Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(218)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 2636293002: Fix MenuController Heap-use-after-free (Closed)

Created:
3 years, 11 months ago by jonross
Modified:
3 years, 11 months ago
Reviewers:
sky
CC:
chromium-reviews, tfarina
Target Ref:
refs/pending/heads/master
Project:
chromium
Visibility:
Public.

Description

Fix MenuController Heap-use-after-free MenuController applies a ref to ViewsDelegate, in order to prevent Chrome from shutting down while a menu is open. This ref is released as the menu is closing. However it is possible for the release of the ref to lead to Chrome shutting down immediately. During this MenuController is deleted. However it was possible that MenuController would access the heap as the stack collapsed. This change updates the menu closing process to detect the deletion and to shutdown cleanly. TEST=MenuControllerTest.DestroyedDuringViewsRelease BUG=681462 Review-Url: https://codereview.chromium.org/2636293002 Cr-Commit-Position: refs/heads/master@{#444203} Committed: https://chromium.googlesource.com/chromium/src/+/faaee985121bc612a5a79b03215a490f7f65d0eb

Patch Set 1 #

Total comments: 2

Patch Set 2 : Typo in comments #

Unified diffs Side-by-side diffs Delta from patch set Stats (+66 lines, -0 lines) Patch
M ui/views/controls/menu/menu_controller.cc View 1 2 chunks +7 lines, -0 lines 0 comments Download
M ui/views/controls/menu/menu_controller_unittest.cc View 6 chunks +59 lines, -0 lines 0 comments Download

Messages

Total messages: 11 (5 generated)
jonross
Hey sky@, Could you review this change? Thanks, Jon
3 years, 11 months ago (2017-01-17 22:40:19 UTC) #2
sky
Tricky. LGTM https://codereview.chromium.org/2636293002/diff/1/ui/views/controls/menu/menu_controller.cc File ui/views/controls/menu/menu_controller.cc (right): https://codereview.chromium.org/2636293002/diff/1/ui/views/controls/menu/menu_controller.cc#newcode2595 ui/views/controls/menu/menu_controller.cc:2595: // Releaseing the lock can result in ...
3 years, 11 months ago (2017-01-17 23:24:17 UTC) #3
jonross
https://codereview.chromium.org/2636293002/diff/1/ui/views/controls/menu/menu_controller.cc File ui/views/controls/menu/menu_controller.cc (right): https://codereview.chromium.org/2636293002/diff/1/ui/views/controls/menu/menu_controller.cc#newcode2595 ui/views/controls/menu/menu_controller.cc:2595: // Releaseing the lock can result in Chrome shutting ...
3 years, 11 months ago (2017-01-17 23:29:28 UTC) #4
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2636293002/20001
3 years, 11 months ago (2017-01-17 23:30:21 UTC) #7
commit-bot: I haz the power
Committed patchset #2 (id:20001) as https://chromium.googlesource.com/chromium/src/+/faaee985121bc612a5a79b03215a490f7f65d0eb
3 years, 11 months ago (2017-01-18 00:31:12 UTC) #10
meade_UTC10
3 years, 11 months ago (2017-01-18 05:18:15 UTC) #11
Message was sent while issue was closed. 
A revert of this CL (patchset #2 id:20001) has been created in
https://codereview.chromium.org/2638293002/ by meade@chromium.org.

The reason for reverting is: Caused a memory leak in
BookmarkBarViewTest7.DNDToDifferentMenu and
BookmarkBarViewTest8.DNDBackToOriginatingMenu

See crbug.com/682109

Build link:
https://build.chromium.org/p/chromium.memory/builders/Linux%20Chromium%20OS%2....

Powered by Google App Engine
This is Rietveld 408576698