Chromium Code Reviews Chromium Code Reviews
Issue
2453113002:
Fix object-lifetime issues in async GetProof callpaths (Closed)
DescriptionFix object-lifetime issues in async GetProof callpaths
This CL addresses two categories of object-lifetime issues that were uncovered during Mentat testing. The first problem is that the lifetime of Stream objects is decoupled from the some async operations which call through Stream code, leading to use-after-free crashes if the Stream is destroyed while an async operation is in progress.
The second problem is that the async GetProof operations assume that some some subobjects of the Stream will continue to exist until the async operation completes - which is violated if the Stream is destroyed early.
The solution is twofold: first, the Stream's callback object needs cancellation support wired into the Stream, so that the Stream's destructor will disarm the callback from calling back into the Stream when it completes. Second, the subobjects of the Stream which need to live until the async operation completes are converted to use refcounted ownership semantics, so that the async operation can extend their lifetime.
This behavior is tested in a whitebox manner by setting up a situation in which a Stream calls into the async GetProof and the test destroys the Stream before that async operation is allowed to complete. Under asan, this reliably reproduces the problem. I have also tested this CL "in the wild" on a GFE experiment machine serving real traffic.
Fix memory-lifetime issues in QuicCryptoServerStream. The problems as well as the fix are protected by a number of existing flags, primarily FLAGS_enable_async_get_proof
Merge internal change: 136609079
R=rch@chromium.org
BUG=
Patch Set 1 #Patch Set 2 : rebase-update #Patch Set 3 : Updated patchset dependency #Depends on Patchset: Dependent Patchsets: Messages
Total messages: 10 (8 generated)
|
