[test] Fix UAF in cctest/test-memory-measurement/RandomizedTimeout

The test creates a mock platform. The bug was that the lifetime of the mock platform was shoter than the lifetime of the isolate. Even though the mock platform restores the old platfrom, a background thread may still have a pointer to the mock platform leading to UAF. Bug: v8:10690 Tbr: dinfuehr@chromium.rg Change-Id: Ic14bf408e5e3e9e7d07e01af545bb88c21462300 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2290850Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#68777}

[test] Fix UAF in cctest/test-memory-measurement/RandomizedTimeout
The test creates a mock platform. The bug was that the lifetime of the mock platform was shoter than the lifetime of the isolate. Even though the mock platform restores the old platfrom, a background thread may still have a pointer to the mock platform leading to UAF. Bug: v8:10690 Tbr: dinfuehr@chromium.rg Change-Id: Ic14bf408e5e3e9e7d07e01af545bb88c21462300 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2290850Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#68777}
9ff7156f · Ulan Degenbaev · Commit Bot · d4078c64 · 9ff7156f
Commit 9ff7156f authored Jul 09, 2020 by Ulan Degenbaev Committed by Commit Bot Jul 10, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 9 deletions

test-memory-measurement.cc test/cctest/heap/test-memory-measurement.cc +13 -9

No files found.
--- a/test/cctest/heap/test-memory-measurement.cc
+++ b/test/cctest/heap/test-memory-measurement.cc
@@ -134,15 +134,11 @@ namespace {
 class MockPlatform : public TestPlatform {
 public:
-  MockPlatform()
+  MockPlatform() : TestPlatform(), mock_task_runner_(new MockTaskRunner()) {
-      : old_platform_(i::V8::GetCurrentPlatform()),
-        mock_task_runner_(new MockTaskRunner()) {
    // Now that it's completely constructed, make this the current platform.
    i::V8::SetPlatformForTesting(this);
  }
-  ~MockPlatform() override { i::V8::SetPlatformForTesting(old_platform_); }
  std::shared_ptr<v8::TaskRunner> GetForegroundTaskRunner(
      v8::Isolate*) override {
    return mock_task_runner_;
@@ -169,6 +165,10 @@ class MockPlatform : public TestPlatform {
      UNREACHABLE();
    }
+    bool NonNestableTasksEnabled() const override { return true; }
+    bool NonNestableDelayedTasksEnabled() const override { return true; }
    bool IdleTasksEnabled() override { return false; }
    double Delay() { return delay_; }
@@ -184,7 +184,6 @@ class MockPlatform : public TestPlatform {
    double delay_ = -1;
    std::unique_ptr<Task> task_;
  };
-  v8::Platform* old_platform_;
  std::shared_ptr<MockTaskRunner> mock_task_runner_;
 };
@@ -203,16 +202,21 @@ class MockMeasureMemoryDelegate : public v8::MeasureMemoryDelegate {
 }  // namespace
 TEST(RandomizedTimeout) {
-  CcTest::InitializeVM();
  MockPlatform platform;
+  v8::Isolate::CreateParams create_params;
+  create_params.array_buffer_allocator = CcTest::array_buffer_allocator();
+  // We have to create the isolate manually here. Using CcTest::isolate() would
+  // lead to the situation when the isolate outlives MockPlatform which may lead
+  // to UAF on the background thread.
+  v8::Isolate* isolate = v8::Isolate::New(create_params);
  std::vector<double> delays;
  for (int i = 0; i < 10; i++) {
-    CcTest::isolate()->MeasureMemory(
+    isolate->MeasureMemory(std::make_unique<MockMeasureMemoryDelegate>());
-        std::make_unique<MockMeasureMemoryDelegate>());
    delays.push_back(platform.Delay());
    platform.PerformTask();
  }
  std::sort(delays.begin(), delays.end());
+  isolate->Dispose();
  CHECK_LT(delays[0], delays.back());
 }