[cc/metrics] Fix UAF in ReportThroughputUkm

This CL fixes a use-after-free problem in the ThroughputUkmReporter::ReportThroughputUkm. The root cause of this problem is that the ThroughputUkmReporter is freed when this is getting called. Bug: 1105854, 1100868 Change-Id: I514a8012c10680734e97e14b0e731493e9e4eb7c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2300402Reviewed-by: vmpstr <vmpstr@chromium.org> Commit-Queue: Xida Chen <xidachen@chromium.org> Cr-Commit-Position: refs/heads/master@{#789053}

[cc/metrics] Fix UAF in ReportThroughputUkm
This CL fixes a use-after-free problem in the ThroughputUkmReporter::ReportThroughputUkm. The root cause of this problem is that the ThroughputUkmReporter is freed when this is getting called. Bug: 1105854, 1100868 Change-Id: I514a8012c10680734e97e14b0e731493e9e4eb7c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2300402Reviewed-by: vmpstr <vmpstr@chromium.org> Commit-Queue: Xida Chen <xidachen@chromium.org> Cr-Commit-Position: refs/heads/master@{#789053}
0d55b1d2 · Xida Chen · Commit Bot · 394eb5d1 · 0d55b1d2
Commit 0d55b1d2 authored Jul 16, 2020 by Xida Chen Committed by Commit Bot Jul 16, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 3 deletions

cc/metrics/frame_sequence_tracker_collection.h cc/metrics/frame_sequence_tracker_collection.h +11 -3

No files found.
--- a/cc/metrics/frame_sequence_tracker_collection.h
+++ b/cc/metrics/frame_sequence_tracker_collection.h
@@ -6,6 +6,8 @@
 #define CC_METRICS_FRAME_SEQUENCE_TRACKER_COLLECTION_H_
 #include <memory>
+#include <utility>
+#include <vector>
 #include "base/containers/flat_map.h"
 #include "base/optional.h"
@@ -139,6 +141,15 @@ class CC_EXPORT FrameSequenceTrackerCollection {
      FrameSequenceMetrics::ThroughputData throughput_data);
  const bool is_single_threaded_;
+  // The reporter takes throughput data and connect to UkmManager to report it.
+  // Note: this has to be before the frame_trackers_. The reason is that a
+  // FrameSequenceTracker owners a FrameSequenceMetrics, so the destructor of
+  // the former calls the destructor of the later. FrameSequenceMetrics's
+  // destructor calls its ReportMetrics() which requires
+  // |throughput_ukm_reporter_| to be alive. So putting it before
+  // |frame_trackers_| to ensure that it is destroyed after the tracker.
+  std::unique_ptr<ThroughputUkmReporter> throughput_ukm_reporter_;
  // The callsite can use the type to manipulate the tracker.
  base::flat_map<
      std::pair<FrameSequenceTrackerType, FrameSequenceMetrics::ThreadType>,
@@ -154,9 +165,6 @@ class CC_EXPORT FrameSequenceTrackerCollection {
  CompositorFrameReportingController* const
      compositor_frame_reporting_controller_;
-  // The reporter takes throughput data and connect to UkmManager to report it.
-  std::unique_ptr<ThroughputUkmReporter> throughput_ukm_reporter_;
  base::flat_map<
      std::pair<FrameSequenceTrackerType, FrameSequenceMetrics::ThreadType>,
      std::unique_ptr<FrameSequenceMetrics>>