chromium/src
0
Fork 0
Code Activity

Fix use-after-free in CoordinatorImplTest.

Browse Source 
The CoordinatorImpl creates a TracingObserverProto which registers
itself as a data source with PerfettoTracedProcess. However, the
worker thread owned by the TaskEnvironment may access the list of data
sources, which will lead to a use-after-free if the CoordinatorImpl
is destroyed before the TaskEnvironment. Fix the problem by destroying
the objects in the other order.

Found using the PartitionAlloc MTE support patch:
https://chromium-review.googlesource.com/c/chromium/src/+/2695355

Change-Id: I37b505601ec0c33355a3a27af211ed349ef65a1c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3050835
Reviewed-by: ssid <ssid@chromium.org>
Commit-Queue: Peter Collingbourne <pcc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#905378}
This commit is contained in:
Peter Collingbourne
2021-07-26 20:00:11 +00:00
committed by Chromium LUCI CQ
parent b38efab70f
commit e11f7e9962
1 changed files with 8 additions and 5 deletions

13
services/resource_coordinator/memory_instrumentation/coordinator_impl_unittest.cc

@ -73,9 +73,14 @@ class CoordinatorImplTest : public testing::Test {
void SetUp() override {
coordinator_ = std::make_unique<NiceMock<FakeCoordinatorImpl>>();
task_environment_ = std::make_unique<base::test::TaskEnvironment>(
base::test::SingleThreadTaskEnvironment::TimeSource::MOCK_TIME);
}
void TearDown() override { coordinator_.reset(); }
void TearDown() override {
task_environment_.reset();
coordinator_.reset();
}
void RegisterClientProcess(
mojo::PendingReceiver<mojom::Coordinator> receiver,
@ -132,9 +137,7 @@ class CoordinatorImplTest : public testing::Test {
protected:
std::unique_ptr<NiceMock<FakeCoordinatorImpl>> coordinator_;
base::test::TaskEnvironment task_environment_{
base::test::SingleThreadTaskEnvironment::TimeSource::MOCK_TIME};
std::unique_ptr<base::test::TaskEnvironment> task_environment_;
};
class MockClientProcess : public mojom::ClientProcess {
@ -304,7 +307,7 @@ TEST_F(CoordinatorImplTest, QueuedRequest) {
// This variable to be static as the lambda below has to convert to a function
// pointer rather than a functor.
static base::test::TaskEnvironment* task_environment = nullptr;
task_environment = &task_environment_;
task_environment = task_environment_.get();
NiceMock<MockClientProcess> client_process_1(this, 1,
mojom::ProcessType::BROWSER);