Crash if a BrowserContext is referenced by a RenderProcessHost at destruction.

Adding an extra sanity check in the BrowserContext destructor to
immediately terminate if we detect that a RenderProcessHost still
references the object being destroyed.


Bug: 1099998
Change-Id: I84af3b5d5f09274fa551b63903101ab5710d073d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2305674
Auto-Submit: Aaron Colwell <acolwell@chromium.org>
Reviewed-by: Nasko Oskov <nasko@chromium.org>
Commit-Queue: Aaron Colwell <acolwell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#791282}

content/browser/browser_context.cc

@@ -464,6 +464,15 @@ BrowserContext::~BrowserContext() {
     base::debug::DumpWithoutCrashing();
   }
 
+  // Verify that there are no outstanding RenderProcessHosts that reference
+  // this context. Immediately crash if there are to avoid potential UAFs.
+  for (RenderProcessHost::iterator host_iterator =
+           RenderProcessHost::AllHostsIterator();
+       !host_iterator.IsAtEnd(); host_iterator.Advance()) {
+    RenderProcessHost* host = host_iterator.GetCurrentValue();
+    CHECK_NE(host->GetBrowserContext(), this);
+  }
+
   // Clean up any isolated origins and other security state associated with this
   // BrowserContext.
   ChildProcessSecurityPolicyImpl* policy =

content/browser/renderer_host/render_widget_host_view_aura_unittest.cc

@@ -555,8 +555,13 @@ class RenderWidgetHostViewAuraTest : public testing::Test {
   void TearDownEnvironment() {
     sink_ = nullptr;
     process_host_ = nullptr;
-    if (view_)
+    if (view_) {
       DestroyView(view_);
+    } else if (widget_host_) {
+      // Delete |widget_host_| in cases where |view_| gets destroyed
+      // by its parent, but the host does not get destroyed.
+      delete widget_host_;
+    }
 
     parent_view_->Destroy();
     delete parent_host_;