Chromium Code Reviews Chromium Code Reviews
Issue 888143003:
Fix a use after free crasher in the ReadAsync task initiated on Windows by the FileStream::Context:… (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/file_stream_context.h" | 5 #include "net/base/file_stream_context.h" |
| 6 | 6 |
| 7 #include <windows.h> | 7 #include <windows.h> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 23 matching lines...) Expand all Loading... | |
| 34 SetOffset(overlapped, offset); | 34 SetOffset(overlapped, offset); |
| 35 } | 35 } |
| 36 | 36 |
| 37 } // namespace | 37 } // namespace |
| 38 | 38 |
| 39 FileStream::Context::Context(const scoped_refptr<base::TaskRunner>& task_runner) | 39 FileStream::Context::Context(const scoped_refptr<base::TaskRunner>& task_runner) |
| 40 : io_context_(), | 40 : io_context_(), |
| 41 async_in_progress_(false), | 41 async_in_progress_(false), |
| 42 orphaned_(false), | 42 orphaned_(false), |
| 43 task_runner_(task_runner), | 43 task_runner_(task_runner), |
| 44 weak_ptr_factory_(this) { | 44 async_read_initiated_(false), |
| 45 async_read_completed_(false), | |
| 46 io_complete_for_read_received_(false), | |
| 47 result_(0) { | |
| 45 io_context_.handler = this; | 48 io_context_.handler = this; |
| 46 memset(&io_context_.overlapped, 0, sizeof(io_context_.overlapped)); | 49 memset(&io_context_.overlapped, 0, sizeof(io_context_.overlapped)); |
| 47 } | 50 } |
| 48 | 51 |
| 49 FileStream::Context::Context(base::File file, | 52 FileStream::Context::Context(base::File file, |
| 50 const scoped_refptr<base::TaskRunner>& task_runner) | 53 const scoped_refptr<base::TaskRunner>& task_runner) |
| 51 : io_context_(), | 54 : io_context_(), |
| 52 file_(file.Pass()), | 55 file_(file.Pass()), |
| 53 async_in_progress_(false), | 56 async_in_progress_(false), |
| 54 orphaned_(false), | 57 orphaned_(false), |
| 55 task_runner_(task_runner), | 58 task_runner_(task_runner), |
| 56 weak_ptr_factory_(this) { | 59 async_read_initiated_(false), |
| 60 async_read_completed_(false), | |
| 61 io_complete_for_read_received_(false), | |
| 62 result_(0) { | |
| 57 io_context_.handler = this; | 63 io_context_.handler = this; |
| 58 memset(&io_context_.overlapped, 0, sizeof(io_context_.overlapped)); | 64 memset(&io_context_.overlapped, 0, sizeof(io_context_.overlapped)); |
| 59 if (file_.IsValid()) { | 65 if (file_.IsValid()) { |
| 60 // TODO(hashimoto): Check that file_ is async. | 66 // TODO(hashimoto): Check that file_ is async. |
| 61 OnFileOpened(); | 67 OnFileOpened(); |
| 62 } | 68 } |
| 63 } | 69 } |
| 64 | 70 |
| 65 FileStream::Context::~Context() { | 71 FileStream::Context::~Context() { |
| 66 } | 72 } |
| 67 | 73 |
| 68 int FileStream::Context::Read(IOBuffer* buf, | 74 int FileStream::Context::Read(IOBuffer* buf, |
| 69 int buf_len, | 75 int buf_len, |
| 70 const CompletionCallback& callback) { | 76 const CompletionCallback& callback) { |
| 71 // TODO(vadimt): Remove ScopedTracker below once crbug.com/423948 is fixed. | 77 // TODO(vadimt): Remove ScopedTracker below once crbug.com/423948 is fixed. |
| 72 tracked_objects::ScopedTracker tracking_profile( | 78 tracked_objects::ScopedTracker tracking_profile( |
| 73 FROM_HERE_WITH_EXPLICIT_FUNCTION("423948 FileStream::Context::Read")); | 79 FROM_HERE_WITH_EXPLICIT_FUNCTION("423948 FileStream::Context::Read")); |
| 74 | 80 |
| 75 DCHECK(!async_in_progress_); | 81 DCHECK(!async_in_progress_); |
| 82 DCHECK(!async_read_initiated_); | |
| 83 DCHECK(!async_read_completed_); | |
| 84 DCHECK(!io_complete_for_read_received_); | |
| 76 | 85 |
| 77 IOCompletionIsPending(callback, buf); | 86 IOCompletionIsPending(callback, buf); |
| 78 | 87 |
|
rvargas (doing something else)
2015/02/06 00:07:02
nit: remove this line
ananta
2015/02/06 01:18:19
Done.
