Fix a use after free crasher in the ReadAsync task initiated on Windows by the FileStream::Context:…

net/base/file_stream_context.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This file defines FileStream::Context class.
 // The general design of FileStream is as follows: file_stream.h defines
 // FileStream class which basically is just an "wrapper" not containing any
 // specific implementation details. It re-routes all its method calls to
 // the instance of FileStream::Context (FileStream holds a scoped_ptr to
 // FileStream::Context instance). Context was extracted into a different class
@@ skipping 143 matching lines @@
   void OnFileOpened();
 
 #if defined(OS_WIN)
   void IOCompletionIsPending(const CompletionCallback& callback, IOBuffer* buf);
 
   // Implementation of MessageLoopForIO::IOHandler.
   virtual void OnIOCompleted(base::MessageLoopForIO::IOContext* context,
                              DWORD bytes_read,
                              DWORD error) override;
 
+  // Invokes the user callback.
+  void InvokeUserCallback();
+
   // The ReadFile call on Windows can execute synchonously at times.
   // http://support.microsoft.com/kb/156932. This ends up blocking the calling
   // thread which is undesirable. To avoid this we execute the ReadFile call
   // on a worker thread.
-  // The |context| parameter is a weak pointer instance passed to the worker
-  // pool.
+  // The |context| parameter is a pointer to the current Context instance. It
+  // is safe to pass this as is to the pool as the Context instance should
+  // remain valid until the pending Read operation completes.
   // The |file| parameter is the handle to the file being read.
   // The |buf| parameter is the buffer where we want the ReadFile to read the
   // data into.
   // The |buf_len| parameter contains the number of bytes to be read.
   // The |overlapped| parameter is a pointer to the OVERLAPPED structure being
   // used.
   // The |origin_thread_loop| is a MessageLoopProxy instance used to post tasks
   // back to the originating thread.
   static void ReadAsync(
-      const base::WeakPtr<FileStream::Context>& context,
+      FileStream::Context* context,
       HANDLE file,
       scoped_refptr<net::IOBuffer> buf,
       int buf_len,
       OVERLAPPED* overlapped,
       scoped_refptr<base::MessageLoopProxy> origin_thread_loop);
 
   // This callback executes on the main calling thread. It informs the caller
   // about the result of the ReadFile call.
+  // The |bytes_read| contains the number of bytes read from the file, if
+  // ReadFile succeeds.
   // The |os_error| parameter contains the value of the last error returned by
   // the ReadFile API.
-  void ReadAsyncResult(DWORD os_error);
+  void ReadAsyncResult(DWORD bytes_read, DWORD os_error);
 
 #elif defined(OS_POSIX)
   // ReadFileImpl() is a simple wrapper around read() that handles EINTR
   // signals and calls RecordAndMapError() to map errno to net error codes.
   IOResult ReadFileImpl(scoped_refptr<IOBuffer> buf, int buf_len);
 
   // WriteFileImpl() is a simple wrapper around write() that handles EINTR
   // signals and calls MapSystemError() to map errno to net error codes.
   // It tries to write to completion.
   IOResult WriteFileImpl(scoped_refptr<IOBuffer> buf, int buf_len);
 #endif
 
   base::File file_;
   bool async_in_progress_;
   bool orphaned_;
   scoped_refptr<base::TaskRunner> task_runner_;
 
 #if defined(OS_WIN)
   base::MessageLoopForIO::IOContext io_context_;
   CompletionCallback callback_;
   scoped_refptr<IOBuffer> in_flight_buf_;
-  // WeakPtrFactory for posting tasks back to |this|.
-  base::WeakPtrFactory<Context> weak_ptr_factory_;
+  // This flag is set to true when we receive a Read request which is queued to
+  // the thread pool.
+  bool async_read_initiated_;
+  // This flag is set to true when we receive a notification ReadAsyncResult()
+  // on the calling thread which indicates that the asynchronous Read
+  // operation is complete.
+  bool async_read_completed_;
+  // This flag is set to true when we receive an IO completion notification for
+  // an asynchonously initiated Read operaton. OnIOComplete().
+  bool io_complete_for_read_received_;
+  // Tracks the result of the IO completion operation. Set in OnIOComplete.
+  int result_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(Context);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_FILE_STREAM_CONTEXT_H_