 }
 
 COMPONENT_EXPORT(DEVICE_FIDO)

device/fido/win/type_conversions.h

@@ -66,7 +66,7 @@ uint32_t ToWinLargeBlobSupport(LargeBlobSupport large_blob_support);
 // WinCtapDeviceResponseCodeTo{MakeCredential,GetAssertion}Status().
 COMPONENT_EXPORT(DEVICE_FIDO)
 CtapDeviceResponseCode WinErrorNameToCtapDeviceResponseCode(
-    const std::u16string& error_name);
+    std::u16string_view error_name);
 
 // WinCtapDeviceResponseCodeToMakeCredentialStatus returns the
 // MakeCredentialStatus that corresponds to a synthetic CtapDeviceResponseCode

device/fido/win/webauthn_api.cc

@@ -31,7 +31,7 @@ namespace device {
 
 namespace {
 
-raw_ptr<WinWebAuthnApi> g_api_override = nullptr;
+WinWebAuthnApi* g_api_override = nullptr;
 
 // Time out all Windows API requests after 5 minutes. We maintain our own
 // timeout and cancel the operation when it expires, so this value simply needs