Fixing OOM crash in base::ProcessMetrics::GetWorkingSetKBytes

base/process/process_metrics_win.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/process/process_metrics.h"
 
 #include <windows.h>
 #include <psapi.h>
 #include <stddef.h>
 #include <stdint.h>
 #include <winternl.h>
 
 #include <algorithm>
+#include <memory>
 
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/sys_info.h"
 
 namespace base {
 namespace {
 
 // System pagesize. This value remains constant on x86/64 architectures.
 const int PAGESIZE_KB = 4;
@@ skipping 117 matching lines @@
 }
 
 bool ProcessMetrics::GetWorkingSetKBytes(WorkingSetKBytes* ws_usage) const {
   size_t ws_private = 0;
   size_t ws_shareable = 0;
   size_t ws_shared = 0;
 
   DCHECK(ws_usage);
   memset(ws_usage, 0, sizeof(*ws_usage));
 
-  DWORD number_of_entries = 4096;  // Just a guess.
-  PSAPI_WORKING_SET_INFORMATION* buffer = NULL;
+  // Call QueryWorkingSet once to get number of items.
+  PSAPI_WORKING_SET_INFORMATION initial_buffer;
+  QueryWorkingSet(process_, &initial_buffer, sizeof(initial_buffer));
+  if (GetLastError() != ERROR_BAD_LENGTH)
+    return false;
+
+  DWORD number_of_entries = static_cast<DWORD>(initial_buffer.NumberOfEntries);
+
+  std::unique_ptr<PSAPI_WORKING_SET_INFORMATION> buffer;
   int retries = 5;
   for (;;) {
+    // Maybe some entries are being added right now. Increase the buffer to
+    // take that into account.
+    number_of_entries = static_cast<DWORD>(number_of_entries * 1.1);
+
     DWORD buffer_size = sizeof(PSAPI_WORKING_SET_INFORMATION) +
                         (number_of_entries * sizeof(PSAPI_WORKING_SET_BLOCK));
 
-    // if we can't expand the buffer, don't leak the previous
-    // contents or pass a NULL pointer to QueryWorkingSet
-    PSAPI_WORKING_SET_INFORMATION* new_buffer =
-        reinterpret_cast<PSAPI_WORKING_SET_INFORMATION*>(
-            realloc(buffer, buffer_size));
-    if (!new_buffer) {
-      free(buffer);
-      return false;
-    }
-    buffer = new_buffer;
+    // Allocate the buffer.
+    DCHECK(!buffer.get());
+    buffer.reset(reinterpret_cast<PSAPI_WORKING_SET_INFORMATION*>(
+        new uint8_t[buffer_size]));

[brucedawson, 2016/09/07 00:41:12]

This seems slightly dodgy, using unique_ptr to hold a pointer that has had
reinterpet_cast run on it. It means that the new and delete calls will have
mismatched sizes.

I'd suggest a vector<uint8_t> except that then we get the zero initialization
behavior that would waste memory. Sigh...

Would be best to have std::unique_ptr<uint8_t> and cast that result when you use
it, except that even then you are misusing unique_ptr which always does a scalar
delete - not legal for an array.

 
     // Call the function once to get number of items
-    if (QueryWorkingSet(process_, buffer, buffer_size))
+    if (QueryWorkingSet(process_, buffer.get(), buffer_size))
       break;  // Success
 
-    if (GetLastError() != ERROR_BAD_LENGTH) {
-      free(buffer);
+    if (GetLastError() != ERROR_BAD_LENGTH)
       return false;
-    }
 
+    // Need to grow the number of entries.
     number_of_entries = static_cast<DWORD>(buffer->NumberOfEntries);
-
-    // Maybe some entries are being added right now. Increase the buffer to
-    // take that into account.
-    number_of_entries = static_cast<DWORD>(number_of_entries * 1.25);
+    // Free the current buffer before allocating one with larger size.
+    buffer.reset();
 
     if (--retries == 0) {
-      free(buffer);  // If we're looping, eventually fail.
+      // If we're looping, eventually fail.
       return false;
     }
   }
 
   // On windows 2000 the function returns 1 even when the buffer is too small.
   // The number of entries that we are going to parse is the minimum between the
   // size we allocated and the real number of entries.
   number_of_entries =
       std::min(number_of_entries, static_cast<DWORD>(buffer->NumberOfEntries));
   for (unsigned int i = 0; i < number_of_entries; i++) {
     if (buffer->WorkingSetInfo[i].Shared) {
       ws_shareable++;
       if (buffer->WorkingSetInfo[i].ShareCount > 1)
         ws_shared++;
     } else {
       ws_private++;
     }
   }
 
   ws_usage->priv = ws_private * PAGESIZE_KB;
   ws_usage->shareable = ws_shareable * PAGESIZE_KB;
   ws_usage->shared = ws_shared * PAGESIZE_KB;
-  free(buffer);
   return true;
 }
 
 static uint64_t FileTimeToUTC(const FILETIME& ftime) {
   LARGE_INTEGER li;
   li.LowPart = ftime.dwLowDateTime;
   li.HighPart = ftime.dwHighDateTime;
   return li.QuadPart;
 }
 
@@ skipping 76 matching lines @@
 
   meminfo->total = mem_status.ullTotalPhys / 1024;
   meminfo->free = mem_status.ullAvailPhys / 1024;
   meminfo->swap_total = mem_status.ullTotalPageFile / 1024;
   meminfo->swap_free = mem_status.ullAvailPageFile / 1024;
 
   return true;
 }
 
 }  // namespace base