Shutdown StoragePartition before ProfileIOData is being shut down

Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

Content modules that are hung on StoragePartition often try to dereference
ResourceContext (which is owned by ProfileIOData in chromium cases) even after
ResourceContext is destroyed, so it could easily lead to U-A-F.  This happens
because StoragePartitions are destroyed in BrowserContext's dtor, while
ProfileIOData and any other objects that are managed/owned by BrowserContext's
subclasses are usually destroyed earlier than that (i.e. their destructors run
before the base class's one).

This change tries to add a new explicit method,
BrowserContext::ShutdownStoragePartitions, and let embedders call it before
the embedders are going to destroy/shutdown their own objects (which include
ResourceContext), so that content modules can safely assume they can
dereference those objects while its StoragePartition's still there.

BUG=529896
Committed: https://crrev.com/f6ed359c6f34261f93f3ac5431c7f7526d500262
Cr-Commit-Position: refs/heads/master@{#407781}

[kinuko, 2016-07-19 08:38:35]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[kinuko, 2016-07-19 08:38:51]

Description was changed from

==========
Shutdown StoragePartition before ProfileIOData is being shut down

BUG=529896
==========

to

==========
Shutdown StoragePartition before ProfileIOData is being shut down

BUG=529896
==========

[kinuko, 2016-07-19 08:38:51]

kinuko@chromium.org changed reviewers:
+ mmenke@chromium.org

[commit-bot: I haz the power, 2016-07-19 08:38:57]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-19 12:20:57]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-19 12:20:58]

Dry run: This issue passed the CQ dry run.

[kinuko, 2016-07-19 13:03:04]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-19 13:03:30]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-19 13:25:46]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-19 13:25:47]

Dry run: Try jobs failed on following builders:
  cast_shell_linux on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)

[kinuko, 2016-07-19 13:53:25]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-19 13:53:51]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[kinuko, 2016-07-19 14:03:46]

Description was changed from

==========
Shutdown StoragePartition before ProfileIOData is being shut down

BUG=529896
==========

to

==========
Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

BUG=529896
==========

[kinuko, 2016-07-19 14:23:14]

Matt- can you take a look when you have time?  What do you think?

[commit-bot: I haz the power, 2016-07-19 14:23:34]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-19 14:23:35]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[kinuko, 2016-07-19 14:26:24]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[kinuko, 2016-07-19 14:26:32]

Patchset #3 (id:40001) has been deleted

[commit-bot: I haz the power, 2016-07-19 14:26:50]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-19 15:01:54]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-19 15:01:55]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux
(JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[mmenke, 2016-07-19 17:55:20]

https://codereview.chromium.org/2159133002/diff/60001/chrome/browser/profiles...
File chrome/browser/profiles/profile_impl_io_data.cc (right):

https://codereview.chromium.org/2159133002/diff/60001/chrome/browser/profiles...
chrome/browser/profiles/profile_impl_io_data.cc:119:
profile_->ShutdownStoragePartitions();
This doesn't seem like a good place for this - this method is implicitly called
during ProfileImpl's destructor, and calling a Profile method from an implicitly
called destructor seems like a bad idea.

I don't suppose we can just explicitly call ShutdownStoragePartitions() at the
end of ProfileImpl's destructor instead?

https://codereview.chromium.org/2159133002/diff/60001/content/browser/browser...
File content/browser/browser_context.cc (right):

https://codereview.chromium.org/2159133002/diff/60001/content/browser/browser...
content/browser/browser_context.cc:500:
RemoveUserData(kStoragePartitionMapKeyName);
Storage partitions are stored as user data attached to the BrowserContext?  I
don't suppose there are plans to change that?

