Adds code to isolate use-after-free in Views

ui/views/focus/focus_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "ui/views/focus/focus_manager.h"
 
 #include <algorithm>
+#include <cstring>
 #include <vector>
 
 #include "base/auto_reset.h"
+#include "base/debug/alias.h"
+#include "base/debug/dump_without_crashing.h"
+#include "base/debug/stack_trace.h"
 #include "base/logging.h"
 #include "ui/base/accelerators/accelerator.h"
 #include "ui/base/ime/input_method.h"
 #include "ui/base/ime/text_input_client.h"
 #include "ui/events/event.h"
 #include "ui/events/keycodes/keyboard_codes.h"
 #include "ui/views/focus/focus_manager_delegate.h"
 #include "ui/views/focus/focus_search.h"
 #include "ui/views/focus/view_storage.h"
 #include "ui/views/focus/widget_focus_manager.h"
 #include "ui/views/view.h"
 #include "ui/views/widget/root_view.h"
 #include "ui/views/widget/widget.h"
 #include "ui/views/widget/widget_delegate.h"
 
 namespace views {
+namespace {
+
+#if defined(OS_CHROMEOS)
+// Crash appears to be specific to chromeos, so only log there.
+bool should_log_focused_view = true;
+#else
+bool should_log_focused_view = false;
+#endif
+
+}  // namespace
 
 bool FocusManager::arrow_key_traversal_enabled_ = false;
 
 FocusManager::FocusManager(Widget* widget,
                            std::unique_ptr<FocusManagerDelegate> delegate)
     : widget_(widget),
       delegate_(std::move(delegate)),
       stored_focused_view_storage_id_(
           ViewStorage::GetInstance()->CreateStorageID()) {
   DCHECK(widget_);
 }
 
 FocusManager::~FocusManager() {
+  if (focused_view_)
+    focused_view_->RemoveObserver(this);
 }
 
 bool FocusManager::OnKeyEvent(const ui::KeyEvent& event) {
   const int key_code = event.key_code();
 
   if (event.type() != ui::ET_KEY_PRESSED && event.type() != ui::ET_KEY_RELEASED)
     return false;
 
   if (shortcut_handling_suspended())
     return true;
@@ skipping 271 matching lines @@
 #endif
 
   // Update the reason for the focus change (since this is checked by
   // some listeners), then notify all listeners.
   focus_change_reason_ = reason;
   for (FocusChangeListener& observer : focus_change_listeners_)
     observer.OnWillChangeFocus(focused_view_, view);
 
   View* old_focused_view = focused_view_;
   focused_view_ = view;
-  if (old_focused_view)
+  if (old_focused_view) {
+    old_focused_view->RemoveObserver(this);
     old_focused_view->Blur();
+  }
   // Also make |focused_view_| the stored focus view. This way the stored focus
   // view is remembered if focus changes are requested prior to a show or while
   // hidden.
   SetStoredFocusView(focused_view_);
-  if (focused_view_)
+  if (focused_view_) {
+    focused_view_->AddObserver(this);
     focused_view_->Focus();
+    if (should_log_focused_view) {
+      stack_when_focused_view_set_ =
+          base::MakeUnique<base::debug::StackTrace>();
+    }
+  } else {
+    stack_when_focused_view_set_.reset();
+  }
 
   for (FocusChangeListener& observer : focus_change_listeners_)
     observer.OnDidChangeFocus(old_focused_view, focused_view_);
 }
 
 void FocusManager::ClearFocus() {
   // SetFocusedView(NULL) is going to clear out the stored view to. We need to
   // persist it in this case.
   views::View* focused_view = GetStoredFocusView();
   SetFocusedView(NULL);
@@ skipping 209 matching lines @@
 
 // |keyboard_accessible_| is only used on Mac.
 #if defined(OS_MACOSX)
   return keyboard_accessible_ ? view->IsAccessibilityFocusable()
                               : view->IsFocusable();
 #else
   return view->IsAccessibilityFocusable();
 #endif
 }
 
+void FocusManager::OnViewIsDeleting(View* view) {
+  CHECK_EQ(view, focused_view_);
+
+  // Widget forwards the appropriate calls such that we should never end up
+  // here. None-the-less crashes indicate we are. This logs the stack once when
+  // this happens.
+  // TODO(sky): remove when cause of 687232 is found.
+  if (stack_when_focused_view_set_ && should_log_focused_view) {
+    should_log_focused_view = false;
+    size_t stack_size = 0u;
+    const void* const* instruction_pointers =
+        stack_when_focused_view_set_->Addresses(&stack_size);
+    static constexpr size_t kMaxStackSize = 100;
+    const void* instruction_pointers_copy[kMaxStackSize];
+    // Insert markers bracketing the crash to make it easier to locate.
+    memset(&instruction_pointers_copy[0], 0xAB,
+           sizeof(instruction_pointers_copy[0]));
+    const size_t last_marker_index =
+        std::min(kMaxStackSize - 1, stack_size + 1);
+    memset(&instruction_pointers_copy[last_marker_index], 0xAB,
+           sizeof(instruction_pointers_copy[last_marker_index]));
+    std::memcpy(&instruction_pointers_copy[1], instruction_pointers,
+                std::min(kMaxStackSize - 2, stack_size) * sizeof(const void*));
+    base::debug::Alias(&stack_size);
+    base::debug::Alias(&instruction_pointers_copy);
+    base::debug::DumpWithoutCrashing();
+    stack_when_focused_view_set_.reset();
+  }
+
+  focused_view_->RemoveObserver(this);
+  focused_view_ = nullptr;
+}
+
 }  // namespace views