Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(565)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/win/src/broker_services.cc

Issue 2316333003: Fix sandbox::PolicyBase leak (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: avoid using RefCountedThreadSafe Created 4 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « sandbox/win/src/broker_services.h ('k') | sandbox/win/src/policy_target_test.cc » ('j') | sandbox/win/src/sandbox_policy_base.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/win/src/broker_services.cc
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc
index b33889dcd3f2f15ac52472f2a2c879ecb0e3dc8f..24a86e41a30a9920fe6e787c63e0405051e17575 100644
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -54,7 +54,8 @@ enum {
// Helper structure that allows the Broker to associate a job notification
// with a job object and with a policy.
struct JobTracker {
- JobTracker(base::win::ScopedHandle job, sandbox::PolicyBase* policy)
+ JobTracker(base::win::ScopedHandle job,
+ scoped_refptr<sandbox::PolicyBase> policy)
: job(std::move(job)), policy(policy) {}
~JobTracker() {
FreeResources();
@@ -65,7 +66,7 @@ struct JobTracker {
void FreeResources();
base::win::ScopedHandle job;
- sandbox::PolicyBase* policy;
+ scoped_refptr<sandbox::PolicyBase> policy;
};
void JobTracker::FreeResources() {
@@ -79,8 +80,7 @@ void JobTracker::FreeResources() {
// In OnJobEmpty() we don't actually use the job handle directly.
policy->OnJobEmpty(stale_job_handle);
- policy->Release();
- policy = NULL;
+ policy = nullptr;
}
}
@@ -142,10 +142,10 @@ BrokerServicesBase::~BrokerServicesBase() {
::DeleteCriticalSection(&lock_);
}
-TargetPolicy* BrokerServicesBase::CreatePolicy() {
+scoped_refptr<TargetPolicy> BrokerServicesBase::CreatePolicy() {
// If you change the type of the object being created here you must also
// change the downcast to it in SpawnTarget().
- return new PolicyBase;
+ return scoped_refptr<TargetPolicy>(new PolicyBase);
}
// The worker thread stays in a loop waiting for asynchronous notifications
@@ -268,7 +268,7 @@ DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) {
// process inside the sandbox.
ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
const wchar_t* command_line,
- TargetPolicy* policy,
+ scoped_refptr<TargetPolicy> policy,
ResultCode* last_warning,
DWORD* last_error,
PROCESS_INFORMATION* target_info) {
@@ -289,7 +289,7 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
AutoLock lock(&lock_);
// This downcast is safe as long as we control CreatePolicy()
- PolicyBase* policy_base = static_cast<PolicyBase*>(policy);
+ scoped_refptr<PolicyBase> policy_base(static_cast<PolicyBase*>(policy.get()));
// Construct the tokens and the job object that we are going to associate
// with the soon to be created target process.
@@ -441,7 +441,6 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
// We are going to keep a pointer to the policy because we'll call it when
// the job object generates notifications using the completion port.
- policy_base->AddRef();
if (job.IsValid()) {
std::unique_ptr<JobTracker> tracker(
new JobTracker(std::move(job), policy_base));
« no previous file with comments | « sandbox/win/src/broker_services.h ('k') | sandbox/win/src/policy_target_test.cc » ('j') | sandbox/win/src/sandbox_policy_base.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698