Rewrite most Foo* field_ pointer fields to raw_ptr<Foo> field_ #3239
Comments
The benefits here may require PartitionAlloc, in which case we won't get them when the allocator shim is disabled (see #3061)
This is enabled by default on Mac in M125 but we can't use it until raw_ptr<> is supported by libcef. For background see https://chromium.googlesource.com/chromium/src/+/main/docs/dangling_ptr.md
We can also restore the unretained dangling pointer detector crash-by-default behavior after this issue is resolved. See #3693.
According to this chart, PartitionAlloc-Everywhere (PA-E) (use_partition_alloc_as_malloc) is not available in component builds, meaning that build support for Use-after-Free protection via BackupRefPtr (BRP) (enable_backup_ref_ptr_support) will require non-component builds. The actual requirement appears to be
Generating a Release build on Windows (M125) with
Some problems trying to build the rewrite tool on Windows: https://issues.chromium.org/issues/327699485#comment4
Building the rewrite tool works on Ubuntu 22. The "Make sure out/rewrite/gen/…../some-generated-header.h files are built" step fails due to too many arguments. Using this version instead to build 1000 targets at a time (executes ~20k steps vs ~65k for a full build):
Also need to generate the CEF headers:
The clang scripts ignore directories that are not part of the main Chromium src repository by default, so we need to modify them a bit to work with the cef directory (apply clang_scripts.patch). We can then run with the following extract of rewrite.sh:
Result:
This is a very useful feature that we'll enable by default in non-Official builds where BackupRefPtr is supported. From the commit, the runtime penalty for this is <10%.
Compatible configurations include:
- Non-component builds.
- Debug builds on Mac/Linux.
- Release builds on Windows (b/c Debug builds require component builds).
- ASAN builds (which are also Release builds).
See related logic in //build_overrides/partition_alloc.gni
- Use raw_ptr in class container fields.
- Use defined lifespan for StreamReaderURLLoader.
- Fix lifespan assumptions for WebContents/RFH usage.
OnBeforeClose notification is delivered via TabModel destruction in TabStripModel::SendDetachWebContentsNotifications. We need to let that call stack unwind before triggering TabStripModel destruction via closure of the native host window.
Found using a CEF build with clang_use_chrome_plugins=true and treat_warnings_as_errors=false. This change rewrites remaining raw pointers reported by chromium-rawptr checker and fixes a build error reported by StackAllocatedChecker.
Original report by me.
Chromium has introduced a new raw_ptr<> type that potentially offers protection against use-after-free bugs. We should look at using this type in CEF (libcef/ code) as well. For more information, see MiraclePtr One Pager [1], the PSA at chromium-dev@ [2], and the raw_ptr documentation at //base/memory/raw_ptr.md.
There is a script for automatically performing the conversion here and related Chromium changes in issue #1073933.
[1] https://docs.google.com/document/d/1pnnOAIz_DMWDI4oIOFoMAqLnf_MZ2GsrJNb_dbQ3ZBg/edit?usp=sharing
[2] https://groups.google.com/a/chromium.org/g/chromium-dev/c/vAEeVifyf78/m/SkBUc6PhBAAJ
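To make the protection concrete, here is an added C++ model of the BackupRefPtr idea behind raw_ptr<>: each allocation carries a count of raw_ptr<> references, and freeing an object that is still referenced poisons and quarantines it instead of returning the memory for reuse, so a dangling `raw_ptr<Foo> field_` can never observe live data from a new object. This is an illustrative model written for this page, not Chromium's base::raw_ptr or PartitionAlloc and not code from the issue; the names Slot, g_slots, BrpAlloc/BrpFree/BrpRelease, kPoison and the dangling() hook are hypothetical, and the poison byte is a constructed value.

```cpp
#include <cassert>
#include <cstring>
#include <map>
#include <new>

// Toy BackupRefPtr model: per-allocation metadata tracks how many raw_ptr<>
// refer to the allocation and whether it has been freed. Freed-but-referenced
// allocations stay quarantined (poisoned, never reused) until the last ref drops.
struct Slot { unsigned refs; bool freed; };
static std::map<void*, Slot> g_slots;            // hypothetical per-slot metadata
static constexpr unsigned char kPoison = 0xEF;   // constructed poison byte
static void* BrpAlloc(std::size_t n) { void* p = ::operator new(n); g_slots[p] = {0, false}; return p; }
static void BrpRelease(void* p) { g_slots.erase(p); ::operator delete(p); }
static void BrpFree(void* p, std::size_t n) {    // free() as seen by the owner
  Slot& s = g_slots.at(p);
  s.freed = true;
  std::memset(p, kPoison, n);                    // poison the dead object
  if (s.refs == 0) BrpRelease(p);                // unreferenced: release; else quarantine
}

template <typename T> class raw_ptr {            // models a raw_ptr<T> field_
 public:
  raw_ptr() = default;
  raw_ptr(T* p) : p_(p) { Acquire(); }
  raw_ptr(const raw_ptr& o) : p_(o.p_) { Acquire(); }
  ~raw_ptr() { Drop(); }
  raw_ptr& operator=(T* p) { if (p != p_) { Drop(); p_ = p; Acquire(); } return *this; }
  raw_ptr& operator=(const raw_ptr& o) { if (&o != this) *this = o.p_; return *this; }
  T* get() const { return p_; }
  bool dangling() const { return p_ && g_slots.at(p_).freed; }  // detector hook
 private:
  void Acquire() { if (p_) ++g_slots.at(p_).refs; }
  void Drop() {                                  // last ref to a freed slot releases it
    if (p_ && --g_slots.at(p_).refs == 0 && g_slots.at(p_).freed) BrpRelease(p_);
    p_ = nullptr;
  }
  T* p_ = nullptr;
};
struct Foo { int value; };
// The owner frees Foo while another object's raw_ptr<Foo> field_ still points at
// it. Returns the first byte read through the dangling field: the poison value.
static unsigned char DanglingRead() {
  Foo* owned = new (BrpAlloc(sizeof(Foo))) Foo{0x11111111};
  struct Holder { raw_ptr<Foo> field_; } holder;
  holder.field_ = owned;
  BrpFree(owned, sizeof(Foo));                   // refs == 1, so quarantined
  assert(holder.field_.dangling());
  return *reinterpret_cast<unsigned char*>(holder.field_.get());
}
```

When holder goes out of scope its raw_ptr drops the last reference and the quarantined slot is finally released, which is the cost (memory held longer) that the comments above weigh against the <10% runtime penalty.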