[Mojo-Loading] Dispatch body data after response is received

content/child/url_response_body_consumer.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/child/url_response_body_consumer.h"
 
 #include "base/bind.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "content/child/resource_dispatcher.h"
@@ skipping 31 matching lines @@
 
 URLResponseBodyConsumer::URLResponseBodyConsumer(
     int request_id,
     ResourceDispatcher* resource_dispatcher,
     mojo::ScopedDataPipeConsumerHandle handle,
     scoped_refptr<base::SingleThreadTaskRunner> task_runner)
     : request_id_(request_id),
       resource_dispatcher_(resource_dispatcher),
       handle_(std::move(handle)),
       handle_watcher_(task_runner),
-      has_seen_end_of_data_(!handle_.is_valid()) {
+      has_seen_end_of_data_(!handle_.is_valid()) {}
+
+URLResponseBodyConsumer::~URLResponseBodyConsumer() {}
+
+void URLResponseBodyConsumer::Start(base::SingleThreadTaskRunner* task_runner) {
+  if (has_been_cancelled_)
+    return;
   handle_watcher_.Start(
       handle_.get(), MOJO_HANDLE_SIGNAL_READABLE,
       base::Bind(&URLResponseBodyConsumer::OnReadable, base::Unretained(this)));
   task_runner->PostTask(
       FROM_HERE, base::Bind(&URLResponseBodyConsumer::OnReadable, AsWeakPtr(),
                             MOJO_RESULT_OK));
 }
 
-URLResponseBodyConsumer::~URLResponseBodyConsumer() {}
-
 void URLResponseBodyConsumer::OnComplete(
     const ResourceRequestCompletionStatus& status) {
   if (has_been_cancelled_)
     return;
   has_received_completion_ = true;
   completion_status_ = status;
   NotifyCompletionIfAppropriate();
 }
 
 void URLResponseBodyConsumer::Cancel() {
   has_been_cancelled_ = true;
   handle_watcher_.Cancel();
 }
 
 void URLResponseBodyConsumer::Reclaim(uint32_t size) {
   MojoResult result = mojo::EndReadDataRaw(handle_.get(), size);
   DCHECK_EQ(MOJO_RESULT_OK, result);
 }
 
 void URLResponseBodyConsumer::OnReadable(MojoResult unused) {
   if (has_been_cancelled_ || has_seen_end_of_data_)
     return;
 
   // TODO(yhirano): Suppress notification when deferred.
   while (!has_been_cancelled_) {

[tapted, 2016/11/04 08:44:06]

So the UAF is actually down here, so https://codereview.chromium.org/2463753002/
(which started running the test) is probably the one that needs reverting. I
cancelled the revert of this CL.



==4==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000b75d1 at
pc 0x00000686e88c bp 0x7fffa32eeff0 sp 0x7fffa32eefe8
READ of size 1 at 0x60e0000b75d1 thread T0 (content_shell)
    #0 0x686e88b in OnReadable content/child/url_response_body_consumer.cc:91:11
    #1 0x46069ff in Run base/callback.h:64:12
    #2 0x46069ff in OnHandleReady mojo/public/cpp/system/watcher.cc:122:0
    #3 0x416c973 in Run base/callback.h:47:12
    #4 0x416c973 in RunTask base/debug/task_annotator.cc:52:0
    #5 0x71db744 in ProcessTaskFromWorkQueue
third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:378:19
    #6 0x71d77c9 in DoWork
third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:253:13
    #7 0x416c973 in Run base/callback.h:47:12
    #8 0x416c973 in RunTask base/debug/task_annotator.cc:52:0
    #9 0x403b960 in RunTask base/message_loop/message_loop.cc:413:19
    #10 0x403c255 in DeferOrRunPendingTask
base/message_loop/message_loop.cc:422:5
    #11 0x403d0de in DoWork base/message_loop/message_loop.cc:515:13
    #12 0x4045600 in Run base/message_loop/message_pump_default.cc:35:31
    #13 0x403b0d0 in RunHandler base/message_loop/message_loop.cc:378:10
    #14 0x40907e5 in Run base/run_loop.cc:35:10
    #15 0x6a4eabf in RendererMain content/renderer/renderer_main.cc:198:23
    #16 0x2eea179 in RunZygote content/app/content_main_runner.cc:336:14
    #17 0x2eecf19 in Run content/app/content_main_runner.cc:776:12
    #18 0x2ed8f5a in ContentMain content/app/content_main.cc:20:28
    #19 0x51831d in main content/shell/app/shell_main.cc:48:10
    #20 0x7f1b049c576c in __libc_start_main
/build/eglibc-rrybNj/eglibc-2.15/csu/libc-start.c:226:0

