Discard invalid iterators in StartQueuedOperation that could cause crashes

Bug: 1015341 Change-Id: I711702f6e7ba4f5881bc227ab04f695e494c47fa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1868771 Auto-Submit: Fergus Dall <sidereal@google.com> Commit-Queue: Nicholas Verne <nverne@chromium.org> Reviewed-by: Nicholas Verne <nverne@chromium.org> Cr-Commit-Position: refs/heads/master@{#707705}

Discard invalid iterators in StartQueuedOperation that could cause crashes
Bug: 1015341 Change-Id: I711702f6e7ba4f5881bc227ab04f695e494c47fa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1868771 Auto-Submit: Fergus Dall <sidereal@google.com> Commit-Queue: Nicholas Verne <nverne@chromium.org> Reviewed-by: Nicholas Verne <nverne@chromium.org> Cr-Commit-Position: refs/heads/master@{#707705}
b11d4d2b · Fergus Dall · Commit Bot · a35c28a4 · b11d4d2b · b11d4d2b
Commit b11d4d2b authored Oct 21, 2019 by Fergus Dall Committed by Commit Bot Oct 21, 2019
2 changed files
--- a/chrome/browser/chromeos/crostini/crostini_package_service.cc
+++ b/chrome/browser/chromeos/crostini/crostini_package_service.cc
@@ -554,10 +554,14 @@ void CrostiniPackageService::StartQueuedOperation(
                                   PackageOperationStatus::SUCCEEDED, 100);
    }
-    // Clean up memory.
+    // As recursive calls to StartQueuedOperation might delete |uninstall_queue|
-    if (uninstall_queue.empty()) {
+    // and invalidate |uninstall_queue_iter| we must look it up again.
+    uninstall_queue_iter = queued_uninstalls_.find(container_id);
+    if (uninstall_queue_iter != queued_uninstalls_.end() &&
+        uninstall_queue_iter->second.empty()) {
+      // Clean up memory.
      queued_uninstalls_.erase(uninstall_queue_iter);
-      // Invalidates uninstall_queue.
+      // Invalidates |uninstall_queue_iter|.
    }
    return;
  }
@@ -590,10 +594,15 @@ void CrostiniPackageService::StartQueuedOperation(
                       weak_ptr_factory_.GetWeakPtr(), vm_name, container_name,
                       std::move(callback)));
-    // Clean up memory.
+    // InstallLinuxPackage shouldn't be able to recursively call this method,
-    if (install_queue.empty()) {
+    // but as future proofing consider |install_queue_iter| to be invalidated
+    // anyway.
+    install_queue_iter = queued_installs_.find(container_id);
+    if (install_queue_iter != queued_installs_.end() &&
+        install_queue_iter->second.empty()) {
+      // Clean up memory.
      queued_installs_.erase(install_queue_iter);
-      // Invalidates install_queue.
+      // Invalidates |install_queue_iter|.
    }
    return;
  }

--- a/chrome/browser/chromeos/crostini/crostini_package_service_unittest.cc
+++ b/chrome/browser/chromeos/crostini/crostini_package_service_unittest.cc
@@ -904,6 +904,8 @@ TEST_F(CrostiniPackageServiceTest, SecondUninstallStartsWhenFirstFails) {
 }
 TEST_F(CrostiniPackageServiceTest, DuplicateUninstallSucceeds) {
+  // Use three uninstalls as a regression test for crbug.com/1015341
+  service_->QueueUninstallApplication(kDefaultAppId);
  service_->QueueUninstallApplication(kDefaultAppId);
  service_->QueueUninstallApplication(kDefaultAppId);
@@ -921,6 +923,7 @@ TEST_F(CrostiniPackageServiceTest, DuplicateUninstallSucceeds) {
      Printable(notification_display_service_->GetDisplayedNotificationsForType(
          NotificationHandler::Type::TRANSIENT)),
      UnorderedElementsAre(IsUninstallSuccessNotification(DEFAULT_APP),
+                           IsUninstallSuccessNotification(DEFAULT_APP),
                           IsUninstallSuccessNotification(DEFAULT_APP)));
 }