Speculative fix for crash on MTP directory read.

Within MTPDeviceDelegateImplLinux::ReadDirectoryInternal, the call to PendingRequestDone at the end of the function allowed for another task to run and potentially delete the file_id from the cache prior to the directory listing being done. This would then cause a nullptr dereference in OnDidReadDirectory which expects the cache entry to exist. Since ReadDirectoryInternal is only run from a task, just continue the task instead of posting it to the request queue. BUG=817523 Change-Id: I9df651864ba1ef3c26365832b149871b027f99d5 Reviewed-on: https://chromium-review.googlesource.com/1195202Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Anand Mistry <amistry@chromium.org> Cr-Commit-Position: refs/heads/master@{#587857}

Speculative fix for crash on MTP directory read.
Within MTPDeviceDelegateImplLinux::ReadDirectoryInternal, the call to PendingRequestDone at the end of the function allowed for another task to run and potentially delete the file_id from the cache prior to the directory listing being done. This would then cause a nullptr dereference in OnDidReadDirectory which expects the cache entry to exist. Since ReadDirectoryInternal is only run from a task, just continue the task instead of posting it to the request queue. BUG=817523 Change-Id: I9df651864ba1ef3c26365832b149871b027f99d5 Reviewed-on: https://chromium-review.googlesource.com/1195202Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Anand Mistry <amistry@chromium.org> Cr-Commit-Position: refs/heads/master@{#587857}
897f35eb · Anand K. Mistry · Commit Bot · dd97101e · 897f35eb
Commit 897f35eb authored Aug 30, 2018 by Anand K. Mistry Committed by Commit Bot Aug 30, 2018
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 17 deletions

chrome/browser/media_galleries/chromeos/mtp_device_delegate_impl_chromeos.cc ...a_galleries/chromeos/mtp_device_delegate_impl_chromeos.cc +18 -17

No files found.
--- a/chrome/browser/media_galleries/chromeos/mtp_device_delegate_impl_chromeos.cc
+++ b/chrome/browser/media_galleries/chromeos/mtp_device_delegate_impl_chromeos.cc
@@ -955,9 +955,15 @@ void MTPDeviceDelegateImplLinux::ReadDirectoryInternal(
    const ReadDirectorySuccessCallback& success_callback,
    const ErrorCallback& error_callback) {
  DCHECK_CURRENTLY_ON(content::BrowserThread::IO);
+  DCHECK(task_in_progress_);

  base::Optional<uint32_t> dir_id = CachedPathToId(root);
-  if (dir_id) {
+  if (!dir_id) {
+    error_callback.Run(base::File::FILE_ERROR_NOT_FOUND);
+    PendingRequestDone();
+    return;
+  }
+
  GetFileInfoSuccessCallback success_callback_wrapper =
      base::Bind(&MTPDeviceDelegateImplLinux::OnDidGetFileInfoToReadDirectory,
                 weak_ptr_factory_.GetWeakPtr(), *dir_id, success_callback,
@@ -968,14 +974,9 @@ void MTPDeviceDelegateImplLinux::ReadDirectoryInternal(
  base::Closure closure =
      base::Bind(&GetFileInfoOnUIThread, storage_name_, read_only_, *dir_id,
                 success_callback_wrapper, error_callback_wrapper);
-    EnsureInitAndRunTask(PendingTaskInfo(base::FilePath(),
-                                         content::BrowserThread::UI,
-                                         FROM_HERE,
-                                         closure));
-  } else {
-    error_callback.Run(base::File::FILE_ERROR_NOT_FOUND);
-  }
-  PendingRequestDone();
+
+  content::BrowserThread::PostTask(content::BrowserThread::UI, FROM_HERE,
+                                   closure);
 }

 void MTPDeviceDelegateImplLinux::CreateSnapshotFileInternal(