Guard use of Chrome TLS in GlobalActivityTracker::GetOrCreateTracker.

The implementation of heap_profiling uses base::Lock. That uses GlobalActivityTracker::GetOrCreateTracker, which uses Chrome TLS. Since heap_profiling may be used post TLS destruction, all called code must also guard against use of Chrome TLS by checking base::ThreadLocalStorage::HasBeenDestroyed. Bug: 864589 Change-Id: I9b7b61d702a79062f847f17d18b6d30f3681b837 Reviewed-on: https://chromium-review.googlesource.com/1142347Reviewed-by: Gabriel Charette <gab@chromium.org> Commit-Queue: Erik Chen <erikchen@chromium.org> Cr-Commit-Position: refs/heads/master@{#576224}

Guard use of Chrome TLS in GlobalActivityTracker::GetOrCreateTracker.
The implementation of heap_profiling uses base::Lock. That uses GlobalActivityTracker::GetOrCreateTracker, which uses Chrome TLS. Since heap_profiling may be used post TLS destruction, all called code must also guard against use of Chrome TLS by checking base::ThreadLocalStorage::HasBeenDestroyed. Bug: 864589 Change-Id: I9b7b61d702a79062f847f17d18b6d30f3681b837 Reviewed-on: https://chromium-review.googlesource.com/1142347Reviewed-by: Gabriel Charette <gab@chromium.org> Commit-Queue: Erik Chen <erikchen@chromium.org> Cr-Commit-Position: refs/heads/master@{#576224}
fac6d427 · erikchen · Commit Bot · fc59e2b9 · fac6d427 · fac6d427
Commit fac6d427 authored Jul 18, 2018 by erikchen Committed by Commit Bot Jul 18, 2018
3 changed files
--- a/base/debug/activity_tracker.h
+++ b/base/debug/activity_tracker.h
@@ -860,6 +860,13 @@ class BASE_EXPORT GlobalActivityTracker {
      GlobalActivityTracker* global_tracker = Get();
      if (!global_tracker)
        return nullptr;
+      // It is not safe to use TLS once TLS has been destroyed. This can happen
+      // if code that runs late during thread destruction tries to use a
+      // base::Lock. See https://crbug.com/864589.
+      if (base::ThreadLocalStorage::HasBeenDestroyed())
+        return nullptr;
      if (lock_allowed)
        return global_tracker->GetOrCreateTrackerForCurrentThread();
      else

--- a/base/threading/thread_local_storage.h
+++ b/base/threading/thread_local_storage.h
@@ -30,6 +30,10 @@ namespace base {
 class SamplingHeapProfiler;
+namespace debug {
+class GlobalActivityTracker;
+}  // namespace debug
 namespace trace_event {
 class MallocDumpProvider;
 }  // namespace trace_event
@@ -160,6 +164,7 @@ class BASE_EXPORT ThreadLocalStorage {
  friend class base::SamplingHeapProfiler;
  friend class base::internal::ThreadLocalStorageTestInternal;
  friend class base::trace_event::MallocDumpProvider;
+  friend class debug::GlobalActivityTracker;
  friend class heap_profiling::ScopedAllowAlloc;
  friend class ui::TLSDestructionCheckerForX11;
  static bool HasBeenDestroyed();

--- a/components/services/heap_profiling/public/cpp/allocator_shim.cc
+++ b/components/services/heap_profiling/public/cpp/allocator_shim.cc
@@ -883,6 +883,9 @@ void AllocatorShimLogAlloc(AllocatorType type,
  }
 }
+// This function may be called post Chrome TLS destruction, so it must not use
+// Chrome TLS. It currently uses 3 classes from Chrome: base::Lock,
+// base::TimeTicks and base::ScopedPlatformFile, all of which are safe.
 void AllocatorShimLogFree(void* address) {
  SendBuffer* send_buffers = g_send_buffers.Read();
  if (!send_buffers)