Remove destruction_indicator_ from QuicStreamSequencerBuffer.

Existing crashes are not use-after-free. The CHECK's haven't been triggered so far. Merge internal changelist: 204339592 R=zhongyi@chromium.org Change-Id: I2b0549aafff5f639a3a86803aef364dc8c4e059c Bug: 664200 Change-Id: I2b0549aafff5f639a3a86803aef364dc8c4e059c Reviewed-on: https://chromium-review.googlesource.com/1135871 Commit-Queue: Dan Zhang <danzh@chromium.org> Reviewed-by: Zhongyi Shi <zhongyi@chromium.org> Cr-Commit-Position: refs/heads/master@{#575074}

Remove destruction_indicator_ from QuicStreamSequencerBuffer.
Existing crashes are not use-after-free. The CHECK's haven't been triggered so far. Merge internal changelist: 204339592 R=zhongyi@chromium.org Change-Id: I2b0549aafff5f639a3a86803aef364dc8c4e059c Bug: 664200 Change-Id: I2b0549aafff5f639a3a86803aef364dc8c4e059c Reviewed-on: https://chromium-review.googlesource.com/1135871 Commit-Queue: Dan Zhang <danzh@chromium.org> Reviewed-by: Zhongyi Shi <zhongyi@chromium.org> Cr-Commit-Position: refs/heads/master@{#575074}
03bdd99f · Dan Zhang · Commit Bot · ad06a642 · 03bdd99f · 03bdd99f
Commit 03bdd99f authored Jul 13, 2018 by Dan Zhang Committed by Commit Bot Jul 13, 2018
2 changed files
--- a/net/third_party/quic/core/quic_stream_sequencer_buffer.cc
+++ b/net/third_party/quic/core/quic_stream_sequencer_buffer.cc
@@ -33,17 +33,12 @@ QuicStreamSequencerBuffer::QuicStreamSequencerBuffer(size_t max_capacity_bytes)
    : max_buffer_capacity_bytes_(max_capacity_bytes),
      blocks_count_(CalculateBlockCount(max_capacity_bytes)),
      total_bytes_read_(0),
-      blocks_(nullptr),
+      blocks_(nullptr) {
-      destruction_indicator_(123456) {
-  CHECK_GT(blocks_count_, 1u)
-      << "blocks_count_ = " << blocks_count_
-      << ", max_buffer_capacity_bytes_ = " << max_buffer_capacity_bytes_;
  Clear();
 }
 QuicStreamSequencerBuffer::~QuicStreamSequencerBuffer() {
  Clear();
-  destruction_indicator_ = 654321;
 }
 void QuicStreamSequencerBuffer::Clear() {
@@ -75,7 +70,6 @@ QuicErrorCode QuicStreamSequencerBuffer::OnStreamData(
    QuicStringPiece data,
    size_t* const bytes_buffered,
    QuicString* error_details) {
-  CHECK_EQ(destruction_indicator_, 123456) << "This object has been destructed";
  *bytes_buffered = 0;
  size_t size = data.size();
  if (size == 0) {
@@ -229,8 +223,6 @@ QuicErrorCode QuicStreamSequencerBuffer::Readv(const iovec* dest_iov,
                                               size_t dest_count,
                                               size_t* bytes_read,
                                               QuicString* error_details) {
-  CHECK_EQ(destruction_indicator_, 123456) << "This object has been destructed";
  *bytes_read = 0;
  for (size_t i = 0; i < dest_count && ReadableBytes() > 0; ++i) {
    char* dest = reinterpret_cast<char*>(dest_iov[i].iov_base);
@@ -287,8 +279,6 @@ QuicErrorCode QuicStreamSequencerBuffer::Readv(const iovec* dest_iov,
 int QuicStreamSequencerBuffer::GetReadableRegions(struct iovec* iov,
                                                  int iov_count) const {
-  CHECK_EQ(destruction_indicator_, 123456) << "This object has been destructed";
  DCHECK(iov != nullptr);
  DCHECK_GT(iov_count, 0);
@@ -358,8 +348,6 @@ void QuicStreamSequencerBuffer::Read(QuicString* buffer) {
 }
 bool QuicStreamSequencerBuffer::MarkConsumed(size_t bytes_used) {
-  CHECK_EQ(destruction_indicator_, 123456) << "This object has been destructed";
  if (bytes_used > ReadableBytes()) {
    return false;
  }

--- a/net/third_party/quic/core/quic_stream_sequencer_buffer.h
+++ b/net/third_party/quic/core/quic_stream_sequencer_buffer.h
@@ -223,11 +223,6 @@ class QUIC_EXPORT_PRIVATE QuicStreamSequencerBuffer {
  // Number of bytes in buffer.
  size_t num_bytes_buffered_;
-  // For debugging use after free, assigned to 123456 in constructor and 654321
-  // in destructor. As long as it's not 123456, this means either use after free
-  // or memory corruption.
-  int32_t destruction_indicator_;
  // Currently received data.
  QuicIntervalSet<QuicStreamOffset> bytes_received_;