[kinuko, 2016-07-20 03:07:20]

Patchset #4 (id:80001) has been deleted

[kinuko, 2016-07-20 03:10:19]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-20 03:10:50]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-20 03:55:40]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-20 03:55:41]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux
(JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[kinuko, 2016-07-20 07:33:42]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-20 07:34:01]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-20 08:03:12]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-20 08:03:13]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux
(JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[kinuko, 2016-07-20 09:18:28]

Patchset #5 (id:120001) has been deleted

[kinuko, 2016-07-20 09:18:50]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-20 09:19:03]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-20 10:41:05]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-20 10:41:06]

Dry run: Try jobs failed on following builders:
  linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[kinuko, 2016-07-20 15:29:57]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-20 15:30:16]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-20 15:46:50]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-20 15:46:51]

Dry run: Try jobs failed on following builders:
  android_arm64_dbg_recipe on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_arm6...)
  linux_android_rel_ng on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/linux_androi...)
  linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux
(JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[kinuko, 2016-07-20 15:50:58]

Patchset #6 (id:160001) has been deleted

[kinuko, 2016-07-20 15:53:46]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-20 15:54:19]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-20 16:07:45]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-20 16:07:46]

Dry run: Try jobs failed on following builders:
  android_arm64_dbg_recipe on master.tryserver.chromium.android (JOB_FAILED,
https://build.chromium.org/p/tryserver.chromium.android/builders/android_arm6...)
  linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[kinuko, 2016-07-20 16:35:08]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-20 16:35:46]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-20 16:47:39]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-20 16:47:39]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux
(JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[kinuko, 2016-07-20 23:32:57]

Patchset #5 (id:140001) has been deleted

[kinuko, 2016-07-20 23:34:10]

Patchset #6 (id:200001) has been deleted

[kinuko, 2016-07-20 23:34:28]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-20 23:34:50]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-20 23:39:10]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-20 23:39:11]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux
(JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[kinuko, 2016-07-21 03:06:25]

Thanks, updated. PTAL

https://codereview.chromium.org/2159133002/diff/60001/chrome/browser/profiles...
File chrome/browser/profiles/profile_impl_io_data.cc (right):

https://codereview.chromium.org/2159133002/diff/60001/chrome/browser/profiles...
chrome/browser/profiles/profile_impl_io_data.cc:119:
profile_->ShutdownStoragePartitions();
On 2016/07/19 17:55:20, mmenke wrote:
> This doesn't seem like a good place for this - this method is implicitly
called
> during ProfileImpl's destructor, and calling a Profile method from an
implicitly
> called destructor seems like a bad idea.
> 
> I don't suppose we can just explicitly call ShutdownStoragePartitions() at the
> end of ProfileImpl's destructor instead?

I think we can, and yeah that'd be better. Done.

I wanted to have some assertion to make sure we call ShutdownStoragePartitions
before IOData::ShutdownOnUIThread, but don't have a good idea (other than adding
a flag).  Added comments instead.

https://codereview.chromium.org/2159133002/diff/60001/content/browser/browser...
File content/browser/browser_context.cc (right):

https://codereview.chromium.org/2159133002/diff/60001/content/browser/browser...
content/browser/browser_context.cc:500:
RemoveUserData(kStoragePartitionMapKeyName);
On 2016/07/19 17:55:20, mmenke wrote:
> Storage partitions are stored as user data attached to the BrowserContext?  I
> don't suppose there are plans to change that?

I suppose we wanted to avoid exposing internal stuff at BrowserContext's public
header?  I don't like UserData approach too much but I want to explorer other
options separately from this change.

https://codereview.chromium.org/2159133002/diff/220001/chrome/browser/browsin...
File chrome/browser/browsing_data/browsing_data_appcache_helper_unittest.cc
(right):

https://codereview.chromium.org/2159133002/diff/220001/chrome/browser/browsin...
chrome/browser/browsing_data/browsing_data_appcache_helper_unittest.cc:50:
content::RunAllPendingInMessageLoop(content::BrowserThread::IO);
This wasn't necessary before this CL because TestingProfile internally runs
message loop in its dtor.  Now we delete StoragePartition before then we need to
run IO tasks a little earlier

[mmenke, 2016-07-21 15:27:21]

LGTM!

https://codereview.chromium.org/2159133002/diff/60001/content/browser/browser...
File content/browser/browser_context.cc (right):

https://codereview.chromium.org/2159133002/diff/60001/content/browser/browser...
content/browser/browser_context.cc:500:
RemoveUserData(kStoragePartitionMapKeyName);
On 2016/07/21 03:06:25, kinuko wrote:
> On 2016/07/19 17:55:20, mmenke wrote:
> > Storage partitions are stored as user data attached to the BrowserContext? 
I
> > don't suppose there are plans to change that?
> 
> I suppose we wanted to avoid exposing internal stuff at BrowserContext's
public
> header?  I don't like UserData approach too much but I want to explorer other
> options separately from this change.