0x60e0000b75d1 is located 145 bytes inside of 152-byte region
[0x60e0000b7540,0x60e0000b75d8)
freed by thread T0 (content_shell) here:
    #0 0x515ceb in operator delete(void*) ??:0
    #1 0x686f7e2 in Release base/memory/ref_counted.h:135:7
    #2 0x686f7e2 in Release base/memory/ref_counted.h:406:0
    #3 0x686f7e2 in ~scoped_refptr base/memory/ref_counted.h:308:0
    #4 0x686f7e2 in ~ReceivedData
content/child/url_response_body_consumer.cc:25:0
    #5 0x686f7e2 in ~ReceivedData
content/child/url_response_body_consumer.cc:25:0
    #6 0xc782b14 in operator()
buildtools/third_party/libc++/trunk/include/memory:2529:13
    #7 0xc782b14 in reset
buildtools/third_party/libc++/trunk/include/memory:2735:0
    #8 0xc782b14 in ~unique_ptr
buildtools/third_party/libc++/trunk/include/memory:2703:0
    #9 0xc782b14 in OnReceivedData content/child/web_url_loader_impl.cc:988:0
    #10 0x686e757 in OnReadable
content/child/url_response_body_consumer.cc:113:25
    #11 0x46069ff in Run base/callback.h:64:12
    #12 0x46069ff in OnHandleReady mojo/public/cpp/system/watcher.cc:122:0
    #13 0x416c973 in Run base/callback.h:47:12
    #14 0x416c973 in RunTask base/debug/task_annotator.cc:52:0
    #15 0x71db744 in ProcessTaskFromWorkQueue
third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:378:19
    #16 0x71d77c9 in DoWork
third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:253:13
    #17 0x416c973 in Run base/callback.h:47:12
    #18 0x416c973 in RunTask base/debug/task_annotator.cc:52:0
    #19 0x403b960 in RunTask base/message_loop/message_loop.cc:413:19
    #20 0x403c255 in DeferOrRunPendingTask
base/message_loop/message_loop.cc:422:5
    #21 0x403d0de in DoWork base/message_loop/message_loop.cc:515:13
    #22 0x4045600 in Run base/message_loop/message_pump_default.cc:35:31
    #23 0x403b0d0 in RunHandler base/message_loop/message_loop.cc:378:10
    #24 0x40907e5 in Run base/run_loop.cc:35:10
    #25 0x6a4eabf in RendererMain content/renderer/renderer_main.cc:198:23
    #26 0x2eea179 in RunZygote content/app/content_main_runner.cc:336:14
    #27 0x2eecf19 in Run content/app/content_main_runner.cc:776:12
    #28 0x2ed8f5a in ContentMain content/app/content_main.cc:20:28
    #29 0x51831d in main content/shell/app/shell_main.cc:48:10
    #30 0x7f1b049c576c in __libc_start_main
/build/eglibc-rrybNj/eglibc-2.15/csu/libc-start.c:226:0

previously allocated by thread T0 (content_shell) here:
    #0 0x5150ab in operator new(unsigned long) ??:0
    #1 0x685b8ef in OnStartLoadingResponseBody
content/child/resource_dispatcher.cc:102:22
    #2 0x77973d in Accept
./out/Release/gen/content/common/url_loader.mojom.cc:396:13
    #3 0x45d56e8 in HandleValidatedMessage
mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:339:32
    #4 0x45e3b42 in ProcessIncomingMessage
mojo/public/cpp/bindings/lib/multiplex_router.cc:824:22
    #5 0x45e2d47 in Accept
mojo/public/cpp/bindings/lib/multiplex_router.cc:536:25
    #6 0x45cf394 in ReadSingleMessage
mojo/public/cpp/bindings/lib/connector.cc:247:51
    #7 0x45cfd64 in ReadAllAvailableMessages
mojo/public/cpp/bindings/lib/connector.cc:272:10
    #8 0x45cfd64 in OnHandleReadyInternal
mojo/public/cpp/bindings/lib/connector.cc:205:0
    #9 0x45cfd64 in OnWatcherHandleReady
mojo/public/cpp/bindings/lib/connector.cc:183:0
    #10 0x46069ff in Run base/callback.h:64:12
    #11 0x46069ff in OnHandleReady mojo/public/cpp/system/watcher.cc:122:0
    #12 0x416c973 in Run base/callback.h:47:12
    #13 0x416c973 in RunTask base/debug/task_annotator.cc:52:0
    #14 0x71db744 in ProcessTaskFromWorkQueue
third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:378:19
    #15 0x71d77c9 in DoWork
third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:253:13
    #16 0x416c973 in Run base/callback.h:47:12
    #17 0x416c973 in RunTask base/debug/task_annotator.cc:52:0
    #18 0x403b960 in RunTask base/message_loop/message_loop.cc:413:19
    #19 0x403c255 in DeferOrRunPendingTask
base/message_loop/message_loop.cc:422:5
    #20 0x403d0de in DoWork base/message_loop/message_loop.cc:515:13
    #21 0x4045600 in Run base/message_loop/message_pump_default.cc:35:31
    #22 0x403b0d0 in RunHandler base/message_loop/message_loop.cc:378:10
    #23 0x40907e5 in Run base/run_loop.cc:35:10
    #24 0x6a4eabf in RendererMain content/renderer/renderer_main.cc:198:23
    #25 0x2eea179 in RunZygote content/app/content_main_runner.cc:336:14
    #26 0x2eecf19 in Run content/app/content_main_runner.cc:776:12
    #27 0x2ed8f5a in ContentMain content/app/content_main.cc:20:28
    #28 0x51831d in main content/shell/app/shell_main.cc:48:10
    #29 0x7f1b049c576c in __libc_start_main
/build/eglibc-rrybNj/eglibc-2.15/csu/libc-start.c:226:0

     const void* buffer = nullptr;
     uint32_t available = 0;
     MojoResult result = mojo::BeginReadDataRaw(
         handle_.get(), &buffer, &available, MOJO_READ_DATA_FLAG_NONE);
     if (result == MOJO_RESULT_SHOULD_WAIT)
       return;
     if (result == MOJO_RESULT_FAILED_PRECONDITION) {
       has_seen_end_of_data_ = true;
       NotifyCompletionIfAppropriate();
       return;
@@ skipping 20 matching lines @@
     return;
   // Cancel this instance in order not to notify twice.
   Cancel();
 
   resource_dispatcher_->OnMessageReceived(
       ResourceMsg_RequestComplete(request_id_, completion_status_));
   // |this| may be deleted.
 }
 
 }  // namespace content