|
|
Created:
5 years, 3 months ago by Anand Mistry (off Chromium) Modified:
5 years, 1 month ago CC:
chromium-reviews, gavinp+memory_chromium.org, chrome-apps-syd-reviews_chromium.org Base URL:
https://chromium.googlesource.com/chromium/src.git@master Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionCall reset(nullptr) in scoped_ptr's destructor.
This behaviour is consistent with libc++.
The original goal of this change is to make Chrome crash more often
and closer to the source when there's a use-after-free bug that
accesses a destroyed scoped_ptr.
BUG=535321
Committed: https://crrev.com/cf9db6ef148d1493dbf6bdc6693f9c79e3ac2afc
Cr-Commit-Position: refs/heads/master@{#357297}
Committed: https://crrev.com/7fa14e3f35b1be8476a2ac61cbad7f3e05a22a18
Cr-Commit-Position: refs/heads/master@{#357756}
Patch Set 1 #
Total comments: 5
Patch Set 2 : Set null before detete, and add test. #
Total comments: 4
Patch Set 3 : Rebase and change to reset(). #
Total comments: 5
Patch Set 4 : Comment update #Patch Set 5 : Rebase #Patch Set 6 : Rebase #Patch Set 7 : Rebase #Messages
Total messages: 48 (11 generated)
amistry@chromium.org changed reviewers: + danakj@chromium.org
This might be a bit contentious, but I'm sending it out anyways. Hopefully, this change will make Chrome more crashy when there's a use-after-free in some cases.
What does unique_ptr do? We should match that, since we'll be switching to use it soon.
On 2015/09/17 17:48:48, danakj wrote: > What does unique_ptr do? We should match that, since we'll be switching to use > it soon. I was expecting this to very much be in the neighbourhood of undefined behaviour. The spec (I read http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2012/n3337.pdf) doesn't appear to define this under unique_ptr. But both libc++ and gcc (4.8) set this to pointer() (which appears to be nullptr based on my reading of the spec and ) which is the default value of unique_ptr::reset() (libc++ calls reset() in the destructor, libstdc++ sets the value explicitly). So this change appears to be consistent with two implementations of the STL. I haven't checked MSVC.
https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h File base/memory/scoped_ptr.h (right): https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h#ne... base/memory/scoped_ptr.h:228: data_.ptr = nullptr; In libc++ they null the member then call the deleter on a temp var: https://github.com/llvm-mirror/libcxx/blob/master/include/memory Shall we do the same?
https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h File base/memory/scoped_ptr.h (right): https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h#ne... base/memory/scoped_ptr.h:228: data_.ptr = nullptr; On 2015/09/21 21:40:52, danakj wrote: > In libc++ they null the member then call the deleter on a temp var: > https://github.com/llvm-mirror/libcxx/blob/master/include/memory > > Shall we do the same? I guess that is because they reset() in the destructor instead of using another destructor. Perhaps we could call reset() in the scoped_ptr destructor and DCHECK that it's null here instead? Up to you.
https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h File base/memory/scoped_ptr.h (right): https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h#ne... base/memory/scoped_ptr.h:228: data_.ptr = nullptr; On 2015/09/21 21:43:08, danakj wrote: > On 2015/09/21 21:40:52, danakj wrote: > > In libc++ they null the member then call the deleter on a temp var: > > https://github.com/llvm-mirror/libcxx/blob/master/include/memory > > > > Shall we do the same? > > I guess that is because they reset() in the destructor instead of using another > destructor. Perhaps we could call reset() in the scoped_ptr destructor and > DCHECK that it's null here instead? > > Up to you. Since we're in the territory of undefined behaviour (read [class.cdtor]), I think it's better to be explicit and well commented, so I'd like to keep the code as-is and not call reset(). Even though this is logically equivalent to calling reset(), I think some of the nuance of making this explicit might be lost.
