path: root/ipc/ipc_channel_proxy.h
author: dmichael@chromium.org <dmichael@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-03-20 21:00:50 +0000
committer: dmichael@chromium.org <dmichael@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-03-20 21:00:50 +0000
commit: 7e3d75264e9fc8577743a0b3c26ffe4d5e95697c
tree: 15a2b4ce75ca1b7f52dacefa68ac267c0eaf404e /ipc/ipc_channel_proxy.h
parent: 26b3abb1724fa02e4464cf3d23f0e20ee3b18efc
Eliminate a potential race in IPC::ChannelProxy
Doing the following steps with ChannelProxy leads to a data race:
1) Create the ChannelProxy, but don't initialize it.
2) Add a filter.
3) Init the ChannelProxy.

The problem is, AddFilter() posts a task from the Listener thread to the IPC task runner to do OnAddFilter. Prior to this patch, OnAddFilter will try to read channel_ even though channel_ may not have been initialized, and it's accessed without any synchronization.

This patch only really adds the filter if peer_pid_ has been set on the IPC::Channel thread; otherwise, it waits until the connection has been established to really add filters.

See the bug for more detail.

BUG=244383

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=256188

Review URL: https://codereview.chromium.org/183553004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@258406 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'ipc/ipc_channel_proxy.h')
-rw-r--r-- ipc/ipc_channel_proxy.h 4
1 files changed, 4 insertions, 0 deletions
diff --git a/ipc/ipc_channel_proxy.h b/ipc/ipc_channel_proxy.h
index dca8c97..b0247c4 100644
--- a/ipc/ipc_channel_proxy.h
+++ b/ipc/ipc_channel_proxy.h
@@ -233,6 +233,10 @@ class IPC_EXPORT ChannelProxy : public Sender, public base::NonThreadSafe {
// List of filters. This is only accessed on the IPC thread.
std::vector<scoped_refptr<MessageFilter> > filters_;
scoped_refptr<base::SingleThreadTaskRunner> ipc_task_runner_;
+
+ // Note, channel_ may be set on the Listener thread or the IPC thread.
+ // But once it has been set, it must only be read or cleared on the IPC
+ // thread.
scoped_ptr<Channel> channel_;
std::string channel_id_;
bool channel_connected_called_;
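Review bot: The new comment on channel_ states the threading rule but not what makes it safe: it says channel_ "may be set on the Listener thread or the IPC thread" without naming the condition that orders a Listener-thread write before the first IPC-thread read. The commit message explains that filters are only really added once peer_pid_ has been set on the IPC::Channel thread; that condition, or a pointer to where it is checked, belongs in this comment so the invariant can be verified from the header alone. The rule is also documentation only as far as this hunk shows: the base::NonThreadSafe base in the class declaration covers a single thread and cannot express a "set on either thread, read or cleared on one" contract, so consider a DCHECK against ipc_task_runner_ at the places where channel_ is read or cleared, so a regression fails in debug builds instead of reintroducing an unsynchronized access.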