I didn't mean to suggest you make that part of this change, was just hoping that
since you seem to be working on the code, you might want to consider changing
the ownership model.

https://codereview.chromium.org/2159133002/diff/220001/chrome/browser/browsin...
File chrome/browser/browsing_data/browsing_data_appcache_helper_unittest.cc
(right):

https://codereview.chromium.org/2159133002/diff/220001/chrome/browser/browsin...
chrome/browser/browsing_data/browsing_data_appcache_helper_unittest.cc:53:
content::TestBrowserThreadBundle thread_bundle_;
Doesn't really matter, but these should probably be protected.

https://codereview.chromium.org/2159133002/diff/220001/chrome/browser/browsin...
chrome/browser/browsing_data/browsing_data_appcache_helper_unittest.cc:54:
TestingProfile profile;
profile_

[michaeln, 2016-07-21 20:08:09]

Does this change ensure that URLRequestContexts outlive StoragePartitions?

[kinuko, 2016-07-21 23:23:48]

On 2016/07/21 20:08:09, michaeln wrote:
> Does this change ensure that URLRequestContexts outlive StoragePartitions?

Yes it should.

[kinuko, 2016-07-22 04:16:03]

The CQ bit was checked by kinuko@chromium.org to run a CQ dry run

[kinuko, 2016-07-22 04:16:21]

Thanks!

https://codereview.chromium.org/2159133002/diff/220001/chrome/browser/browsin...
File chrome/browser/browsing_data/browsing_data_appcache_helper_unittest.cc
(right):

https://codereview.chromium.org/2159133002/diff/220001/chrome/browser/browsin...
chrome/browser/browsing_data/browsing_data_appcache_helper_unittest.cc:53:
content::TestBrowserThreadBundle thread_bundle_;
On 2016/07/21 15:27:20, mmenke wrote:
> Doesn't really matter, but these should probably be protected.

Done.

https://codereview.chromium.org/2159133002/diff/220001/chrome/browser/browsin...
chrome/browser/browsing_data/browsing_data_appcache_helper_unittest.cc:54:
TestingProfile profile;
On 2016/07/21 15:27:20, mmenke wrote:
> profile_

Done.

[commit-bot: I haz the power, 2016-07-22 04:16:30]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[kinuko, 2016-07-22 04:35:53]

kinuko@chromium.org changed reviewers:
+ alexclarke@chromium.org, dtrainor@chromium.org, falken@chromium.org,
halliwell@chromium.org, jam@chromium.org, mkwst@chromium.org,
phajdan.jr@chromium.org

[kinuko, 2016-07-22 04:35:54]

Adding more owners...

mkwst@chromium.org: Please review changes in chrome/browser/browsing_data

dtrainor@chromium.org: Please review changes in blimp/ (one-line change)

halliwell@chromium.org: Please review changes in chromecast/ (one-line change)

alexclarke@chromium.org: Please review changes in headless/ (one-line change)

phajdan.jr@chromium.org: Please review changes in chrome/test/ (one-line change)

falken@chromium.org: Please review changes in service_worker related to make
sure

jam@chromium.org: If you have any comments for the changes in content/

[kinuko, 2016-07-22 04:37:10]

kinuko@chromium.org changed reviewers:
+ michaeln@chromium.org
- mkwst@chromium.org

[falken, 2016-07-22 04:38:15]

service worker lgtm. awesome!

[kinuko, 2016-07-22 04:38:20]

On 2016/07/22 04:35:54, kinuko wrote:
> mkwst@chromium.org: Please review changes in chrome/browser/browsing_data

Looks like ooo, michaeln@: you can probably review the change? (Feel free to
comment on other parts too)

[commit-bot: I haz the power, 2016-07-22 05:28:56]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-22 05:28:57]

Dry run: This issue passed the CQ dry run.