The CQ bit was checked by amistry@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1356483002/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1356483002/1
https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h File base/memory/scoped_ptr.h (right): https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h#ne... base/memory/scoped_ptr.h:228: data_.ptr = nullptr; On 2015/09/22 01:13:53, Anand Mistry wrote: > On 2015/09/21 21:43:08, danakj wrote: > > On 2015/09/21 21:40:52, danakj wrote: > > > In libc++ they null the member then call the deleter on a temp var: > > > https://github.com/llvm-mirror/libcxx/blob/master/include/memory > > > > > > Shall we do the same? > > > > I guess that is because they reset() in the destructor instead of using > another > > destructor. Perhaps we could call reset() in the scoped_ptr destructor and > > DCHECK that it's null here instead? > > > > Up to you. > > Since we're in the territory of undefined behaviour (read [class.cdtor]), I > think it's better to be explicit and well commented, so I'd like to keep the > code as-is and not call reset(). Even though this is logically equivalent to > calling reset(), I think some of the nuance of making this explicit might be > lost. (drive-by): the null-before-delete strategy is to handle cycles - the call to delete above could conceivably destroy |this|, making the `data_.ptr = nullptr` step a UAF. However, the way to break a cycle is with reset() and reset() already has a null-before-delete. I couldn't contrive an example where a loop is created AND that loop can be broken via the destructor rather than with reset() (I think the only way to do this would be to semantically have a double-free, and trying to cater for it might turn a semantic double-free into a "safe-but-not-really" `delete nullptr`). So I don't *think* null-before-delete is needed here, and one could probably argue that for performance reasons it should be skipped. But there might be something I've missed.
https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h File base/memory/scoped_ptr.h (right): https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h#ne... base/memory/scoped_ptr.h:228: data_.ptr = nullptr; On 2015/09/22 02:53:09, tapted wrote: > On 2015/09/22 01:13:53, Anand Mistry wrote: > > On 2015/09/21 21:43:08, danakj wrote: > > > On 2015/09/21 21:40:52, danakj wrote: > > > > In libc++ they null the member then call the deleter on a temp var: > > > > https://github.com/llvm-mirror/libcxx/blob/master/include/memory > > > > > > > > Shall we do the same? > > > > > > I guess that is because they reset() in the destructor instead of using > > another > > > destructor. Perhaps we could call reset() in the scoped_ptr destructor and > > > DCHECK that it's null here instead? > > > > > > Up to you. > > > > Since we're in the territory of undefined behaviour (read [class.cdtor]), I > > think it's better to be explicit and well commented, so I'd like to keep the > > code as-is and not call reset(). Even though this is logically equivalent to > > calling reset(), I think some of the nuance of making this explicit might be > > lost. > > (drive-by): the null-before-delete strategy is to handle cycles - the call to > delete above could conceivably destroy |this|, making the `data_.ptr = nullptr` > step a UAF. This is the defined behaviour for unique_ptr::reset for exactly the reason you state. > > However, the way to break a cycle is with reset() and reset() already has a > null-before-delete. I couldn't contrive an example where a loop is created AND > that loop can be broken via the destructor rather than with reset() (I think > the only way to do this would be to semantically have a double-free, and trying > to cater for it might turn a semantic double-free into a "safe-but-not-really" > `delete nullptr`). > > So I don't *think* null-before-delete is needed here, and one could probably > argue that for performance reasons it should be skipped. But there might be > something I've missed. But we're in the destructor here. Deleting |this| in the destructor is even more in the realm of undefined behaviour and itself a significant bug. If you run into a situation where the object's deleter deletes |this|, you also potentially have a double-free of |this|, aside from the potential use-after-free that is being introduced.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: win8_chromium_ng on tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win8_chromium_ng/...)
