PepperNetworkProxyHost does track proxy resolution requests correctly
Issue description

From glancing at PepperNetworkProxyHost::TryToSendUnsentRequests() [1] and PepperNetworkProxyHost::OnResolveProxyCompleted() [2], it seems to be assuming that ProxyResolutionService::ResolveProxy() requests complete in FIFO order. That is incorrect, as neither the API for ResolveProxy(), nor its implementation, guarantee FIFO completion of requests.

If the requests complete in a non-FIFO order this could result in a use-after-free from PepperNetworkProxyHost::~PepperNetworkProxyHost as it tries to cancel an already deleted request.

[1] https://cs.chromium.org/chromium/src/content/browser/renderer_host/pepper/pepper_network_proxy_host.cc?sq=package:chromium&dr=CSs&l=151
[2] https://cs.chromium.org/chromium/src/content/browser/renderer_host/pepper/pepper_network_proxy_host.cc?sq=package:chromium&dr=CSs&l=165
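The bookkeeping problem described in the issue, modeled as an added C++ example that is not Chromium's code and not part of the original report. `Resolver`, `FifoHost` and `KeyedHost` are hypothetical stand-ins, and integer ids replace request pointers so that a cancel of an already freed request is counted rather than executed.

```cpp
// Added illustration with hypothetical types; not Chromium code.
#include <cstddef>
#include <cstdint>
#include <deque>
#include <set>

using RequestId = std::uint64_t;  // stands in for a request pointer

// Hypothetical resolver: frees a request on completion, in any order.
struct Resolver {
  std::set<RequestId> live;
  RequestId next = 1;
  RequestId Start() { live.insert(next); return next++; }
  void Complete(RequestId id) { live.erase(id); }  // request is freed here
  bool Cancel(RequestId id) { return live.erase(id) == 1; }  // false: freed
};

// FIFO assumption: treats the oldest pending entry as the one that completed.
struct FifoHost {
  std::deque<RequestId> pending;
  void OnStarted(RequestId id) { pending.push_back(id); }
  void OnCompleted(RequestId) { pending.pop_front(); }
};

// Keyed tracking: removes exactly the request that completed.
struct KeyedHost {
  std::set<RequestId> pending;
  void OnStarted(RequestId id) { pending.insert(id); }
  void OnCompleted(RequestId id) { pending.erase(id); }
};

struct TeardownResult { int stale_cancels; std::size_t leaked; };
// Starts three requests, completes the middle one first, then cancels
// whatever the host still lists as pending, as a destructor would.
template <typename Host>
TeardownResult TeardownAfterOutOfOrderCompletion() {
  Resolver resolver;
  Host host;
  for (int i = 0; i < 3; ++i) host.OnStarted(resolver.Start());  // ids 1, 2, 3
  resolver.Complete(2);
  host.OnCompleted(2);
  int stale = 0;
  for (RequestId id : host.pending)
    if (!resolver.Cancel(id)) ++stale;  // cancel of an already freed request
  return {stale, resolver.live.size()};
}

int main() {
  return TeardownAfterOutOfOrderCompletion<KeyedHost>().stale_cancels;
}
```

With the FIFO bookkeeping the teardown loop both cancels a request that was already freed and never cancels the oldest request, which is still in flight.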
Feb 8 2018
That's not great. On the other hand, they should be updated to use the Mojo proxy interface, anyways, so could just do both at the same time.
Feb 8 2018
This may also get cleaned up (if at least partially) by crbug.com/806097 (I noticed these problems while reviewing code for that - https://chromium-review.googlesource.com/c/chromium/src/+/887598).
Comment 1 Deleted