Adds code to isolate use-after-free in Views

ui/views/focus/focus_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "ui/views/focus/focus_manager.h"
 
 #include <algorithm>
 #include <vector>
 
 #include "base/auto_reset.h"
+#include "base/debug/alias.h"
+#include "base/debug/dump_without_crashing.h"
+#include "base/debug/stack_trace.h"
 #include "base/logging.h"
 #include "ui/base/accelerators/accelerator.h"
 #include "ui/base/ime/input_method.h"
 #include "ui/base/ime/text_input_client.h"
 #include "ui/events/event.h"
 #include "ui/events/keycodes/keyboard_codes.h"
 #include "ui/views/focus/focus_manager_delegate.h"
 #include "ui/views/focus/focus_search.h"
 #include "ui/views/focus/view_storage.h"
 #include "ui/views/focus/widget_focus_manager.h"
 #include "ui/views/view.h"
 #include "ui/views/widget/root_view.h"
 #include "ui/views/widget/widget.h"
 #include "ui/views/widget/widget_delegate.h"
 
 namespace views {
+namespace {
+
+#if defined(OS_CHROMEOS)
+// Crash appears to be specific to chromeos, so only log there.
+bool did_log_focused_view = false;

[msw, 2017/03/13 18:22:16]

optional nit: flip to |should_log_focused_view|?

[sky, 2017/03/13 19:04:02]

Done.

+#else
+bool did_log_focused_view = true;
+#endif
+
+}  // namespace
 
 bool FocusManager::arrow_key_traversal_enabled_ = false;
 
 FocusManager::FocusManager(Widget* widget,
                            std::unique_ptr<FocusManagerDelegate> delegate)
     : widget_(widget),
       delegate_(std::move(delegate)),
       stored_focused_view_storage_id_(
           ViewStorage::GetInstance()->CreateStorageID()) {
   DCHECK(widget_);
 }
 
 FocusManager::~FocusManager() {
+  if (focused_view_)
+    focused_view_->RemoveObserver(this);
 }
 
 bool FocusManager::OnKeyEvent(const ui::KeyEvent& event) {
   const int key_code = event.key_code();
 
   if (event.type() != ui::ET_KEY_PRESSED && event.type() != ui::ET_KEY_RELEASED)
     return false;
 
   if (shortcut_handling_suspended())
     return true;
@@ skipping 271 matching lines @@
 #endif
 
   // Update the reason for the focus change (since this is checked by
   // some listeners), then notify all listeners.
   focus_change_reason_ = reason;
   for (FocusChangeListener& observer : focus_change_listeners_)
     observer.OnWillChangeFocus(focused_view_, view);
 
   View* old_focused_view = focused_view_;
   focused_view_ = view;
-  if (old_focused_view)
+  if (old_focused_view) {
+    old_focused_view->RemoveObserver(this);
     old_focused_view->Blur();
+  }
   // Also make |focused_view_| the stored focus view. This way the stored focus
   // view is remembered if focus changes are requested prior to a show or while
   // hidden.
   SetStoredFocusView(focused_view_);
-  if (focused_view_)
+  if (focused_view_) {
+    focused_view_->AddObserver(this);
     focused_view_->Focus();
+    if (!did_log_focused_view) {
+      stack_when_focused_view_set_ =
+          base::MakeUnique<base::debug::StackTrace>();
+    }
+  } else {
+    stack_when_focused_view_set_.reset();
+  }
 
   for (FocusChangeListener& observer : focus_change_listeners_)
     observer.OnDidChangeFocus(old_focused_view, focused_view_);
 }
 
 void FocusManager::ClearFocus() {
   // SetFocusedView(NULL) is going to clear out the stored view to. We need to
   // persist it in this case.
   views::View* focused_view = GetStoredFocusView();
   SetFocusedView(NULL);
@@ skipping 209 matching lines @@
 
 // |keyboard_accessible_| is only used on Mac.
 #if defined(OS_MACOSX)
   return keyboard_accessible_ ? view->IsAccessibilityFocusable()
                               : view->IsFocusable();
 #else
   return view->IsAccessibilityFocusable();
 #endif
 }
 
+void FocusManager::OnViewIsDeleting(View* view) {
+  CHECK_EQ(view, focused_view_);
+
+  // Widget forwards the appropriate calls such that we should never end up
+  // here. None-the-less crashes indicate we are. This logs the stack once when
+  // this happens.
+  // TODO(sky): remove when cause of 687232 is found.
+  if (stack_when_focused_view_set_ && !did_log_focused_view) {
+    did_log_focused_view = true;
+    size_t stack_size = 0u;
+    const void* const* instruction_pointers =
+        stack_when_focused_view_set_->Addresses(&stack_size);

[msw, 2017/03/13 18:22:16]

q: Could you just store stack_when_focused_view_set_->ToString()?

[sky, 2017/03/13 19:04:01]

Indeed. The ToString() representation takes up more space and I believe is less
likely to make it into the mini-dump. The crash folks suggested this approach,
which mirrors that of task_annotator.

+    static constexpr size_t kMaxStackSize = 100;
+    const void* instruction_pointers_copy[kMaxStackSize];
+    // Insert markers bracketing the crash to make it easier to locate.
+    instruction_pointers_copy[0] = reinterpret_cast<const void*>(0x12345678);
+    instruction_pointers_copy[std::min(kMaxStackSize - 1, stack_size + 1)] =
+        reinterpret_cast<const void*>(0x12345678);
+    std::memcpy((instruction_pointers_copy + 1), instruction_pointers,
+                std::min(kMaxStackSize - 2, stack_size) * sizeof(const void*));
+    base::debug::Alias(&stack_size);
+    base::debug::Alias(&instruction_pointers_copy);
+    base::debug::DumpWithoutCrashing();
+    stack_when_focused_view_set_.reset();
+  }
+
+  focused_view_->RemoveObserver(this);
+  focused_view_ = nullptr;

[msw, 2017/03/13 18:22:15]

q: Will nulling out |focused_view_| possibly prevent some of the crashes that
you're hoping to capture?

[sky, 2017/03/13 19:04:02]

Yes, that is intentional, especially since this only logs once.

+}
+
 }  // namespace views