[alex clarke (OOO till 29th), 2016-07-22 09:36:47]

headless/ LGTM

[Paweł Hajdan Jr., 2016-07-22 13:17:30]

chrome/test LGTM

[halliwell, 2016-07-22 13:22:42]

On 2016/07/22 13:17:30, Paweł Hajdan Jr. wrote:
> chrome/test LGTM

chromecast/ lgtm

[David Trainor- moved to gerrit, 2016-07-22 16:14:17]

blimp/ lgtm thanks!

[jam, 2016-07-22 16:26:22]

Can the motivation be spelled out (both for me to understand it, and for future
developers)? The bug doesn't describe the issue, and just has a link to a long
code review.

[mmenke, 2016-07-22 17:59:43]

On 2016/07/22 16:26:22, jam wrote:
> Can the motivation be spelled out (both for me to understand it, and for
future
> developers)? The bug doesn't describe the issue, and just has a link to a long
> code review.

The issue is that the StoragePartition is outliving the ProfileIOData, which
StorageParition and its consumers indirectly depend on.

[jam, 2016-07-22 21:12:00]

On 2016/07/22 17:59:43, mmenke wrote:
> On 2016/07/22 16:26:22, jam wrote:
> > Can the motivation be spelled out (both for me to understand it, and for
> future
> > developers)? The bug doesn't describe the issue, and just has a link to a
long
> > code review.
> 
> The issue is that the StoragePartition is outliving the ProfileIOData, which
> StorageParition and its consumers indirectly depend on.

Can you expand? i.e. what are the sequence of events that lead to a UAF? 

In general, depending on embedders to call a method is something they can forget
to do, that's why I'm trying to understand why we would add something that could
be error prone.

[mmenke, 2016-07-22 21:18:50]

On 2016/07/22 21:12:00, jam wrote:
> On 2016/07/22 17:59:43, mmenke wrote:
> > On 2016/07/22 16:26:22, jam wrote:
> > > Can the motivation be spelled out (both for me to understand it, and for
> > future
> > > developers)? The bug doesn't describe the issue, and just has a link to a
> long
> > > code review.
> > 
> > The issue is that the StoragePartition is outliving the ProfileIOData, which
> > StorageParition and its consumers indirectly depend on.
> 
> Can you expand? i.e. what are the sequence of events that lead to a UAF? 
> 
> In general, depending on embedders to call a method is something they can
forget
> to do, that's why I'm trying to understand why we would add something that
could
> be error prone.

I'll defer to kinuko on that, as I don't know the specifics.  I know
ProfileIOData owns the ResourceContext and the URLRequestContext, and that
StoragePartition and all sorts of content/ code depends on them, but content has
no direct control over the lifetime of any of it (Beyond whatever path triggers
BrowserContext destruction) but that's about the extent of my knowledge.  The
original bug is actually about dereferencing ProfileIOData itself, I believe.

[kinuko, 2016-07-25 15:00:42]

Description was changed from

==========
Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

BUG=529896
==========

to

==========
Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

Content modules that are hung on StoragePartition often try to dereference
ResourceContext
(which is owned by ProfileIOData in chromium cases) even after ResourceContext
is destroyed,
so it could easily lead to U-A-F.  This happens because StoragePartitions are
destroyed in
BrowserContext's dtor, while ProfileIOData and any other objects that are
managed/owned by
BrowserContext's subclasses are usually destroyed earlier than that (i.e. their
destructors run
before the base class's one).

This change tries to add a new explicit method,
BrowserContext::ShutdownStoragePartitions,
and let embedders call it before the embedders are going to destroy/shutdown
their own
objects (which include ResourceContext), so that content modules can safely
assume they can
dereference those objects while StoragePartition's still there.

BUG=529896
==========

[kinuko, 2016-07-25 15:02:10]

Description was changed from

==========
Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

Content modules that are hung on StoragePartition often try to dereference
ResourceContext
(which is owned by ProfileIOData in chromium cases) even after ResourceContext
is destroyed,
so it could easily lead to U-A-F.  This happens because StoragePartitions are
destroyed in
BrowserContext's dtor, while ProfileIOData and any other objects that are
managed/owned by
BrowserContext's subclasses are usually destroyed earlier than that (i.e. their
destructors run
before the base class's one).

