Mojo: Add another CHECK for debugging

BUG=740044 TBR=jcivelli@chromium.org Change-Id: Idaabb8ac8b1880987ab670bdde7216f06be88dee Reviewed-on: https://chromium-review.googlesource.com/601419Reviewed-by: Ken Rockot <rockot@chromium.org> Commit-Queue: Ken Rockot <rockot@chromium.org> Cr-Commit-Position: refs/heads/master@{#491943}

Mojo: Add another CHECK for debugging
BUG=740044 TBR=jcivelli@chromium.org Change-Id: Idaabb8ac8b1880987ab670bdde7216f06be88dee Reviewed-on: https://chromium-review.googlesource.com/601419Reviewed-by: Ken Rockot <rockot@chromium.org> Commit-Queue: Ken Rockot <rockot@chromium.org> Cr-Commit-Position: refs/heads/master@{#491943}
a512add2 · Ken Rockot · Commit Bot · ed3913b7 · a512add2
Commit a512add2 authored Aug 04, 2017 by Ken Rockot Committed by Commit Bot Aug 04, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 0 deletions

mojo/edk/system/watcher_dispatcher.cc mojo/edk/system/watcher_dispatcher.cc +16 -0

No files found.
--- a/mojo/edk/system/watcher_dispatcher.cc
+++ b/mojo/edk/system/watcher_dispatcher.cc
@@ -147,6 +147,22 @@ MojoResult WatcherDispatcher::WatchDispatcher(
    return rv;
  }

+  // TODO(crbug.com/740044): Perhaps the crash is caused by a racy use of
+  // watchers, which - while incorrect - should not in fact be able to crash at
+  // this layer.
+  //
+  // Hypothesis is that two threads are racing with one adding a watch and one
+  // closing the watcher handle. If the watcher handle is closed immediately
+  // before the AddWatcherRef() call above, |dispatcher| can retain an invalid
+  // pointer to this WatcherDispatcher indefinitely, leading to an eventual UAF
+  // if and when it tries to dispatch a notification.
+  //
+  // If such a race is indeed the sole source of crashes, all subsequent crash
+  // reports which would have come from Watch::NotifyState etc should instead
+  // fail the CHECK below.
+  base::AutoLock lock(lock_);
+  CHECK(!closed_);
+
  return MOJO_RESULT_OK;
 }