Fix sort order of unlaunched apps on app list start page.
[chromium-blink-merge.git] / base / files / protect_file_posix.cc
blobe4753c4019f2e40e466c9b66ca09f4b1aa8fe282
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/containers/hash_tables.h"
6 #include "base/files/file.h"
7 #include "base/lazy_instance.h"
8 #include "base/logging.h"
9 #include "base/posix/eintr_wrapper.h"
10 #include "base/synchronization/lock.h"
12 // These hooks provided for base::File perform additional sanity checks when
13 // files are closed. These extra checks are hard to understand and maintain,
14 // hence they are temporary. TODO(pasko): Remove these extra checks as soon as
15 // crbug.com/424562 is fixed.
17 // Background:
18 // 1. The browser process crashes if a call to close() provided by the C
19 // library (i.e. close(3)) fails. This is done for security purposes. See
20 // base/files/scoped_file.cc. When a crash like this happens, there is not
21 // enough context in the minidump to triage the problem.
22 // 2. base::File provides a good abstraction to prevent closing incorrect
23 // file descriptors or double-closing. Closing non-owned file descriptors
24 // would more likely happen from outside base::File and base::ScopedFD.
26 // These hooks intercept base::File operations to 'protect' file handles /
27 // descriptors from accidental close(3) by other portions of the code being
28 // linked into the browser. Also, this file provides an interceptor for the
29 // close(3) itself, and requires to be linked with cooperation of
30 // --Wl,--wrap=close (i.e. linker wrapping).
32 // Wrapping close(3) on all libraries can lead to confusion, particularly for
33 // the libraries that do not use ::base (I am also looking at you,
34 // crazy_linker). Instead two hooks are added to base::File, which are
35 // implemented as no-op by default. This file should be linked into the Chrome
36 // native binary(-ies) for a whitelist of targets where "file descriptor
37 // protection" is useful.
39 // With compilers other than GCC/Clang the wrapper is trivial. This is to avoid
40 // overexercising mechanisms for overriding weak symbols.
41 #if !defined(COMPILER_GCC)
42 extern "C" {
44 int __real_close(int fd);
46 BASE_EXPORT int __wrap_close(int fd) {
47 return __real_close(fd);
50 } // extern "C"
52 #else // defined(COMPILER_GCC)
54 namespace {
56 // Protects the |g_protected_fd_set|.
57 base::LazyInstance<base::Lock>::Leaky g_lock = LAZY_INSTANCE_INITIALIZER;
59 // Holds the set of all 'protected' file descriptors.
60 base::LazyInstance<base::hash_set<int> >::Leaky g_protected_fd_set =
61 LAZY_INSTANCE_INITIALIZER;
63 bool IsFileDescriptorProtected(int fd) {
64 base::AutoLock lock(*g_lock.Pointer());
65 return g_protected_fd_set.Get().count(fd) != 0;
68 } // namespace
70 namespace base {
72 BASE_EXPORT void ProtectFileDescriptor(int fd) {
73 base::AutoLock lock(g_lock.Get());
74 CHECK(!g_protected_fd_set.Get().count(fd)) << "fd: " << fd;
75 g_protected_fd_set.Get().insert(fd);
78 BASE_EXPORT void UnprotectFileDescriptor(int fd) {
79 base::AutoLock lock(*g_lock.Pointer());
80 CHECK(g_protected_fd_set.Get().erase(fd)) << "fd: " << fd;
83 } // namespace base
85 extern "C" {
87 int __real_close(int fd);
89 BASE_EXPORT int __wrap_close(int fd) {
90 // The crash happens here if a protected file descriptor was attempted to be
91 // closed without first being unprotected. Unprotection happens only in
92 // base::File. In other words this is an "early crash" as compared to the one
93 // happening in scoped_file.cc.
95 // Getting an earlier crash provides a more useful stack trace (minidump)
96 // allowing to debug deeper into the thread that freed the wrong resource.
97 CHECK(!IsFileDescriptorProtected(fd)) << "fd: " << fd;
99 // Crash by the same reason as in scoped_file.cc.
100 PCHECK(0 == IGNORE_EINTR(__real_close(fd)));
101 return 0;
104 } // extern "C"
106 #endif // defined(COMPILER_GCC)