On 2015/09/22 02:53:10, tapted wrote: > https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h > File base/memory/scoped_ptr.h (right): > > https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h#ne... > base/memory/scoped_ptr.h:228: data_.ptr = nullptr; > On 2015/09/22 01:13:53, Anand Mistry wrote: > > On 2015/09/21 21:43:08, danakj wrote: > > > On 2015/09/21 21:40:52, danakj wrote: > > > > In libc++ they null the member then call the deleter on a temp var: > > > > https://github.com/llvm-mirror/libcxx/blob/master/include/memory > > > > > > > > Shall we do the same? > > > > > > I guess that is because they reset() in the destructor instead of using > > another > > > destructor. Perhaps we could call reset() in the scoped_ptr destructor and > > > DCHECK that it's null here instead? > > > > > > Up to you. > > > > Since we're in the territory of undefined behaviour (read [class.cdtor]), I > > think it's better to be explicit and well commented, so I'd like to keep the > > code as-is and not call reset(). Even though this is logically equivalent to > > calling reset(), I think some of the nuance of making this explicit might be > > lost. > > (drive-by): the null-before-delete strategy is to handle cycles - the call to > delete above could conceivably destroy |this|, making the `data_.ptr = nullptr` > step a UAF. > > However, the way to break a cycle is with reset() and reset() already has a > null-before-delete. I couldn't contrive an example where a loop is created AND > that loop can be broken via the destructor rather than with reset() (I think > the only way to do this would be to semantically have a double-free, and trying > to cater for it might turn a semantic double-free into a "safe-but-not-really" > `delete nullptr`). > > So I don't *think* null-before-delete is needed here, and one could probably > argue that for performance reasons it should be skipped. But there might be > something I've missed. Thanks! Those are good points, regarding destroying the scoped_ptr. I have a couple other reasons that null before delete seems right to me: 1. The object held by the scoped_ptr could in its destructor dereference the scoped_ptr holding it? It should be null there. 2. unique_ptr does this in libc++, let's not intentionally differ in behaviour from it.
On 2015/09/22 18:01:31, danakj wrote: > On 2015/09/22 02:53:10, tapted wrote: > > https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h > > File base/memory/scoped_ptr.h (right): > > > > > https://codereview.chromium.org/1356483002/diff/1/base/memory/scoped_ptr.h#ne... > > base/memory/scoped_ptr.h:228: data_.ptr = nullptr; > > On 2015/09/22 01:13:53, Anand Mistry wrote: > > > On 2015/09/21 21:43:08, danakj wrote: > > > > On 2015/09/21 21:40:52, danakj wrote: > > > > > In libc++ they null the member then call the deleter on a temp var: > > > > > https://github.com/llvm-mirror/libcxx/blob/master/include/memory > > > > > > > > > > Shall we do the same? > > > > > > > > I guess that is because they reset() in the destructor instead of using > > > another > > > > destructor. Perhaps we could call reset() in the scoped_ptr destructor and > > > > DCHECK that it's null here instead? > > > > > > > > Up to you. > > > > > > Since we're in the territory of undefined behaviour (read [class.cdtor]), I > > > think it's better to be explicit and well commented, so I'd like to keep the > > > code as-is and not call reset(). Even though this is logically equivalent to > > > calling reset(), I think some of the nuance of making this explicit might be > > > lost. > > > > (drive-by): the null-before-delete strategy is to handle cycles - the call to > > delete above could conceivably destroy |this|, making the `data_.ptr = > nullptr` > > step a UAF. > > > > However, the way to break a cycle is with reset() and reset() already has a > > null-before-delete. I couldn't contrive an example where a loop is created AND > > that loop can be broken via the destructor rather than with reset() (I think > > the only way to do this would be to semantically have a double-free, and > trying > > to cater for it might turn a semantic double-free into a "safe-but-not-really" > > `delete nullptr`). > > > > So I don't *think* null-before-delete is needed here, and one could probably > > argue that for performance reasons it should be skipped. But there might be > > something I've missed. > > Thanks! Those are good points, regarding destroying the scoped_ptr. I have a > couple other reasons that null before delete seems right to me: > > 1. The object held by the scoped_ptr could in its destructor dereference the > scoped_ptr holding it? It should be null there. This could even be unit testable, unless I'm totally wrong because it's in a destructor, but I don't think so? > 2. unique_ptr does this in libc++, let's not intentionally differ in behaviour > from it.
PTAL.
pkasting@chromium.org changed reviewers: + pkasting@chromium.org
https://codereview.chromium.org/1356483002/diff/20001/base/memory/scoped_ptr.h File base/memory/scoped_ptr.h (right): https://codereview.chromium.org/1356483002/diff/20001/base/memory/scoped_ptr.... base/memory/scoped_ptr.h:227: // references |this| after running the deleter. It looks like reset() was changed to an intermediate state that should flush out any bugs where code relied on the old ordering about 2.5 years ago. So it ought to be safe to go ahead and change reset()'s ordering to match libc++ now, close bug 176091, and then have this use reset() like libc++ does.
