MTECheckedPtr: Un-rewrite select members

Note: This CL introduces zero behavioral change, as MTECheckedPtr is not enabled by default for anybody. Before we can enable MTECheckedPtr for anybody, we need to pass CQ. To that end, we can't chase down every potential UaF surfaced by the unit tests (at least, not yet). This change un-rewrites various members (this CL is confined to /base) that cause various test suites to fail. The failing suites are named in the TODO line. This change will be undone when we conclude experimentation with MTECheckedPtr. This CL was uploaded by git cl split. R=thakis@chromium.org Bug: 1298696 Change-Id: I507a97099300014be76c07b7db0be1ce1b5cf3d7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3740361 Commit-Queue: Mark Mentovai <mark@chromium.org> Auto-Submit: Kalvin Lee <kdlee@chromium.org> Reviewed-by: Mark Mentovai <mark@chromium.org> Cr-Commit-Position: refs/heads/main@{#1019988}
Denger-Network · Jul 1, 2022 · 6e3b211 · 6e3b211
1 parent 1272210
commit 6e3b211
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 5 deletions.
diff --git a/base/big_endian.h b/base/big_endian.h
@@ -137,8 +137,9 @@ class BASE_EXPORT BigEndianWriter {
   template<typename T>
   bool Write(T v);
 
-  raw_ptr<char, DanglingUntriaged> ptr_;
-  raw_ptr<char, DanglingUntriaged> end_;
+  // TODO(crbug.com/1298696): Breaks net_unittests.
+  raw_ptr<char, DanglingUntriagedDegradeToNoOpWhenMTE> ptr_;
+  raw_ptr<char, DanglingUntriagedDegradeToNoOpWhenMTE> end_;
 };
 
 }  // namespace base

diff --git a/base/files/file_descriptor_watcher_posix.h b/base/files/file_descriptor_watcher_posix.h
@@ -75,7 +75,9 @@ class BASE_EXPORT FileDescriptorWatcher {
     // Controller is deleted, ownership of |watcher_| is transfered to a delete
     // task posted to the MessageLoopForIO. This ensures that |watcher_| isn't
     // deleted while it is being used by the MessageLoopForIO.
-    raw_ptr<Watcher, DanglingUntriaged> watcher_;
+    //
+    // TODO(crbug.com/1298696): Breaks base_unittests.
+    raw_ptr<Watcher, DanglingUntriagedDegradeToNoOpWhenMTE> watcher_;
 
     // An event for the watcher to notify controller that it's destroyed.
     // As the |watcher_| is owned by Controller, always outlives the Watcher.

diff --git a/base/files/memory_mapped_file.h b/base/files/memory_mapped_file.h
@@ -139,7 +139,8 @@ class BASE_EXPORT MemoryMappedFile {
   void CloseHandles();
 
   File file_;
-  raw_ptr<uint8_t> data_;
+  // TODO(crbug.com/1298696): Breaks one of the test suites.
+  raw_ptr<uint8_t, DegradeToNoOpWhenMTE> data_;
   size_t length_;
 
 #if BUILDFLAG(IS_WIN)

diff --git a/base/synchronization/waitable_event_watcher.h b/base/synchronization/waitable_event_watcher.h
@@ -145,7 +145,9 @@ class BASE_EXPORT WaitableEventWatcher
   scoped_refptr<Flag> cancel_flag_;
 
   // Enqueued in the wait list of the watched WaitableEvent.
-  raw_ptr<AsyncWaiter, DanglingUntriaged> waiter_ = nullptr;
+  //
+  // TODO(crbug.com/1298696): Breaks base_unittests.
+  raw_ptr<AsyncWaiter, DanglingUntriagedDegradeToNoOpWhenMTE> waiter_ = nullptr;
 
   // Kernel of the watched WaitableEvent.
   scoped_refptr<WaitableEvent::WaitableEventKernel> kernel_;