Fixes possible use after free in SessionService

Fixes possible use after free in SessionService

SessionService::GetLastSession used a base::Unretained but there was
no guarantee that the SessionService would be valid by the time the
callback was processed.

BUG=399655
TEST=covered by test now
R=marja@chromium.org

Committed: https://crrev.com/1a14f497bd17d41d0e0ffceb1fb23dea507b8eae
Cr-Commit-Position: refs/heads/master@{#291985}

[marja, 2014-08-26 14:48:09]

lgtm

A question (to understand this better): a base::Unretained is just a raw
pointer, whereas WeakPtr notices when the referenced object is destroyed and
becomes NULL. So we get a WeakPtr, bind it to OnGetSessions and post that
task... so which part notices that the pointer is now NULL and returns without
calling the function?

https://codereview.chromium.org/500143002/diff/20001/chrome/browser/sessions/...
File chrome/browser/sessions/base_session_service.h (right):

https://codereview.chromium.org/500143002/diff/20001/chrome/browser/sessions/...
chrome/browser/sessions/base_session_service.h:167: friend class
SessionServiceTestHelper;
Afaics this is not needed.

[sky, 2014-08-26 17:07:33]

On 2014/08/26 14:48:09, marja wrote:
> lgtm
> 
> A question (to understand this better): a base::Unretained is just a raw
> pointer, whereas WeakPtr notices when the referenced object is destroyed and
> becomes NULL. So we get a WeakPtr, bind it to OnGetSessions and post that
> task... so which part notices that the pointer is now NULL and returns without
> calling the function?

Search in base/bind_internal.h for weak_ptr. It only invoked the function if
weak_ptr.get() returns true. I'm pretty sure that is the code that gets run when
weakptrs are used with bind, but I would have to step through to be sure (all
the macros and templates may the code tricky to follow).

> 
>
https://codereview.chromium.org/500143002/diff/20001/chrome/browser/sessions/...
> File chrome/browser/sessions/base_session_service.h (right):
> 
>
https://codereview.chromium.org/500143002/diff/20001/chrome/browser/sessions/...
> chrome/browser/sessions/base_session_service.h:167: friend class
> SessionServiceTestHelper;
> Afaics this is not needed.

You're right. SessionService already friends it. Updated.

[sky, 2014-08-26 17:07:43]

The CQ bit was checked by sky@chromium.org

[commit-bot: I haz the power, 2014-08-26 17:08:35]

CQ is trying da patch. Follow status at
 https://chromium-status.appspot.com/cq/sky@chromium.org/500143002/40001

[commit-bot: I haz the power, 2014-08-26 18:12:08]

FYI, CQ is re-trying this CL (attempt #1).
The failing builders are:
  win_chromium_rel_swarming on tryserver.chromium.win
(http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_...)

[commit-bot: I haz the power, 2014-08-26 19:48:21]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2014-08-26 19:48:22]

Try jobs failed on following builders:
  win_chromium_rel_swarming on tryserver.chromium.win
(http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_rel_...)

[sky, 2014-08-26 20:14:54]

The CQ bit was checked by sky@chromium.org

[commit-bot: I haz the power, 2014-08-26 20:16:10]

CQ is trying da patch. Follow status at
 https://chromium-status.appspot.com/cq/sky@chromium.org/500143002/40001

[commit-bot: I haz the power, 2014-08-26 21:44:33]

Committed patchset #3 (40001) as 10f17cea8bec78945740c83c85e6dd3002326d74

[marja, 2014-08-27 07:11:21]

On 2014/08/26 17:07:33, sky wrote:
> Search in base/bind_internal.h for weak_ptr. It only invoked the function if
> weak_ptr.get() returns true. I'm pretty sure that is the code that gets run
when
> weakptrs are used with bind, but I would have to step through to be sure (all
> the macros and templates may the code tricky to follow).

Ah, I see. Thanks!

[commit-bot: I haz the power, 2014-09-10 02:45:43]

Patchset 3 (id:??) landed as
https://crrev.com/1a14f497bd17d41d0e0ffceb1fb23dea507b8eae
Cr-Commit-Position: refs/heads/master@{#291985}