https://codereview.chromium.org/1356483002/diff/20001/base/memory/scoped_ptr.h File base/memory/scoped_ptr.h (right): https://codereview.chromium.org/1356483002/diff/20001/base/memory/scoped_ptr.... base/memory/scoped_ptr.h:227: // references |this| after running the deleter. On 2015/09/23 01:14:39, Peter Kasting wrote: > It looks like reset() was changed to an intermediate state that should flush out > any bugs where code relied on the old ordering about 2.5 years ago. So it ought > to be safe to go ahead and change reset()'s ordering to match libc++ now, close > bug 176091, and then have this use reset() like libc++ does. Despite being small, I think that's a significant enough change to deserve it's own CL.
https://codereview.chromium.org/1356483002/diff/20001/base/memory/scoped_ptr.h File base/memory/scoped_ptr.h (right): https://codereview.chromium.org/1356483002/diff/20001/base/memory/scoped_ptr.... base/memory/scoped_ptr.h:227: // references |this| after running the deleter. On 2015/09/23 01:44:52, Anand Mistry wrote: > On 2015/09/23 01:14:39, Peter Kasting wrote: > > It looks like reset() was changed to an intermediate state that should flush > out > > any bugs where code relied on the old ordering about 2.5 years ago. So it > ought > > to be safe to go ahead and change reset()'s ordering to match libc++ now, > close > > bug 176091, and then have this use reset() like libc++ does. > > Despite being small, I think that's a significant enough change to deserve it's > own CL. That's fine; why not do that first and then make a change to this function so you can move directly to that implementation?
I've rebased onto https://codereview.chromium.org/1358373002/ and changed the destructor to just call reset(), like libc++. https://codereview.chromium.org/1356483002/diff/20001/base/memory/scoped_ptr.h File base/memory/scoped_ptr.h (right): https://codereview.chromium.org/1356483002/diff/20001/base/memory/scoped_ptr.... base/memory/scoped_ptr.h:227: // references |this| after running the deleter. On 2015/09/23 01:52:58, Peter Kasting wrote: > On 2015/09/23 01:44:52, Anand Mistry wrote: > > On 2015/09/23 01:14:39, Peter Kasting wrote: > > > It looks like reset() was changed to an intermediate state that should flush > > out > > > any bugs where code relied on the old ordering about 2.5 years ago. So it > > ought > > > to be safe to go ahead and change reset()'s ordering to match libc++ now, > > close > > > bug 176091, and then have this use reset() like libc++ does. > > > > Despite being small, I think that's a significant enough change to deserve > it's > > own CL. > > That's fine; why not do that first and then make a change to this function so > you can move directly to that implementation? Done.
LGTM
LGTM https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... File base/memory/scoped_ptr_unittest.cc (right): https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... base/memory/scoped_ptr_unittest.cc:721: // into the destructors of |a| and |a.b|. Note, deleting |a| instead will Nit: a.b -> a->b https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... base/memory/scoped_ptr_unittest.cc:723: // destructor. Nit: Maybe change this last sentence to the following, assuming it's accurate/you agree: Note that unless code actually calls a destructor directly like this, the only way to trigger this call chain normally would be to delete one of the pointers, which would cause a double-free. Still, a double-free (and then hopefully crash) is better than having the program hang.
https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... File base/memory/scoped_ptr_unittest.cc (right): https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... base/memory/scoped_ptr_unittest.cc:723: // destructor. On 2015/09/23 20:35:49, Peter Kasting wrote: > Nit: Maybe change this last sentence to the following, assuming it's > accurate/you agree: > > Note that unless code actually calls a destructor directly like this, the only > way to trigger this call chain normally would be to delete one of the pointers, > which would cause a double-free. Still, a double-free (and then hopefully > crash) is better than having the program hang. I think I prefer the original for a unit test comment.
Can you point this at BUG=535321 ?
https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... File base/memory/scoped_ptr_unittest.cc (right): https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... base/memory/scoped_ptr_unittest.cc:721: // into the destructors of |a| and |a.b|. Note, deleting |a| instead will On 2015/09/23 20:35:49, Peter Kasting wrote: > Nit: a.b -> a->b Done. https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... base/memory/scoped_ptr_unittest.cc:723: // destructor. On 2015/09/23 20:38:10, danakj wrote: > On 2015/09/23 20:35:49, Peter Kasting wrote: > > Nit: Maybe change this last sentence to the following, assuming it's > > accurate/you agree: > > > > Note that unless code actually calls a destructor directly like this, the only > > way to trigger this call chain normally would be to delete one of the > pointers, > > which would cause a double-free. Still, a double-free (and then hopefully > > crash) is better than having the program hang. > > I think I prefer the original for a unit test comment. danakj: Do you mean what I wrote, or what pkasting suggest?
