chrome/renderer/chrome_content_renderer_client.cc - Issue 2613803005: [win] Enable ModuleDatabase behind a flag.

Side by Side Diff: chrome/renderer/chrome_content_renderer_client.cc

Issue 2613803005: [win] Enable ModuleDatabase behind a flag. (Closed)

Patch Set: Created 3 years, 11 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chrome/renderer/chrome_content_renderer_client.h"	5 #include "chrome/renderer/chrome_content_renderer_client.h"

6	6

7 #include <memory>	7 #include <memory>

8 #include <utility>	8 #include <utility>

9	9

10 #include "base/command_line.h"	10 #include "base/command_line.h"

(...skipping 276 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
287 continue_loading_cb_.Run();	287 continue_loading_cb_.Run();

288 delete this;	288 delete this;

289 }	289 }

290 void OnDestruct() override { delete this; }	290 void OnDestruct() override { delete this; }

291	291

292 const base::Closure continue_loading_cb_;	292 const base::Closure continue_loading_cb_;

293	293

294 DISALLOW_COPY_AND_ASSIGN(MediaLoadDeferrer);	294 DISALLOW_COPY_AND_ASSIGN(MediaLoadDeferrer);

295 };	295 };

296	296

	297 #if defined(OS_WIN)

	298 // Dispatches a module \|event\| to the provided \|module_database\| interface.
	grt (UTC plus 2) 2017/01/06 09:44:58 nit: module_database -> module_event_sink? nit: module_database -> module_event_sink? chrisha 2017/01/10 21:01:46 Done. Show quoted text On 2017/01/06 09:44:58, grt (UTC plus 1) wrote: > nit: module_database -> module_event_sink? Done.
	299 void OnModuleEventImpl(mojom::ModuleEventSinkPtr* module_event_sink,
	grt (UTC plus 2) 2017/01/06 09:44:58 this will trigger a UAF if a ChromeContentRenderer this will trigger a UAF if a ChromeContentRendererClient can be destroyed after OnModuleEvent is called but before the IO thread picks up OnModuleEventImpl, no (mojom::ModuleEventSinkPtr will have been destroyed)? is this possible? chrisha 2017/01/10 21:01:46 Great catch. ChromeContentRendererClient is a lazy Show quoted text On 2017/01/06 09:44:58, grt (UTC plus 1) wrote: > this will trigger a UAF if a ChromeContentRendererClient can be destroyed after > OnModuleEvent is called but before the IO thread picks up OnModuleEventImpl, no > (mojom::ModuleEventSinkPtr will have been destroyed)? is this possible? Great catch. ChromeContentRendererClient is a lazy initialized singleton that is leaked, so this is not an issue. It lives here: https://cs.chromium.org/chromium/src/chrome/app/chrome_main_delegate.cc?q=Chr... I'll add comments that make this explicit.
	300 const ModuleWatcher::ModuleEvent& event) {

	301 // Simply the send the module load address. The browser can validate this and
	grt (UTC plus 2) 2017/01/06 09:44:58 nix extra " the" nix extra " the" chrisha 2017/01/10 21:01:46 Done. Show quoted text On 2017/01/06 09:44:58, grt (UTC plus 1) wrote: > nix extra " the" Done.
	302 // look up the module details on its own.

	303 (*module_event_sink)

	304 ->OnModuleEvent(event.event_type,

	305 reinterpret_cast<uintptr_t>(event.module_load_address));

	306 }

	307

	308 // Receives notifications from the ModuleWatcher on any thread. Bounces these

	309 // over to the provided \|task_runner\| where they are subsequently dispatched to

	310 // the \|module_database\| interface.

	311 void OnModuleEvent(scoped_refptr<base::SingleThreadTaskRunner> task_runner,

	312 mojom::ModuleEventSinkPtr* module_event_sink,

	313 const ModuleWatcher::ModuleEvent& event) {

	314 // The Mojo interface can only be used from a single thread. Bounce tasks

	315 // over to it.