This change tries to add a new explicit method,
BrowserContext::ShutdownStoragePartitions,
and let embedders call it before the embedders are going to destroy/shutdown
their own
objects (which include ResourceContext), so that content modules can safely
assume they can
dereference those objects while StoragePartition's still there.

BUG=529896
==========

to

==========
Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

Content modules that are hung on StoragePartition often try to dereference 
ResourceContext (which is owned by ProfileIOData in chromium cases) even after 
ResourceContext is destroyed, so it could easily lead to U-A-F.  This happens 
because StoragePartitions are destroyed in BrowserContext's dtor, while 
ProfileIOData and any other objects that are managed/owned by BrowserContext's 
subclasses are usually destroyed earlier than that (i.e. their destructors run
before the base class's one).

This change tries to add a new explicit method, 
BrowserContext::ShutdownStoragePartitions, and let embedders call it before 
the embedders are going to destroy/shutdown their own objects (which include 
ResourceContext), so that content modules can safely assume they can
dereference those objects while its StoragePartition's still there.

BUG=529896
==========

[kinuko, 2016-07-25 15:05:56]

On 2016/07/22 21:18:50, mmenke wrote:
> On 2016/07/22 21:12:00, jam wrote:
> > On 2016/07/22 17:59:43, mmenke wrote:
> > > On 2016/07/22 16:26:22, jam wrote:
> > > > Can the motivation be spelled out (both for me to understand it, and for
> > > future
> > > > developers)? The bug doesn't describe the issue, and just has a link to
a
> > long
> > > > code review.

I've added a little more informative explanation in the issue description.

> > > The issue is that the StoragePartition is outliving the ProfileIOData,
which
> > > StorageParition and its consumers indirectly depend on.
> > 
> > Can you expand? i.e. what are the sequence of events that lead to a UAF? 

Yes it leads to a UAF.  Basically what mmenke@ says, but let me try to expand a
little further (a bit lengthy):

Several content modules that are hung on StoragePartitions dereference
ResourceContext (obtained via BrowserContext::ResourceContext) to access context
information for resource loading, but ResourceContext's lifetime is managed by
embedders and it could be destroyed at any time before the content modules can
know when, which could lead to UAF.  There is a known trick to avoid it that
works only in chrome/chromium cases, by using URLRequestContextGetter (which is
also managed by embedders and can be obtained via
BrowserContext::CreateRequestContext), as it dispatches 'OnContextShuttingDown'
notifications to its observers before it gets destructed and it usually means
ResourceContext is going away too, but this notification is only available when
embedder=chromium cases.  

There could be several ways to avoid this ResourceContext U-A-F situation in
content (and some of these could be combined / implemented together too), to
name a few:
1. implement notification mechanism similar to URLRequestContextGetterObserver
(embedders need to trigger the notification)
2. make sure we shut down StoragePartition before the embedder destroys
BrowserContext/Profile-owned objects (embedders need to trigger the shutdown
because when StoragePartition's destroyed in BrowserContext's dtor the objects
owned by its subclass are already gone)
3. implement weak-ptr like mechanism similar to URLRequestContextGetter (we need
to change all the code that dereferences ResourceContext to check if it's
already null)

Both 1 and 2 require embedder's cooperation, and this CL tries to implement 2 as
I thought it'd be probably easier / clearer than 1, i.e. requiring embedders
implement various notifications for different objects.

3 could be implemented in addition to 1 and 2, but changing all the code that
dereferences ResourceContext to gracefully handle the cases where
ResourceContext is already null requires more cross-cutting efforts, and I
wanted to first try making the lifetime contract between content and embedders
clearer before trying approach 3.

> > In general, depending on embedders to call a method is something they can
> forget
> > to do, that's why I'm trying to understand why we would add something that
> could
> > be error prone.

Yep, that's understandable.  I'm hoping this change makes the lifetime issue
clearer to embedders to (and we have DCHECK so it's easier to detect when
embedders forget to call the method), but I'm open to other suggestions too.

> I'll defer to kinuko on that, as I don't know the specifics.  I know
> ProfileIOData owns the ResourceContext and the URLRequestContext, and that
> StoragePartition and all sorts of content/ code depends on them, but content
has
> no direct control over the lifetime of any of it (Beyond whatever path
triggers
> BrowserContext destruction) but that's about the extent of my knowledge.  The
> original bug is actually about dereferencing ProfileIOData itself, I believe.

