mac: Fix an attachment broker race condition.

ipc/attachment_broker_privileged_mac.h

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef IPC_ATTACHMENT_BROKER_PRIVILEGED_MAC_H_
 #define IPC_ATTACHMENT_BROKER_PRIVILEGED_MAC_H_
 
 #include <mach/mach.h>
 #include <stdint.h>
 
@@ skipping 48 matching lines @@
       public base::PortProvider::Observer {
  public:
   explicit AttachmentBrokerPrivilegedMac(base::PortProvider* port_provider);
   ~AttachmentBrokerPrivilegedMac() override;
 
   // IPC::AttachmentBroker overrides.
   bool SendAttachmentToProcess(
       const scoped_refptr<IPC::BrokerableAttachment>& attachment,
       base::ProcessId destination_process) override;
   void DeregisterCommunicationChannel(Endpoint* endpoint) override;
+  void ReceivedPeerPid(base::ProcessId peer_pid) override;
 
   // IPC::Listener overrides.
   bool OnMessageReceived(const Message& message) override;
 
   // base::PortProvider::Observer override.
   void OnReceivedTaskPort(base::ProcessHandle process) override;
 
  private:
   FRIEND_TEST_ALL_PREFIXES(AttachmentBrokerPrivilegedMacMultiProcessTest,
                            InsertRight);
@@ skipping 81 matching lines @@
 
   // |wire_format.destination_process| must be another process.
   // |wire_format.mach_port| must be the intermediate Mach port.
   // Ownership of |wire_format.mach_port| is implicitly passed to the process
   // that receives the Chrome IPC message.
   // Returns |false| on irrecoverable error.
   bool RouteWireFormatToAnother(const MachPortWireFormat& wire_format);
 
   // Atempts to broker all precursors whose destination is |pid|. Has no effect
   // if |port_provider_| does not have the task port for |pid|.
-  void SendPrecursorsForProcess(base::ProcessId pid);
+  // If a communication channel has not been established from the destination
+  // process, and |store_on_failure| is true, then the precursor is kept for
+  // later reuse. If |store_on_failure| is false, then the precursor is deleted.
+  void SendPrecursorsForProcess(base::ProcessId pid, bool store_on_failure);
 
   // Brokers a single precursor into the task represented by |task_port|.
   // Returns |false| on irrecoverable error.
   bool SendPrecursor(AttachmentPrecursor* precursor, mach_port_t task_port);
 
   // Add a precursor to |precursors_|. Takes ownership of |port|.
   void AddPrecursor(base::ProcessId pid,
                     base::mac::ScopedMachSendRight port,
                     const BrokerableAttachment::AttachmentId& id);
 
   // Atempts to process all extractors whose source is |pid|. Has no effect
   // if |port_provider_| does not have the task port for |pid|.
-  void ProcessExtractorsForProcess(base::ProcessId pid);
+  // If a communication channel has not been established from the source
+  // process, and |store_on_failure| is true, then the extractor is kept for
+  // later reuse. If |store_on_failure| is false, then the extractor is deleted.
+  void ProcessExtractorsForProcess(base::ProcessId pid, bool store_on_failure);
 
   // Processes a single extractor whose source pid is represented by
   // |task_port|.
   void ProcessExtractor(AttachmentExtractor* extractor, mach_port_t task_port);
 
   // Add an extractor to |extractors_|.
   void AddExtractor(base::ProcessId source_pid,
                     base::ProcessId dest_pid,
                     mach_port_name_t port,
                     const BrokerableAttachment::AttachmentId& id);
@@ skipping 10 matching lines @@
   // processed.
   std::map<base::ProcessId, ScopedVector<AttachmentExtractor>*> extractors_;
   base::Lock extractors_lock_;
 
   DISALLOW_COPY_AND_ASSIGN(AttachmentBrokerPrivilegedMac);
 };
 
 }  // namespace IPC
 
 #endif  // IPC_ATTACHMENT_BROKER_PRIVILEGED_MAC_H_