| |
| 79 base::WorkerPool::PostTask( | 88 async_read_initiated_ = true; |
| 89 | |
| 90 task_runner_->PostTask( | |
| 80 FROM_HERE, | 91 FROM_HERE, |
| 81 base::Bind(&FileStream::Context::ReadAsync, | 92 base::Bind(&FileStream::Context::ReadAsync, base::Unretained(this), |
| 82 weak_ptr_factory_.GetWeakPtr(), file_.GetPlatformFile(), | 93 file_.GetPlatformFile(), make_scoped_refptr(buf), buf_len, |
| 83 make_scoped_refptr(buf), buf_len, &io_context_.overlapped, | 94 &io_context_.overlapped, |
| 84 base::MessageLoop::current()->message_loop_proxy()), | 95 base::MessageLoop::current()->message_loop_proxy())); |
| 85 false); | |
| 86 | |
| 87 return ERR_IO_PENDING; | 96 return ERR_IO_PENDING; |
| 88 } | 97 } |
| 89 | 98 |
| 90 int FileStream::Context::Write(IOBuffer* buf, | 99 int FileStream::Context::Write(IOBuffer* buf, |
| 91 int buf_len, | 100 int buf_len, |
| 92 const CompletionCallback& callback) { | 101 const CompletionCallback& callback) { |
| 93 DWORD bytes_written = 0; | 102 DWORD bytes_written = 0; |
| 94 if (!WriteFile(file_.GetPlatformFile(), buf->data(), buf_len, | 103 if (!WriteFile(file_.GetPlatformFile(), buf->data(), buf_len, |
| 95 &bytes_written, &io_context_.overlapped)) { | 104 &bytes_written, &io_context_.overlapped)) { |
| 96 IOResult error = IOResult::FromOSError(GetLastError()); | 105 IOResult error = IOResult::FromOSError(GetLastError()); |
| (...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 133 } | 142 } |
| 134 | 143 |
| 135 void FileStream::Context::OnIOCompleted( | 144 void FileStream::Context::OnIOCompleted( |
| 136 base::MessageLoopForIO::IOContext* context, | 145 base::MessageLoopForIO::IOContext* context, |
| 137 DWORD bytes_read, | 146 DWORD bytes_read, |
| 138 DWORD error) { | 147 DWORD error) { |
| 139 DCHECK_EQ(&io_context_, context); | 148 DCHECK_EQ(&io_context_, context); |
| 140 DCHECK(!callback_.is_null()); | 149 DCHECK(!callback_.is_null()); |
| 141 DCHECK(async_in_progress_); | 150 DCHECK(async_in_progress_); |
| 142 | 151 |
| 143 async_in_progress_ = false; | 152 if (!async_read_initiated_) |
| 153 async_in_progress_ = false; | |
| 154 | |
| 144 if (orphaned_) { | 155 if (orphaned_) { |
| 156 async_in_progress_ = false; | |
| 145 callback_.Reset(); | 157 callback_.Reset(); |
| 146 in_flight_buf_ = NULL; | 158 in_flight_buf_ = NULL; |
| 147 CloseAndDelete(); | 159 CloseAndDelete(); |
| 148 return; | 160 return; |
| 149 } | 161 } |
| 150 | 162 |
| 151 int result; | 163 result_ = 0; |
|
rvargas (doing something else)
2015/02/06 00:07:02
nit: not needed
| |
| 152 if (error == ERROR_HANDLE_EOF) { | 164 if (error == ERROR_HANDLE_EOF) { |
| 153 result = 0; | 165 result_ = 0; |
| 154 } else if (error) { | 166 } else if (error) { |
| 155 IOResult error_result = IOResult::FromOSError(error); | 167 IOResult error_result = IOResult::FromOSError(error); |
| 156 result = static_cast<int>(error_result.result); | 168 result_ = static_cast<int>(error_result.result); |
| 157 } else { | 169 } else { |
| 158 result = bytes_read; | 170 result_ = bytes_read; |
| 159 IncrementOffset(&io_context_.overlapped, bytes_read); | 171 IncrementOffset(&io_context_.overlapped, bytes_read); |
| 160 } | 172 } |
| 161 | 173 |
| 174 if (async_read_initiated_) | |
| 175 io_complete_for_read_received_ = true; | |
| 176 | |
| 177 InvokeUserCallback(); | |
| 178 } | |
| 179 | |
| 180 void FileStream::Context::InvokeUserCallback() { | |
| 181 // For an asynchonous Read operation don't invoke the user callback until | |
| 182 // we receive the IO completion notification and the asynchronous Read | |