[jam, 2016-07-25 19:17:34]

On 2016/07/25 15:05:56, kinuko wrote:
> On 2016/07/22 21:18:50, mmenke wrote:
> > On 2016/07/22 21:12:00, jam wrote:
> > > On 2016/07/22 17:59:43, mmenke wrote:
> > > > On 2016/07/22 16:26:22, jam wrote:
> > > > > Can the motivation be spelled out (both for me to understand it, and
for
> > > > future
> > > > > developers)? The bug doesn't describe the issue, and just has a link
to
> a
> > > long
> > > > > code review.
> 
> I've added a little more informative explanation in the issue description.
> 
> > > > The issue is that the StoragePartition is outliving the ProfileIOData,
> which
> > > > StorageParition and its consumers indirectly depend on.
> > > 
> > > Can you expand? i.e. what are the sequence of events that lead to a UAF? 
> 
> Yes it leads to a UAF.  Basically what mmenke@ says, but let me try to expand
a
> little further (a bit lengthy):
> 
> Several content modules that are hung on StoragePartitions dereference
> ResourceContext (obtained via BrowserContext::ResourceContext) to access
context
> information for resource loading, but ResourceContext's lifetime is managed by
> embedders and it could be destroyed at any time before the content modules can
> know when, which could lead to UAF.  There is a known trick to avoid it that
> works only in chrome/chromium cases, by using URLRequestContextGetter (which
is
> also managed by embedders and can be obtained via
> BrowserContext::CreateRequestContext), as it dispatches
'OnContextShuttingDown'
> notifications to its observers before it gets destructed and it usually means
> ResourceContext is going away too, but this notification is only available
when
> embedder=chromium cases.  
> 
> There could be several ways to avoid this ResourceContext U-A-F situation in
> content (and some of these could be combined / implemented together too), to
> name a few:
> 1. implement notification mechanism similar to URLRequestContextGetterObserver
> (embedders need to trigger the notification)
> 2. make sure we shut down StoragePartition before the embedder destroys
> BrowserContext/Profile-owned objects (embedders need to trigger the shutdown
> because when StoragePartition's destroyed in BrowserContext's dtor the objects
> owned by its subclass are already gone)
> 3. implement weak-ptr like mechanism similar to URLRequestContextGetter (we
need
> to change all the code that dereferences ResourceContext to check if it's
> already null)
> 
> Both 1 and 2 require embedder's cooperation, and this CL tries to implement 2
as
> I thought it'd be probably easier / clearer than 1, i.e. requiring embedders
> implement various notifications for different objects.
> 
> 3 could be implemented in addition to 1 and 2, but changing all the code that
> dereferences ResourceContext to gracefully handle the cases where
> ResourceContext is already null requires more cross-cutting efforts, and I
> wanted to first try making the lifetime contract between content and embedders
> clearer before trying approach 3.
> 
> > > In general, depending on embedders to call a method is something they can
> > forget
> > > to do, that's why I'm trying to understand why we would add something that
> > could
> > > be error prone.
> 
> Yep, that's understandable.  I'm hoping this change makes the lifetime issue
> clearer to embedders to (and we have DCHECK so it's easier to detect when
> embedders forget to call the method), but I'm open to other suggestions too.
> 
> > I'll defer to kinuko on that, as I don't know the specifics.  I know
> > ProfileIOData owns the ResourceContext and the URLRequestContext, and that
> > StoragePartition and all sorts of content/ code depends on them, but content
> has
> > no direct control over the lifetime of any of it (Beyond whatever path
> triggers
> > BrowserContext destruction) but that's about the extent of my knowledge. 
The
> > original bug is actually about dereferencing ProfileIOData itself, I
believe.

Thanks for the explanation, especially the discussion about various strategies
which explains why this is the best one pragmatically at this point.

lgtm

[michaeln, 2016-07-25 22:42:37]

lgtm 2 !

