Reland: Mojo EDK: Improve internal process handle ownership

Reland of r555117 with process handle leak fixed. Original commit
message follows.

Mojo passes around base::ProcessHandle values for various reasons. On
most systems this is fine, but at least on Windows, a ProcessHandle
refers to an owned reference to a system process object, and if not
careful it's possible for a base::ProcessHandle value to inadvertently
change meaning over time.

This CL introduces the concept of a move-only ScopedProcessHandle
within Mojo, which on most platforms is just a base::PlatformHandle.
On Windows, this represents an owned base::ProcessHandle which closes
on destruction and clones correctly using DuplicateHandle rather than
merely copying the raw handle value.

ScopedProcessHandle is used in a few places where process handle
ownership semantics were previously weaker than necessary, or were
correct but implemented ad hoc.

This also updates ScopedPlatformHandle (and supporting code like
Channel::RewriteHandles) such that the |owning_process| field (if not
the current process) is always an owned process handle. This ensures
that when such handles are closed in unsent messages, they can be
safely closed in the target process (from within the source process)
without any risk of raciness against target process termination.

TBR=jcivelli@chromium.org

Bug: 837612
Change-Id: I28aaa04ca09f483e7e6f073db2edb762893a8b17
Reviewed-on: https://chromium-review.googlesource.com/1065129
Commit-Queue: Ken Rockot <rockot@chromium.org>
Reviewed-by: Ken Rockot <rockot@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559777}

CrOS-Libchrome-Original-Commit: a9ba958ea40196b4de231fc1dffd8c6bacdb83ac
10 files changed
tree: 46548b57228c3173f23dcaf18d6b7c3bf2608e7c
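The ownership model the commit message describes, as an added sketch that is not Chromium's or Mojo's own code: a move-only wrapper that closes the handle on destruction and clones with DuplicateHandle on Windows. The name OwnedProcessHandle and its methods are hypothetical, and the non-Windows branch assumes a process handle there is a plain pid value that needs no closing.

```cpp
#include <utility>
#ifdef _WIN32
#include <windows.h>
using RawProcessHandle = HANDLE;
static const RawProcessHandle kNullProcess = nullptr;
#else
#include <sys/types.h>
#include <unistd.h>
using RawProcessHandle = pid_t;  // assumption: a pid is a plain value here
static const RawProcessHandle kNullProcess = 0;
#endif

// Hypothetical illustration only; not Mojo's ScopedProcessHandle.
class OwnedProcessHandle {
 public:
  OwnedProcessHandle() = default;
  // Takes ownership of |h|; the caller must not close it afterwards.
  explicit OwnedProcessHandle(RawProcessHandle h) : handle_(h) {}
  OwnedProcessHandle(OwnedProcessHandle&& o) noexcept : handle_(o.release()) {}
  OwnedProcessHandle& operator=(OwnedProcessHandle&& o) noexcept {
    if (this != &o) { reset(); handle_ = o.release(); }
    return *this;
  }
  // Copying is deleted: a copied raw value would share one kernel reference.
  OwnedProcessHandle(const OwnedProcessHandle&) = delete;
  OwnedProcessHandle& operator=(const OwnedProcessHandle&) = delete;
  ~OwnedProcessHandle() { reset(); }

  bool is_valid() const { return handle_ != kNullProcess; }
  RawProcessHandle get() const { return handle_; }
  RawProcessHandle release() { return std::exchange(handle_, kNullProcess); }
  void reset() {
#ifdef _WIN32
    if (is_valid()) ::CloseHandle(handle_);  // drop our reference
#endif
    handle_ = kNullProcess;
  }
  // Returns an independently owned reference to the same process.
  OwnedProcessHandle Clone() const {
    if (!is_valid()) return OwnedProcessHandle();
#ifdef _WIN32
    HANDLE dup = nullptr;
    if (!::DuplicateHandle(::GetCurrentProcess(), handle_, ::GetCurrentProcess(),
                           &dup, 0, FALSE, DUPLICATE_SAME_ACCESS))
      return OwnedProcessHandle();  // duplication failed: hand back nothing
    return OwnedProcessHandle(dup);
#else
    return OwnedProcessHandle(handle_);
#endif
  }
 private:
  RawProcessHandle handle_ = kNullProcess;
};
```

Because each clone holds its own reference on Windows, closing one wrapper cannot invalidate another, and a raw handle value cannot be recycled for a different object while any wrapper still owns it.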