On 2015/09/23 23:06:34, Anand Mistry wrote: > https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... > File base/memory/scoped_ptr_unittest.cc (right): > > https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... > base/memory/scoped_ptr_unittest.cc:721: // into the destructors of |a| and > |a.b|. Note, deleting |a| instead will > On 2015/09/23 20:35:49, Peter Kasting wrote: > > Nit: a.b -> a->b > > Done. > > https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... > base/memory/scoped_ptr_unittest.cc:723: // destructor. > On 2015/09/23 20:38:10, danakj wrote: > > On 2015/09/23 20:35:49, Peter Kasting wrote: > > > Nit: Maybe change this last sentence to the following, assuming it's > > > accurate/you agree: > > > > > > Note that unless code actually calls a destructor directly like this, the > only > > > way to trigger this call chain normally would be to delete one of the > > pointers, > > > which would cause a double-free. Still, a double-free (and then hopefully > > > crash) is better than having the program hang. > > > > I think I prefer the original for a unit test comment. > > danakj: Do you mean what I wrote, or what pkasting suggest? Pretty sure she liked yours. I think what I don't really like is that the comment in the implementation refers the reader to the unittest for detail, and then the unittest doesn't explain when this can happen and what the consequence is. Maybe the right fix is to instead put more detail in the implementation comment, then in the unittest refer the reader to that comment (if that's even necessary).
On Wed, Sep 23, 2015 at 4:08 PM, <pkasting@chromium.org> wrote: > On 2015/09/23 23:06:34, Anand Mistry wrote: > > > https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... > >> File base/memory/scoped_ptr_unittest.cc (right): >> > > > > https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... > >> base/memory/scoped_ptr_unittest.cc:721: // into the destructors of |a| and >> |a.b|. Note, deleting |a| instead will >> On 2015/09/23 20:35:49, Peter Kasting wrote: >> > Nit: a.b -> a->b >> > > Done. >> > > > > https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... > >> base/memory/scoped_ptr_unittest.cc:723: // destructor. >> On 2015/09/23 20:38:10, danakj wrote: >> > On 2015/09/23 20:35:49, Peter Kasting wrote: >> > > Nit: Maybe change this last sentence to the following, assuming it's >> > > accurate/you agree: >> > > >> > > Note that unless code actually calls a destructor directly like this, >> the >> only >> > > way to trigger this call chain normally would be to delete one of the >> > pointers, >> > > which would cause a double-free. Still, a double-free (and then >> hopefully >> > > crash) is better than having the program hang. >> > >> > I think I prefer the original for a unit test comment. >> > > danakj: Do you mean what I wrote, or what pkasting suggest? >> > > Pretty sure she liked yours. > > I think what I don't really like is that the comment in the implementation > refers the reader to the unittest for detail, and then the unittest doesn't > explain when this can happen and what the consequence is. > > Maybe the right fix is to instead put more detail in the implementation > comment, > then in the unittest refer the reader to that comment (if that's even > necessary). > That sounds fine too. I'm ok as is as well. To unsubscribe from this group and stop receiving emails from it, send an email to chromium-reviews+unsubscribe@chromium.org.