[kinuko, 2016-07-26 11:56:06]

The CQ bit was checked by kinuko@chromium.org

[kinuko, 2016-07-26 11:56:06]

The patchset sent to the CQ was uploaded after l-g-t-m from mmenke@chromium.org
Link to the patchset: https://codereview.chromium.org/2159133002/#ps240001
(title: "addressed comments")

[commit-bot: I haz the power, 2016-07-26 11:56:20]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-26 13:27:43]

Description was changed from

==========
Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

Content modules that are hung on StoragePartition often try to dereference 
ResourceContext (which is owned by ProfileIOData in chromium cases) even after 
ResourceContext is destroyed, so it could easily lead to U-A-F.  This happens 
because StoragePartitions are destroyed in BrowserContext's dtor, while 
ProfileIOData and any other objects that are managed/owned by BrowserContext's 
subclasses are usually destroyed earlier than that (i.e. their destructors run
before the base class's one).

This change tries to add a new explicit method, 
BrowserContext::ShutdownStoragePartitions, and let embedders call it before 
the embedders are going to destroy/shutdown their own objects (which include 
ResourceContext), so that content modules can safely assume they can
dereference those objects while its StoragePartition's still there.

BUG=529896
==========

to

==========
Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

Content modules that are hung on StoragePartition often try to dereference 
ResourceContext (which is owned by ProfileIOData in chromium cases) even after 
ResourceContext is destroyed, so it could easily lead to U-A-F.  This happens 
because StoragePartitions are destroyed in BrowserContext's dtor, while 
ProfileIOData and any other objects that are managed/owned by BrowserContext's 
subclasses are usually destroyed earlier than that (i.e. their destructors run
before the base class's one).

This change tries to add a new explicit method, 
BrowserContext::ShutdownStoragePartitions, and let embedders call it before 
the embedders are going to destroy/shutdown their own objects (which include 
ResourceContext), so that content modules can safely assume they can
dereference those objects while its StoragePartition's still there.

BUG=529896
==========

[commit-bot: I haz the power, 2016-07-26 13:27:46]

Committed patchset #7 (id:240001)

[commit-bot: I haz the power, 2016-07-26 13:29:07]

Description was changed from

==========
Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

Content modules that are hung on StoragePartition often try to dereference 
ResourceContext (which is owned by ProfileIOData in chromium cases) even after 
ResourceContext is destroyed, so it could easily lead to U-A-F.  This happens 
because StoragePartitions are destroyed in BrowserContext's dtor, while 
ProfileIOData and any other objects that are managed/owned by BrowserContext's 
subclasses are usually destroyed earlier than that (i.e. their destructors run
before the base class's one).

This change tries to add a new explicit method, 
BrowserContext::ShutdownStoragePartitions, and let embedders call it before 
the embedders are going to destroy/shutdown their own objects (which include 
ResourceContext), so that content modules can safely assume they can
dereference those objects while its StoragePartition's still there.

BUG=529896
==========

to

==========
Shutdown StoragePartition before ProfileIOData is being shut down

- Expose a new ShutdownStoragePartitions method on BrowserContext
- Calls the new method in the subclasses of BrowserContext before actual
  destruction / shutdown starts

Content modules that are hung on StoragePartition often try to dereference
ResourceContext (which is owned by ProfileIOData in chromium cases) even after
ResourceContext is destroyed, so it could easily lead to U-A-F.  This happens
because StoragePartitions are destroyed in BrowserContext's dtor, while
ProfileIOData and any other objects that are managed/owned by BrowserContext's
subclasses are usually destroyed earlier than that (i.e. their destructors run
before the base class's one).

This change tries to add a new explicit method,
BrowserContext::ShutdownStoragePartitions, and let embedders call it before
the embedders are going to destroy/shutdown their own objects (which include
ResourceContext), so that content modules can safely assume they can
dereference those objects while its StoragePartition's still there.

BUG=529896

Committed: https://crrev.com/f6ed359c6f34261f93f3ac5431c7f7526d500262
Cr-Commit-Position: refs/heads/master@{#407781}
==========

[commit-bot: I haz the power, 2016-07-26 13:29:10]

Patchset 7 (id:??) landed as
https://crrev.com/f6ed359c6f34261f93f3ac5431c7f7526d500262
Cr-Commit-Position: refs/heads/master@{#407781}