| 183 // completion notification. | |
| 184 if (async_read_initiated_) { | |
| 185 if (!io_complete_for_read_received_ || !async_read_completed_) | |
| 186 return; | |
| 187 async_read_initiated_ = false; | |
| 188 io_complete_for_read_received_ = false; | |
| 189 async_read_completed_ = false; | |
| 190 async_in_progress_ = false; | |
| 191 } | |
| 162 CompletionCallback temp_callback = callback_; | 192 CompletionCallback temp_callback = callback_; |
| 163 callback_.Reset(); | 193 callback_.Reset(); |
| 164 scoped_refptr<IOBuffer> temp_buf = in_flight_buf_; | 194 scoped_refptr<IOBuffer> temp_buf = in_flight_buf_; |
| 165 in_flight_buf_ = NULL; | 195 in_flight_buf_ = NULL; |
| 166 temp_callback.Run(result); | 196 temp_callback.Run(result_); |
| 167 } | 197 } |
| 168 | 198 |
| 169 // static | 199 // static |
| 170 void FileStream::Context::ReadAsync( | 200 void FileStream::Context::ReadAsync( |
| 171 const base::WeakPtr<FileStream::Context>& context, | 201 FileStream::Context* context, |
| 172 HANDLE file, | 202 HANDLE file, |
| 173 scoped_refptr<net::IOBuffer> buf, | 203 scoped_refptr<net::IOBuffer> buf, |
| 174 int buf_len, | 204 int buf_len, |
| 175 OVERLAPPED* overlapped, | 205 OVERLAPPED* overlapped, |
| 176 scoped_refptr<base::MessageLoopProxy> origin_thread_loop) { | 206 scoped_refptr<base::MessageLoopProxy> origin_thread_loop) { |
| 177 DWORD bytes_read = 0; | 207 DWORD bytes_read = 0; |
| 178 if (!ReadFile(file, buf->data(), buf_len, &bytes_read, overlapped)) { | 208 ReadFile(file, buf->data(), buf_len, &bytes_read, overlapped); |
|
rvargas (doing something else)
2015/02/06 00:07:02
if the function succeeds, pass bytes_read to the o
ananta
2015/02/06 01:18:19
Done.
| |
| 179 origin_thread_loop->PostTask( | 209 origin_thread_loop->PostTask( |
| 180 FROM_HERE, base::Bind(&FileStream::Context::ReadAsyncResult, context, | 210 FROM_HERE, base::Bind(&FileStream::Context::ReadAsyncResult, |
| 181 ::GetLastError())); | 211 base::Unretained(context), ::GetLastError())); |
| 182 } | |
| 183 } | 212 } |
| 184 | 213 |
| 185 void FileStream::Context::ReadAsyncResult(DWORD os_error) { | 214 void FileStream::Context::ReadAsyncResult(DWORD os_error) { |
| 186 IOResult error = IOResult::FromOSError(os_error); | 215 IOResult error = IOResult::FromOSError(os_error); |
| 187 if (error.os_error == ERROR_HANDLE_EOF) { | 216 if (error.os_error == ERROR_HANDLE_EOF) { |
| 188 // Report EOF by returning 0 bytes read. | 217 // Report EOF by returning 0 bytes read. |
| 189 OnIOCompleted(&io_context_, 0, error.os_error); | 218 OnIOCompleted(&io_context_, 0, error.os_error); |
| 190 } else if (error.os_error != ERROR_IO_PENDING) { | 219 } else if (error.os_error != ERROR_IO_PENDING) { |
| 191 // We don't need to inform the caller about ERROR_PENDING_IO as that was | 220 // We don't need to inform the caller about ERROR_PENDING_IO as that was |
| 192 // already done when the ReadFile call was queued to the worker pool. | 221 // already done when the ReadFile call was queued to the worker pool. |
| 193 if (error.os_error) | 222 if (error.os_error) { |
| 194 LOG(WARNING) << "ReadFile failed: " << error.os_error; | 223 LOG(WARNING) << "ReadFile failed: " << error.os_error; |
| 195 OnIOCompleted(&io_context_, 0, error.os_error); | 224 OnIOCompleted(&io_context_, 0, error.os_error); |
| 225 } | |
| 196 } | 226 } |
| 227 async_read_completed_ = true; | |
| 228 InvokeUserCallback(); | |
| 197 } | 229 } |
| 198 | 230 |
| 199 } // namespace net | 231 } // namespace net |
| OLD | NEW |