On 2015/09/23 23:11:04, danakj wrote: > On Wed, Sep 23, 2015 at 4:08 PM, <mailto:pkasting@chromium.org> wrote: > > > On 2015/09/23 23:06:34, Anand Mistry wrote: > > > > > > > https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... > > > >> File base/memory/scoped_ptr_unittest.cc (right): > >> > > > > > > > > > https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... > > > >> base/memory/scoped_ptr_unittest.cc:721: // into the destructors of |a| and > >> |a.b|. Note, deleting |a| instead will > >> On 2015/09/23 20:35:49, Peter Kasting wrote: > >> > Nit: a.b -> a->b > >> > > > > Done. > >> > > > > > > > > > https://codereview.chromium.org/1356483002/diff/40001/base/memory/scoped_ptr_... > > > >> base/memory/scoped_ptr_unittest.cc:723: // destructor. > >> On 2015/09/23 20:38:10, danakj wrote: > >> > On 2015/09/23 20:35:49, Peter Kasting wrote: > >> > > Nit: Maybe change this last sentence to the following, assuming it's > >> > > accurate/you agree: > >> > > > >> > > Note that unless code actually calls a destructor directly like this, > >> the > >> only > >> > > way to trigger this call chain normally would be to delete one of the > >> > pointers, > >> > > which would cause a double-free. Still, a double-free (and then > >> hopefully > >> > > crash) is better than having the program hang. > >> > > >> > I think I prefer the original for a unit test comment. > >> > > > > danakj: Do you mean what I wrote, or what pkasting suggest? > >> > > > > Pretty sure she liked yours. > > > > I think what I don't really like is that the comment in the implementation > > refers the reader to the unittest for detail, and then the unittest doesn't > > explain when this can happen and what the consequence is. > > > > Maybe the right fix is to instead put more detail in the implementation > > comment, > > then in the unittest refer the reader to that comment (if that's even > > necessary). > > > > That sounds fine too. I'm ok as is as well. > > To unsubscribe from this group and stop receiving emails from it, send an email > to mailto:chromium-reviews+unsubscribe@chromium.org. I'll stick with as-is. The comment pointing at the test was intended as a pointer to an example, and not detailed documentation per-se.
The CQ bit was checked by amistry@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from danakj@chromium.org, pkasting@chromium.org Link to the patchset: https://codereview.chromium.org/1356483002/#ps80001 (title: "Rebase")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1356483002/80001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1356483002/80001
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_chromeos_ozone_rel_ng on tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
On 2015/09/24 03:44:19, commit-bot: I haz the power wrote: > Try jobs failed on following builders: > linux_chromium_chromeos_ozone_rel_ng on tryserver.chromium.linux (JOB_FAILED, > http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...) Ugh! Well, time to start hunting!
The CQ bit was checked by amistry@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from danakj@chromium.org, pkasting@chromium.org Link to the patchset: https://codereview.chromium.org/1356483002/#ps120001 (title: "Rebase")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1356483002/120001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1356483002/120001
Message was sent while issue was closed.
Committed patchset #7 (id:120001)
Message was sent while issue was closed.
Patchset 7 (id:??) landed as https://crrev.com/cf9db6ef148d1493dbf6bdc6693f9c79e3ac2afc Cr-Commit-Position: refs/heads/master@{#357297}
Message was sent while issue was closed.
A revert of this CL (patchset #7 id:120001) has been created in https://codereview.chromium.org/1417063006/ by perkj@chromium.org. The reason for reverting is: Sorry for reverting, I assume there is nothing really wrong with this cl but it breaks ToolbarControllerTest on Mac 10.10 and 10.11. http://build.chromium.org/p/chromium.mac/builders/Mac10.10%20Tests/builds/3607.
Message was sent while issue was closed.
Description was changed from ========== Call reset(nullptr) in scoped_ptr's destructor. This behaviour is consistent with libc++. The original goal of this change is to make Chrome crash more often and closer to the source when there's a use-after-free bug that accesses a destroyed scoped_ptr. BUG=535321 Committed: https://crrev.com/cf9db6ef148d1493dbf6bdc6693f9c79e3ac2afc Cr-Commit-Position: refs/heads/master@{#357297} ========== to ========== Call reset(nullptr) in scoped_ptr's destructor. This behaviour is consistent with libc++. The original goal of this change is to make Chrome crash more often and closer to the source when there's a use-after-free bug that accesses a destroyed scoped_ptr. BUG=535321 Committed: https://crrev.com/cf9db6ef148d1493dbf6bdc6693f9c79e3ac2afc Cr-Commit-Position: refs/heads/master@{#357297} ==========
FYI, as requested, re-opening and re-landing this CL.
On 2015/11/04 00:10:49, Anand Mistry wrote: > FYI, as requested, re-opening and re-landing this CL. sgtm, good luck to us all :)
The CQ bit was checked by amistry@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1356483002/120001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1356483002/120001
Message was sent while issue was closed.
Committed patchset #7 (id:120001)
Message was sent while issue was closed.
Patchset 7 (id:??) landed as https://crrev.com/7fa14e3f35b1be8476a2ac61cbad7f3e05a22a18 Cr-Commit-Position: refs/heads/master@{#357756} |