Fix off-by-1 OOB array access in task tracker.

Bug: 978888 Change-Id: Ib16b2e35c2f88e7f554611b21bda48857127c77c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1678937Reviewed-by: François Doray <fdoray@chromium.org> Reviewed-by: Gabriel Charette <gab@chromium.org> Commit-Queue: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#672696}

Fix off-by-1 OOB array access in task tracker.
Bug: 978888 Change-Id: Ib16b2e35c2f88e7f554611b21bda48857127c77c Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1678937Reviewed-by: François Doray <fdoray@chromium.org> Reviewed-by: Gabriel Charette <gab@chromium.org> Commit-Queue: Chris Palmer <palmer@chromium.org> Cr-Commit-Position: refs/heads/master@{#672696}
3823cbf3 · Chris Palmer · Commit Bot · b320af60 · 3823cbf3 · 3823cbf3
Commit 3823cbf3 authored Jun 26, 2019 by Chris Palmer Committed by Commit Bot Jun 26, 2019
Showing with 16 additions and 8 deletions

base/task/task_traits.h base/task/task_traits.h +2 -0

base/task/thread_pool/task_tracker.cc base/task/thread_pool/task_tracker.cc +5 -3

base/task/thread_pool/task_tracker.h base/task/thread_pool/task_tracker.h +9 -5

No files found.
--- a/base/task/task_traits.h
+++ b/base/task/task_traits.h
@@ -66,6 +66,8 @@ enum class TaskPriority : uint8_t {
  HIGHEST = USER_BLOCKING
 };
+using TaskPriorityType = std::underlying_type<TaskPriority>::type;
 // Valid shutdown behaviors supported by the thread pool.
 enum class TaskShutdownBehavior : uint8_t {
  // Tasks posted with this mode which have not started executing before

--- a/base/task/thread_pool/task_tracker.cc
+++ b/base/task/thread_pool/task_tracker.cc
@@ -306,9 +306,11 @@ TaskTracker::TaskTracker(StringPiece histogram_label)
                             "UserBlockingTaskPriority_MayBlock")}},
      tracked_ref_factory_(this) {
  // Confirm that all |task_latency_histograms_| have been initialized above.
-  DCHECK(*(&task_latency_histograms_[static_cast<int>(TaskPriority::HIGHEST) +
+  for (TaskPriorityType i = 0; i < kNumTaskPriorities; ++i) {
-                                     1][0] -
+    for (TaskPriorityType j = 0; j < kNumBlockingModes; ++j) {
-           1));
+      DCHECK(task_latency_histograms_[i][j]);
+    }
+  }
 }
 TaskTracker::~TaskTracker() = default;

--- a/base/task/thread_pool/task_tracker.h
+++ b/base/task/thread_pool/task_tracker.h
@@ -281,12 +281,16 @@ class BASE_EXPORT TaskTracker {
  // blocking tasks. Intentionally leaked.
  // TODO(scheduler-dev): Consider using STATIC_HISTOGRAM_POINTER_GROUP for
  // these.
-  static constexpr int kNumTaskPriorities =
+  static constexpr auto kNumTaskPriorities =
-      static_cast<int>(TaskPriority::HIGHEST) + 1;
+      static_cast<TaskPriorityType>(TaskPriority::HIGHEST) + 1;
-  HistogramBase* const task_latency_histograms_[kNumTaskPriorities][2];
+  static constexpr TaskPriorityType kNumBlockingModes = 2;
-  HistogramBase* const heartbeat_latency_histograms_[kNumTaskPriorities][2];
+  HistogramBase* const task_latency_histograms_[kNumTaskPriorities]
+                                               [kNumBlockingModes];
+  HistogramBase* const heartbeat_latency_histograms_[kNumTaskPriorities]
+                                                    [kNumBlockingModes];
  HistogramBase* const
-      num_tasks_run_while_queuing_histograms_[kNumTaskPriorities][2];
+      num_tasks_run_while_queuing_histograms_[kNumTaskPriorities]
+                                             [kNumBlockingModes];
  // Ensures all state (e.g. dangling cleaned up workers) is coalesced before
  // destroying the TaskTracker (e.g. in test environments).