Per docs/dangling_ptr_guide.md, invoke `ClearAndDelete()` on
members rather than passing them to a bare `delete`.
- Use reference to avoid copy-constructing additional dangling ptrs.
- Use default member init and pack tighter on 64 bit platforms.
Change-Id: Id2153f092624f2ff76b3566b4a493cffd65d266e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4397638
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1126738}
This CL adjusts the return type of Pickle::data() to be more friendly to
base::span. It also offers a casting helper, called data_as(), to
allow users of data to consume it as different types, in a more
ergonomic way.
Additionally, Pickle::ReadData is being changed to avoid the use of out
params, and rather provide its data through the return type.
Bug: 1420355
Change-Id: I0bfba0be3537285e08c301ce1dd137c4b5d9a9b0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4298216
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Claudio DeSouza <cdesouza@igalia.com>
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1112314}
This enables MojoIpcz by default for most platforms, with or without an
initialized FeatureList.
Not enabled on macOS since that's controlled by an ongoing Finch
experiment. Not enabled on Chrome OS since that's delayed until some
more work can be done on the Chrome OS side.
This also fixes several small issues around the tree which were
surfaced by the Mojo impl change:
- ipc_tests and chrome_cleaner_unittests properly configure
broker/non-broker processes
- some blob storage tests pump tasks on teardown to avoid new leaks
- a now-invalid Mojo Java test has been deleted
- a global tracking table has been added for internal ipcz API objects
and MojoIpcz driver objects to avoid LSan detection of existing
leaks in various test suites around the tree.
- stricter enforcement of platform handle serialization to
avoid situations where non-optional platform handle fields
were accepting null platform handles
- fixes to chrome_cleaner, and gfx tests, to address bad
platform handle usage
- fix to TransferableSocket mojom to make the internal handle
optional, since that's how it's used in practice.
Bug: 1299283,1415046
Change-Id: Ied45f4ac1c64753d204695f08852352d34aa367b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4240555
Reviewed-by: Ayu Ishii <ayui@chromium.org>
Reviewed-by: Joe Mason <joenotcharles@google.com>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/main@{#1105863}
- Do not build all the ipc unittests for iOS since they largely require
multiprocess support.
- Separate the one file content/test needs out into a separate library
Bug: 1411704
Change-Id: I7edb42c18d1ad0a39001f33fa58bf6664b991999
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4240998
Reviewed-by: Ken Rockot <rockot@google.com>
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1104324}
This CL adds compile-time checks that the size parameter passed
to base::span either by the constructor or the base::make_span
function will fit into a size_t type and are not unsigned.
This is achieved by use of base::StrictNumeric parameter to the
methods and constructor.
This has no runtime overhead, as the checks are done at compile
time.
This CL also contains all the remaining mechanical changes needed
to convert signed numeric literal values to unsigned by adding
a 'u' on the end. Any functional or more complex changes have
already landed in other CLs tagged to this bug with separate
owner review.
This CL also adds no-compile tests for the new APIs.
BUG=1385166
Change-Id: Ic2dbd950842dd811a8dc40ac539c8b824ed983a1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4219636
Code-Coverage: Findit <findit-for-me@appspot.gserviceaccount.com>
Owners-Override: danakj <danakj@chromium.org>
Reviewed-by: danakj <danakj@chromium.org>
Commit-Queue: danakj <danakj@chromium.org>
Commit-Queue: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1102320}
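Added example (not Chromium code) covering two of the changes above: the Pickle::data()/data_as()/ReadData change at #1112314 and the base::span StrictNumeric size-parameter check at #1102320. StrictSize, ByteSpan, Pickle and PickleIterator are simplified stand-ins written from the commit descriptions, not copies of the Chromium types; this data_as<T>() copies a value out rather than returning a pointer, and the blob layout (uint32 length, payload, pad to 4) is assumed for the illustration.

```cpp
// Added illustration, not Chromium code; all types here are stand-ins.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <type_traits>
#include <vector>

// Stand-in for base::StrictNumeric<size_t>: only unsigned integer types no
// wider than size_t convert, so an int or negative literal fails to compile.
class StrictSize {
 public:
  template <typename T,
            typename = std::enable_if_t<std::is_integral_v<T> &&
                                        std::is_unsigned_v<T> &&
                                        sizeof(T) <= sizeof(size_t)>>
  constexpr StrictSize(T n) : value_(static_cast<size_t>(n)) {}
  constexpr size_t value() const { return value_; }
 private:
  size_t value_;
};
static_assert(std::is_constructible_v<StrictSize, size_t>, "unsigned accepted");
static_assert(!std::is_constructible_v<StrictSize, int>, "signed rejected");

// Stand-in for base::span<const uint8_t>; the size is taken as StrictSize.
struct ByteSpan {
  const uint8_t* data = nullptr; size_t size = 0;
  ByteSpan() = default;
  ByteSpan(const uint8_t* d, StrictSize n) : data(d), size(n.value()) {}

  // View the leading bytes as a T (memcpy avoids reinterpret_cast alignment UB).
  template <typename T>
  std::optional<T> data_as() const {
    static_assert(std::is_trivially_copyable_v<T>);
    if (size < sizeof(T)) return std::nullopt;
    T v;
    std::memcpy(&v, data, sizeof(T));
    return v;
  }
};

class Pickle {
 public:
  // Per blob: uint32 length, payload, zero padding to a 4-byte boundary.
  bool WriteData(ByteSpan bytes) {
    if (bytes.size > UINT32_MAX) return false;
    const uint32_t n = static_cast<uint32_t>(bytes.size);
    Append(reinterpret_cast<const uint8_t*>(&n), sizeof n);
    Append(bytes.data, n);
    while (buf_.size() % 4 != 0) buf_.push_back(0);
    return true;
  }
  ByteSpan data() const { return ByteSpan(buf_.data(), buf_.size()); }
 private:
  void Append(const uint8_t* p, size_t n) { buf_.insert(buf_.end(), p, p + n); }
  std::vector<uint8_t> buf_;
};

class PickleIterator {
 public:
  explicit PickleIterator(ByteSpan payload) : span_(payload) {}

  // Next blob through the return type (no out-param); nullopt if the header or
  // body would run past the end. pos_ <= span_.size holds, so nothing wraps.
  std::optional<ByteSpan> ReadData() {
    const std::optional<uint32_t> len = Remaining().data_as<uint32_t>();
    if (!len) return std::nullopt;
    const size_t body = pos_ + sizeof(uint32_t);
    if (*len > span_.size - body) return std::nullopt;  // iterator untouched
    const ByteSpan out(span_.data + body, *len);
    pos_ = std::min((body + *len + 3) & ~static_cast<size_t>(3), span_.size);
    return out;
  }
 private:
  ByteSpan Remaining() const { return ByteSpan(span_.data + pos_, span_.size - pos_); }
  ByteSpan span_;
  size_t pos_ = 0;
};

// Two blobs round-trip and the iterator reports the end cleanly.
bool RoundTripOk() {
  const uint8_t a[] = {'h', 'i'}, b[] = {1, 2, 3, 4, 5};
  Pickle p;
  p.WriteData(ByteSpan(a, sizeof a));  // sizeof is size_t; a bare 2 would not compile
  p.WriteData(ByteSpan(b, sizeof b));
  PickleIterator it(p.data());
  const auto ra = it.ReadData(); const auto rb = it.ReadData(); const auto end = it.ReadData();
  return ra && ra->size == 2 && std::memcmp(ra->data, a, 2) == 0 &&
         rb && rb->size == 5 && std::memcmp(rb->data, b, 5) == 0 && !end;
}

// A header claiming 5 payload bytes over a 7-byte buffer (3 bytes of body) is
// rejected instead of being read past the end.
bool TruncatedRejected() {
  const uint8_t b[] = {1, 2, 3, 4, 5};
  Pickle p;
  p.WriteData(ByteSpan(b, sizeof b));
  PickleIterator it(ByteSpan(p.data().data, 7u));  // 7u, not 7: int is rejected
  return !it.ReadData();
}
```

The two static_asserts are the compile-time check the StrictNumeric commit describes: the signed case never reaches a runtime branch, so there is no overhead to measure. The iterator leaves its position unchanged when a blob would overrun, which is what makes the optional return safe to retry or abandon.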
For thread API conformance, a base::Thread must be
started/stopped/destructed on the same thread. For the IPC unit tests,
the IPC thread is created on the "listener" thread, and the CL
https://crrev.com/c/4116950 was created to ensure that the IPC thread
was also stopped/destroyed on the "listener" thread as well.
However, that CL introduced a race condition. The flow is like so:
1. Main thread attempts to shut down, but must block on the listener
thread, so it posts a task to the listener thread to finish up and
notify a sync wait event (for the listener thread) that the main
thread "waits" on
2. Listener thread must destroy the IPC thread, so it creates a sync
event and posts a task to the IPC thread to finish up and notify
the sync event
3. IPC thread finishes itself up, notifies the IPC event (that the
listener thread is waiting for) and then posts another task back to
the listener thread to notify the event (that the main thread is
waiting on) that it is finished
4. Back on the listener thread, which is now unblocked by the IPC
waitable event, the IPC thread is `reset()`/destructed
This means it is possible for the main thread to get notified about the
listener thread shutdown, at the same time the listener thread is
attempting to `reset()`/destroy the IPC thread, which is a race.
To fix this, we have to serialize the operations. The new flow is:
1. Main thread attempts to shut down, and blocks on the listener
thread's waitable event (just like before)
2. Listener thread creates an IPC waitable event, and posts a task to
the IPC thread to finish up and notify the IPC waitable event
3. Only when the IPC thread is finished, does the listener thread
destroy the IPC thread and notify the main thread that the listener
thread is finally done
This gives us the guarantee that when the listener event is finally
unblocked, and the main thread continues destruction, the IPC
base::Thread has already been `reset()`/destroyed, and there is no race
in destruction.
R=rockot@google.com
Bug: 1411770
Change-Id: I8f98cbf62a78ea363c6c67dc17ed424ee33cde05
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4210470
Reviewed-by: Ken Rockot <rockot@google.com>
Commit-Queue: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/main@{#1099554}
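The two shutdown flows described in the message above, as an added example that is not Chromium's code: Event stands in for base::WaitableEvent, Thread for base::Thread (its destructor joins, i.e. stops, the thread), and the caller plays the main thread. RunShutdown(true) is the serialized flow; RunShutdown(false) is the earlier flow in which the IPC thread itself releases the main thread. Everything below is written from the numbered steps in the commit message, not taken from ipc/ test code.

```cpp
// Added illustration, not Chromium code: models the IPC test shutdown
// ordering with std::thread. Event and Thread are stand-ins.
#include <atomic>
#include <condition_variable>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>

// Manual-reset event: after one Signal(), every Wait() returns.
class Event {
 public:
  void Signal() {
    { std::lock_guard<std::mutex> lock(m_); set_ = true; }
    cv_.notify_all();
  }
  void Wait() {
    std::unique_lock<std::mutex> lock(m_);
    cv_.wait(lock, [this] { return set_; });
  }
 private:
  std::mutex m_;
  std::condition_variable cv_;
  bool set_ = false;
};

// The destructor stops (joins) the thread and records that it happened, so
// the main thread can see what had been torn down when it was unblocked.
class Thread {
 public:
  template <typename F>
  Thread(std::atomic<bool>* destroyed, F body)
      : destroyed_(destroyed), t_(std::move(body)) {}
  ~Thread() {
    t_.join();
    destroyed_->store(true);
  }
 private:
  std::atomic<bool>* destroyed_;
  std::thread t_;
};

// Returns true iff the IPC thread had already been destroyed when the main
// thread came out of its wait. serialized=true: the listener waits on the
// IPC event, reset()s the IPC thread, then signals main. serialized=false:
// the IPC thread signals main itself, so main can run while the listener is
// still inside reset(); that is the race.
bool RunShutdown(bool serialized) {
  std::atomic<bool> ipc_destroyed{false};
  Event listener_done;

  std::thread listener([&] {
    Event ipc_done;
    auto ipc = std::make_unique<Thread>(&ipc_destroyed, [&] {
      // ... the IPC thread finishes its own work here ...
      ipc_done.Signal();
      if (!serialized) listener_done.Signal();  // racy: main is released now
    });
    ipc_done.Wait();
    ipc.reset();                              // joins; sets ipc_destroyed
    if (serialized) listener_done.Signal();   // fixed: only after reset()
  });

  listener_done.Wait();                       // main blocks on the listener
  const bool ipc_gone_first = ipc_destroyed.load();
  listener.join();
  return ipc_gone_first;
}

int main() {
  std::printf("serialized: IPC destroyed before main resumed = %d\n", RunShutdown(true));
  std::printf("racy:       IPC destroyed before main resumed = %d\n", RunShutdown(false));
}
```

RunShutdown(true) returns true on every run because the listener's signal is sequenced after reset(). RunShutdown(false) returns false only when the main thread wins the race, which on most runs it does not; that is why the original flow surfaced as intermittent failures rather than a deterministic crash.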
This CL moves existing calls of UnguessableToken::Deserialize
to use the replacement method that returns an absl::optional
instead of an UnguessableToken directly. Once all calls have
been moved, the previous method will be removed and the new
method will be renamed to finish replacement.
There are three remaining Deserialize calls that we will replace
in follow-up CLs:
- `UnguessableTokenAndroid::FromJavaUnguessableToken` and
`PlatformHandleInternal::FromJavaUnguessableToken`, since we
will want these to return an absl::optional also
- `UnguessableToken::CreateForTesting`, since we won't update
that to return an absl::optional and will instead just crash
if high == 0 and low == 0 get passed.
Bug: 1402549
Change-Id: Ibea1abd9e11716f11fb127a6c42c6bfc756b79d4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4135540
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Andrew Williams <awillia@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1096142}
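An added example (not Chromium code) of the API shape the message above moves to: a Deserialize() that returns std::optional instead of a token value, so that a (0, 0) pair from the wire is a handled failure rather than a token equal to a never-assigned member. Token, Session and the two Authorize functions are stand-ins; the LegacyDeserialize() here models the hazard of a sentinel-returning API and is not a claim about what base::UnguessableToken's previous implementation did with zeros.

```cpp
// Added illustration, not Chromium code. Token stands in for UnguessableToken.
#include <cstdint>
#include <cstdio>
#include <optional>

class Token {
 public:
  // A default-constructed Token is the null token: what a member holds
  // before anything was assigned to it.
  Token() = default;

  // Sentinel-returning shape (modeled here): any pair, including (0, 0),
  // becomes a Token, so a peer sending zeros gets a value equal to "unset".
  static Token LegacyDeserialize(uint64_t high, uint64_t low) {
    return Token(high, low);
  }

  // Optional-returning shape: (0, 0) is a deserialization failure the caller
  // has to handle explicitly, never a null token.
  static std::optional<Token> Deserialize(uint64_t high, uint64_t low) {
    if (high == 0 && low == 0) return std::nullopt;
    return Token(high, low);
  }

  bool is_empty() const { return high_ == 0 && low_ == 0; }
  uint64_t high() const { return high_; }
  uint64_t low() const { return low_; }
  bool operator==(const Token& o) const { return high_ == o.high_ && low_ == o.low_; }

 private:
  Token(uint64_t high, uint64_t low) : high_(high), low_(low) {}
  uint64_t high_ = 0;
  uint64_t low_ = 0;
};

// A receiver-side record keyed by token; the token is null until registered.
struct Session {
  Token token;
};

// True only if the wire pair parses and equals the session's token; nullopt
// short-circuits before any comparison happens.
bool AuthorizeWithOptional(const Session& s, uint64_t high, uint64_t low) {
  const std::optional<Token> t = Token::Deserialize(high, low);
  return t.has_value() && *t == s.token;
}

// The same check against the sentinel-returning shape, to show the hazard.
bool AuthorizeLegacy(const Session& s, uint64_t high, uint64_t low) {
  return Token::LegacyDeserialize(high, low) == s.token;
}

// Unregistered session, all-zero wire input: legacy accepts, optional rejects.
bool ZeroTokenHazard() {
  Session unregistered;
  return AuthorizeLegacy(unregistered, 0, 0) &&
         !AuthorizeWithOptional(unregistered, 0, 0);
}

// A registered session still authorizes only its own token.
bool RealTokenStillWorks() {
  Session s;
  s.token = *Token::Deserialize(0x1122334455667788ull, 0x99aabbccddeeff00ull);
  return AuthorizeWithOptional(s, 0x1122334455667788ull, 0x99aabbccddeeff00ull) &&
         !AuthorizeWithOptional(s, 0x1122334455667788ull, 1);
}

int main() {
  std::printf("zero-token hazard shown: %d\n", ZeroTokenHazard());
  std::printf("real token authorizes:   %d\n", RealTokenStillWorks());
}
```

The point of the optional return is visible in AuthorizeWithOptional: the caller cannot forget the failure case, because there is no Token to compare until has_value() is checked. A test-only constructor that crashes on (0, 0), as the message describes for CreateForTesting, is the complementary choice for trusted call sites where a zero pair is a programming error rather than input.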
Add RAW_PTR_EXCLUSION to files in ipc/ media/ where the rewriter could not automatically rewrite.
Change was generated by processing the output of the rewriter.
Bug: 1273182
Change-Id: Ie25b66133c0e422f9e7c6bef601b518537c92684
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4173489
Owners-Override: Keishi Hattori <keishi@chromium.org>
Reviewed-by: Bartek Nowierski <bartekn@chromium.org>
Commit-Queue: Keishi Hattori <keishi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1094331}
Turns out there's a lot of includes, so these will have to be removed
before deleting the implementation of the task runner handles.
To allow the deletion of the task runner handle headers, add
the sequenced/thread task runner handles where they are used in
the codebase with scripts.
This was done with an automated change, with a few touchups afterwards.
The code for the mass-refactor changes is here:
python:
https://paste.googleplex.com/5534570878337024
shell:
https://paste.googleplex.com/6466750748033024
In terms of touchups:
- add sequenced/thread task runner handles to
the third_party/blink/public/DEPS, because multiple files were using
it transitively anyways.
- rewrite certain parts of the codebase which used
ThreadTaskRunnerHandles instead of CurrentDefaultHandles.
- fix a compile issue with forward-declaration in
extensions/browser/extension_file_task_runner.h.
AX-Relnotes: n/a.
Bug: 1026641
Change-Id: I737ef32aee4e77c21eaa3a2bdc403a28322cf1b7
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4133323
Owners-Override: Gabriel Charette <gab@chromium.org>
Commit-Queue: Sean Maher <spvw@chromium.org>
Commit-Queue: Gabriel Charette <gab@chromium.org>
Reviewed-by: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1090532}
As per crbug.com/629139, base::Thread::Stop() is occasionally called on
a different thread than base::Thread::Start(). When you enable the
sequence checker DCHECK in Stop(), various tests fail, some of which are
the IPC unit tests. This is because those tests Start() the "ipc" thread
on the "listener" thread, but Stop() the "ipc" thread on the main thread
in the "Worker" destructor.
This CL makes the "listener" thread itself Stop()/destruct the "ipc"
thread, which is the "proper" usage of the base::Thread API.
Bug: 629139
Change-Id: Iccfa66b114518e50412a3d18f5fbc3d4d3bfd92f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4116950
Commit-Queue: Dominic Farolino <dom@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/main@{#1088505}
Only receivers of bound arg UnsafeDangling should be enforced to receive
raw_ptr<T, MayDangle> as an argument. This will make it clearer that the
handled pointer might effectively be dangling and should not be trusted.
Bug: 1291138
Change-Id: If109264ed2e6c863354a5c8bc515b8b8d1d6886c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4056275
Reviewed-by: danakj <danakj@chromium.org>
Owners-Override: danakj <danakj@chromium.org>
Commit-Queue: danakj <danakj@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1085924}
If we use IPC_MESSAGE_HANDLER_WITH_PARAM_DELAY_REPLY inside an
IPC_BEGIN_MESSAGE_MAP_WITH_PARAM block, we get a compile error.
IPC_MESSAGE_HANDLER_WITH_PARAM_DELAY_REPLY is wrongly defined
because there are extra characters “/”
This CL fixes that error.
BUG=1398425
Change-Id: I223e0780928e38ef8824f9c62c5541bd038f036d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4085582
Reviewed-by: Ken Rockot <rockot@google.com>
Commit-Queue: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/main@{#1082526}
This is effectively dead code, enabled only by feature flags which must
be manually enabled and which were added for investigations that are
no longer being done. The feature flags are also removed.
Fixed: 1399511
Change-Id: I3e6462c728c1ee39848670a2bff4f29be61f1865
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4093879
Reviewed-by: Oksana Zhuravlova <oksamyt@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Commit-Queue: Ken Rockot <rockot@google.com>
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1082320}
It's no longer in use, and DictionaryValues are deprecated. Also update
tests not to use DictionaryValue or ListValue to construct lists and
dicts.
Bug: 1338341
Change-Id: I901807a2713bb6ff315d39810e09a166bd6d767e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4095134
Commit-Queue: Matt Menke <mmenke@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/main@{#1082254}
This patch is a no-op with all the common build flags.
Add the "DanglingUntriaged" raw_ptr annotation. It indicates a raw_ptr
becomes dangling, and it should be triaged/fixed. This will also disable
dangling protection for those pointers, once enabled.
These were identified by running the linux-chromeos-rel CQ bot with DPD
activated (both build + runtime here: https://crrev.com/c/3941825)
Bug: 1291138
Change-Id: I0c1e264101adfb216581c75c93b76b2e3a08ac4d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4066015
Owners-Override: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Ali Hijazi <ahijazi@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1078042}
This patch is a no-op with all the common build flags.
Add the "DanglingUntriaged" raw_ptr annotation. It indicates a raw_ptr
becomes dangling, and it should be triaged/fixed. This will also disable
dangling protection for those pointers, once enabled.
These were identified by running the linux-rel CQ bot with DPD activated
(both build + runtime here: https://crrev.com/c/3941825)
Bug: 1291138
Change-Id: I5e7827e752455b94392184338789c8365fb1597a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4029142
Owners-Override: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Ali Hijazi <ahijazi@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1072120}
The changes were generated by running
tools/clang/rewrite_raw_ref_fields/rewrite-multiple-platforms.sh with
tool-arg=--enable_raw_ref_rewrite
`raw_ref` is a smart pointer for a pointer which can not be null, and
which provides Use-after-Free protection in the same ways as raw_ptr.
This class acts like a combination of std::reference_wrapper and
raw_ptr.
See raw_ptr and //base/memory/raw_ptr.md for more details on the
Use-after-Free protection.
Bug: 1357022
Change-Id: Ibcd714bd5a8e408aa31f07a04c5fc67f7eff4e3e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4001524
Owners-Override: danakj <danakj@chromium.org>
Reviewed-by: danakj <danakj@chromium.org>
Commit-Queue: danakj <danakj@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1069181}
This changes the default Mojo sync call behavior in the browser process
to prevent any blocking sync calls from being interrupted by other
incoming sync IPC dispatches.
Bug: 1376099
Change-Id: I53681ef379fdd3c2bfc37d7e16b3de17acad5d20
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3989408
Commit-Queue: Ken Rockot <rockot@google.com>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1065369}
This is a reland. It only adds macro check to disable
`BindUnretainedDanglingDeathTest.*` on Android.
Removing `DanglingUntriaged` from UnretainedWrapper is hard because
having a ptr being dangling is actually a feature for developers using
`Unretained`. To keep the benefits of having DPD on those, we chose to
make it a pointer not allowed to dangle only at invocation time.
This CL increases binary size, which is due to adding
`ReportIfDangling`.
Binary-Size: Size increase is unavoidable (see above).
Bug: 1291138
Change-Id: I22ad176eec2b19ce45e672d106842a5fbb4d8c9b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3916476
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Paul Semel <paulsemel@chromium.org>
Reviewed-by: danakj <danakj@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1052278}
Removing `DanglingUntriaged` from UnretainedWrapper is hard because
having a ptr being dangling is actually a feature for developers using
`Unretained`. To keep the benefits of having DPD on those, we chose to
make it a pointer not allowed to dangle only at invocation time.
This CL increases binary size, which is due to adding
`ReportPointeeAlive`.
Binary-Size: Size increase is unavoidable (see above).
Bug: 1291138
Change-Id: Ib794c3b85af6630ef4141c80ef32757a515170a8
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3829315
Reviewed-by: Sergei Glazunov <glazunov@google.com>
Owners-Override: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: danakj <danakj@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Commit-Queue: Paul Semel <paulsemel@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1050647}
These are all instances where the file is included erroneously.
There are also a few instances of a header including it, and then a
source file neglecting to because it was transiently included. These
have been fixed.
Bug: 1026641
Change-Id: I6beb9be69f7dd329bd2a210d51a8d9cc94787d0a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3891102
Auto-Submit: Sean Maher <spvw@chromium.org>
Commit-Queue: Gabriel Charette <gab@chromium.org>
Reviewed-by: Gabriel Charette <gab@chromium.org>
Owners-Override: Gabriel Charette <gab@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1047243}
This implements all IpczDriver API functions for the mojo-ipcz driver,
and registers the driver in ipc_tests so it gets coverage from ipcz
multinode tests.
This also mechanically shovels a bunch of code from PlatformChannel to
PlatformChannelEndpoint where it makes more sense and where it's needed
by the new test driver.
Bug: 1299283
Change-Id: Ib1df7017650b9378a82a87e3a9bf25d136558e99
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3822718
Reviewed-by: Alex Gough <ajgo@chromium.org>
Commit-Queue: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/main@{#1037869}