	316 task_runner->PostTask(FROM_HERE,

	317 base::Bind(&OnModuleEventImpl,
	grt (UTC plus 2) 2017/01/06 09:44:58 nit: OnModuleEventImpl -> HandleModuleEventOnIOThr nit: OnModuleEventImpl -> HandleModuleEventOnIOThread? chrisha 2017/01/10 21:01:46 Done. Show quoted text On 2017/01/06 09:44:58, grt (UTC plus 1) wrote: > nit: OnModuleEventImpl -> HandleModuleEventOnIOThread? Done.
	318 base::Unretained(module_event_sink), event));

	319 }

	320 #endif

	321

297 } // namespace	322 } // namespace

298	323

299 ChromeContentRendererClient::ChromeContentRendererClient()	324 ChromeContentRendererClient::ChromeContentRendererClient()

300 : main_entry_time_(base::TimeTicks::Now()) {	325 : main_entry_time_(base::TimeTicks::Now()) {

301 #if BUILDFLAG(ENABLE_EXTENSIONS)	326 #if BUILDFLAG(ENABLE_EXTENSIONS)

302 extensions::ExtensionsClient::Set(	327 extensions::ExtensionsClient::Set(

303 extensions::ChromeExtensionsClient::GetInstance());	328 extensions::ChromeExtensionsClient::GetInstance());

304 extensions::ExtensionsRendererClient::Set(	329 extensions::ExtensionsRendererClient::Set(

305 ChromeExtensionsRendererClient::GetInstance());	330 ChromeExtensionsRendererClient::GetInstance());

306 #endif	331 #endif

(...skipping 14 matching lines...) Expand all Loading...
321	346

322 void ChromeContentRendererClient::RenderThreadStarted() {	347 void ChromeContentRendererClient::RenderThreadStarted() {

323 RenderThread* thread = RenderThread::Get();	348 RenderThread* thread = RenderThread::Get();

324	349

325 {	350 {

326 startup_metric_utils::mojom::StartupMetricHostPtr startup_metric_host;	351 startup_metric_utils::mojom::StartupMetricHostPtr startup_metric_host;

327 thread->GetRemoteInterfaces()->GetInterface(&startup_metric_host);	352 thread->GetRemoteInterfaces()->GetInterface(&startup_metric_host);

328 startup_metric_host->RecordRendererMainEntryTime(main_entry_time_);	353 startup_metric_host->RecordRendererMainEntryTime(main_entry_time_);

329 }	354 }

330	355

	356 #if defined(OS_WIN)

	357 if (base::FeatureList::IsEnabled(features::kModuleDatabase)) {

	358 thread->GetRemoteInterfaces()->GetInterface(&module_event_sink_);

	359 module_watcher_ = ModuleWatcher::Create(

	360 base::Bind(&OnModuleEvent, thread->GetIOTaskRunner(),

	361 base::Unretained(&module_event_sink_)));

	362 }

	363 #endif

	364

331 chrome_observer_.reset(new ChromeRenderThreadObserver());	365 chrome_observer_.reset(new ChromeRenderThreadObserver());

332 web_cache_impl_.reset(new web_cache::WebCacheImpl());	366 web_cache_impl_.reset(new web_cache::WebCacheImpl());

333	367

334 #if BUILDFLAG(ENABLE_EXTENSIONS)	368 #if BUILDFLAG(ENABLE_EXTENSIONS)

335 ChromeExtensionsRendererClient::GetInstance()->RenderThreadStarted();	369 ChromeExtensionsRendererClient::GetInstance()->RenderThreadStarted();

336 #endif	370 #endif

337	371

338 prescient_networking_dispatcher_.reset(	372 prescient_networking_dispatcher_.reset(

339 new network_hints::PrescientNetworkingDispatcher());	373 new network_hints::PrescientNetworkingDispatcher());

340 #if BUILDFLAG(ENABLE_SPELLCHECK)	374 #if BUILDFLAG(ENABLE_SPELLCHECK)

(...skipping 1125 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1466	1500

1467 url::Replacements<char> r;	1501 url::Replacements<char> r;

1468 r.SetPath(path.c_str(), url::Component(0, path.length()));	1502 r.SetPath(path.c_str(), url::Component(0, path.length()));

1469	1503

1470 if (result == internal::NUM_PLUGIN_ERROR)	1504 if (result == internal::NUM_PLUGIN_ERROR)

1471 result = invalid_url ? internal::SUCCESS_PARAMS_REWRITE : internal::SUCCESS;	1505 result = invalid_url ? internal::SUCCESS_PARAMS_REWRITE : internal::SUCCESS;

1472	1506

1473 RecordYouTubeRewriteUMA(result);	1507 RecordYouTubeRewriteUMA(result);

1474 return corrected_url.ReplaceComponents(r);	1508 return corrected_url.ReplaceComponents(r);

1475 }	1509 }

OLD	NEW

« chrome/browser/conflicts/module_event_sink_impl_win.cc ('K') | « chrome/renderer/chrome_content_renderer_client.h ('k') | no next file » | no next file with comments »