Race between PrefService and PrefMember deletion in PrintingMessageFilter |
|||||
Issue descriptionVersion: Chromium master revision 3a87aecc (#433059) OS: Ubuntu 14.04 64-bit What steps will reproduce the problem? (1) Delete a Profile object What is the expected result? Chromium should not crash. What happens instead? PrintingMessageFilter uses std::unique_ptr<BooleanPrefMember, content::BrowserThread::DeleteOnUIThread>. The Profile object (and the PrefService that it owns) may be deleted on the UI thread before the PrefMember object is deleted on the UI thread due to the async execution of DeleteOnUIThread. This results in a heap-use-after-free when the PrefMember is deleted due to it referencing the (already deleted) PrefService. Please use labels and text to provide additional information. PrintingMessageFilter should be modified so that it: (1) Overrides OnDestruct() to delete the PrintingMessageFilter on the UI thread, and; (2) Does not store the BooleanPrefMember in a std::unique_ptr, and; (3) Uses KeyedServiceShutdownNotifier to call a ShutdownOnUIThread method when the associated Profile object is deleted. ShutdownOnUIThread then calls PrefMember::Detach(). After these changes it will not matter which is deleted first on the UI thread; the PrintingMessageFilter or the Profile. If the PrintingMessageFilter is deleted first then the PrefMember will be deleted via PrintingMessageFilter destruction. If the Profile is deleted first then PrefMember::Detach() will be called from ShutdownOnUIThread. See ShutdownNotifierFactory in extensions/browser/extension_message_filter.cc for an example of this design. Related discussion in https://groups.google.com/a/chromium.org/d/msg/chromium-dev/O1g0786S3ZY/KdCSFwRRBgAJ.
,
Nov 30 2016
,
Nov 30 2016
,
Dec 1 2016
,
Dec 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/654f42dca9af36fa50f097514a39e97682c27730 commit 654f42dca9af36fa50f097514a39e97682c27730 Author: rbpotter <rbpotter@chromium.org> Date: Fri Dec 02 22:17:07 2016 Fix heap use-after-free in PrintingMessageFilter Change PrintingMessageFilter and PluginInfoMessageFilter to use KeyedServiceShutdownNotifier. This prevents the warning on Chrome shutdown about pref observers due to PluginInfoMessageFilter not destroying the pref observers and prevents a possible use after free in PrintingMessageFilter if the Profile and PrefMember were deleted before the pointer to the PrefMember it was storing previously. BUG= 669289 Review-Url: https://codereview.chromium.org/2540253002 Cr-Commit-Position: refs/heads/master@{#436049} [modify] https://crrev.com/654f42dca9af36fa50f097514a39e97682c27730/chrome/browser/plugins/plugin_info_message_filter.cc [modify] https://crrev.com/654f42dca9af36fa50f097514a39e97682c27730/chrome/browser/plugins/plugin_info_message_filter.h [modify] https://crrev.com/654f42dca9af36fa50f097514a39e97682c27730/chrome/browser/printing/printing_message_filter.cc [modify] https://crrev.com/654f42dca9af36fa50f097514a39e97682c27730/chrome/browser/printing/printing_message_filter.h
,
Dec 2 2016
Thanks for fixing so quickly!
,
Dec 5 2016
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by weili@chromium.org
, Nov 29 2016