author | vitalybuka <vitalybuka@chromium.org> | 2015-05-22 07:46:06 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-05-22 14:46:47 +0000 |
commit | d1013d8e0f9987b31b57d70998e860f11d0cb3d2 (patch) | |
tree | ca94e293de9da2eadfb0c07dc6e2d2be64e63d41 /sandbox | |
parent | 8fb3b60feb9bee2d3b16f5c21a0c77e3e0f13c8c (diff) | |
Don't delete TargetProcess with SpawnCleanup.
If AssociateCompletionPort fails, BrokerServicesBase::SpawnTarget
returns with SpawnCleanup trying to delete TargetProcess.
If code reaches there, TargetProcess is already owned by PolicyBase.
BUG=480639
Review URL: https://codereview.chromium.org/1149213002
Cr-Commit-Position: refs/heads/master@{#331103}
Diffstat (limited to 'sandbox')
-rw-r--r-- | sandbox/win/src/broker_services.cc | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc index fec98f9..57aa51a 100644 --- a/sandbox/win/src/broker_services.cc +++ b/sandbox/win/src/broker_services.cc @@ -520,8 +520,11 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path, policy_base->AddRef(); if (job.IsValid()) { scoped_ptr<JobTracker> tracker(new JobTracker(job.Take(), policy_base)); - if (!AssociateCompletionPort(tracker->job, job_port_, tracker.get())) - return SpawnCleanup(target, 0); + + // There is no obvious recovery after failure here. Previous version with + // SpawnCleanup() caused deletion of TargetProcess twice. crbug.com/480639 + CHECK(AssociateCompletionPort(tracker->job, job_port_, tracker.get())); + // Save the tracker because in cleanup we might need to force closing // the Jobs. tracker_list_.push_back(tracker.release()); |
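Review bot: Crashing on AssociateCompletionPort failure, through the CHECK added inside the `if (job.IsValid())` branch, takes down the whole broker process for an error that SpawnTarget previously reported through its ResultCode. The commit message says TargetProcess is already owned by PolicyBase at this point, so consider an error return that skips deleting `target` and lets the policy's ownership release it, which would fix the double delete without aborting. If the CHECK stays, the comment should state that ownership invariant (who owns TargetProcess after `policy_base->AddRef()`) rather than only describing the previous version, so a later reader can tell why SpawnCleanup(target, 0) must not be called here.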