Commit 592b68f4 authored by Aaron Colwell's avatar Aaron Colwell Committed by Commit Bot

Crash if a BrowserContext is referenced by a RenderProcessHost at destruction.

Adding an extra sanity check in the BrowserContext destructor to
immediately terminate if we detect that a RenderProcessHost still
references the object being destroyed.


Bug: 1099998
Change-Id: I84af3b5d5f09274fa551b63903101ab5710d073d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2305674
Auto-Submit: Aaron Colwell <acolwell@chromium.org>
Reviewed-by: default avatarNasko Oskov <nasko@chromium.org>
Commit-Queue: Aaron Colwell <acolwell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#791282}
parent f3b1091c
......@@ -464,6 +464,15 @@ BrowserContext::~BrowserContext() {
base::debug::DumpWithoutCrashing();
}
// Verify that there are no outstanding RenderProcessHosts that reference
// this context. Immediately crash if there are to avoid potential UAFs.
for (RenderProcessHost::iterator host_iterator =
RenderProcessHost::AllHostsIterator();
!host_iterator.IsAtEnd(); host_iterator.Advance()) {
RenderProcessHost* host = host_iterator.GetCurrentValue();
CHECK_NE(host->GetBrowserContext(), this);
}
// Clean up any isolated origins and other security state associated with this
// BrowserContext.
ChildProcessSecurityPolicyImpl* policy =
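Review bot: The `CHECK_NE` in the new loop aborts without recording which process host still points at the context, so the crash report carries less than it could; streaming the host id keeps the same fail-fast behaviour while making triage possible: `CHECK_NE(host->GetBrowserContext(), this) << "RenderProcessHost " << host->GetID() << " still references this BrowserContext";`. The comment above the loop could also say that this is a last-resort check: where BrowserContext is subclassed, the subclass's members have already been destroyed by the time this base-class destructor body runs, so a host that is still attached here has been holding a dangling pointer throughout the derived teardown. The destructor's body continues outside the hunk.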
......@@ -555,8 +555,13 @@ class RenderWidgetHostViewAuraTest : public testing::Test {
void TearDownEnvironment() {
sink_ = nullptr;
process_host_ = nullptr;
if (view_)
if (view_) {
DestroyView(view_);
} else if (widget_host_) {
// Delete |widget_host_| in cases where |view_| gets destroyed
// by its parent, but the host does not get destroyed.
delete widget_host_;
}
parent_view_->Destroy();
delete parent_host_;
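Review bot: The new `else if (widget_host_)` branch deletes `widget_host_` but leaves the member pointing at freed memory, whereas the two members reset just above it (`sink_`, `process_host_`) are nulled; a later read of `widget_host_` in this fixture, or a second teardown, would then be a use-after-free instead of a null check. Adding `widget_host_ = nullptr;` after the `delete` keeps the member consistent with the others. Whether `DestroyView(view_)` resets `view_` or `widget_host_` is not visible here, and TearDownEnvironment's body continues past the hunk.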