[Backport] Security bug 421629753

Manual cherry-pick of patch originally reviewed on
https://skia-review.googlesource.com/c/skia/+/1002497:
Remove destructor calls on shutdown for static local variables

After thinking about it more and chatting some experienced folks,
I think I identified the wrong root cause in the linked bug and
thus had the wrong fix in https://skia-review.googlesource.com/c/skia/+/1001824

Skia was violating the style guide [1] and running into the reasons
that these non-trivial destructors are banned. sk_sp *has* a non-trivial
destructor - it does reference counting and possible destructing of
the held object. So even though SkImageFilterCache has a trivial
destructor, sk_sp's freeing was causing the problem.

    "when a program starts threads that are not joined at exit,
     those threads may attempt to access objects after their
     lifetime has ended if their destructor has already run."

Here's roughly what was going on, pieced together from the linked
crash log

1) Thread 0 creates children threads
2) Thread 5 called SkImageFilterCache::Get() to create static
   local sk_sp<SkImageFilterCache>. Let's call it Alice. The
   function returns a copy of sk_sp called Bob. Bob and Alice
   point to an object with refcount 2. Bob goes out of scope.
   and there's just Alice with refcount of 1.
3) Thread 0 begins to shutdown. Via __run_exit_handlers it calls
   the destructor for Alice, which upon hitting a refcount of 0
   free's the memory for the underlying cache.
4) Thread 5 is still plugging away and calls ::Get() which returns
   a new sk_sp (called Carol) with refcount 1 but pointing to
   a freed pointer.
5) Crash caught by sanitizer.

In a non-sanitizer build, step 5 is likely "nothing happens anyway"
or "segfault during shutdown".

To fix this, we don't want the static local to be an sk_sp, but
instead it should be a bare pointer. This ensures the object lives
all the way until the OS reclaims the memory.

[1] https://google.github.io/styleguide/cppguide.html#Static_and_Global_Variables

Change-Id: I134156898f840924f0ec7001d0eb7a11a45d6c53
Bug: b/421629753
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/1002497
Reviewed-by: Michael Ludwig <[email protected]>
Commit-Queue: Michael Ludwig <[email protected]>
Commit-Queue: Kaylee Lubick <[email protected]>
Auto-Submit: Kaylee Lubick <[email protected]>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/659334
Reviewed-by: Moss Heim <[email protected]>

Author: kjlubick

chromium/third_party/skia/src/core/SkFontMgr.cpp

@@ -152,8 +152,8 @@ sk_sp<SkTypeface> SkFontMgr::legacyMakeTypeface(const char familyName[], SkFontS
 }
 
 sk_sp<SkFontMgr> SkFontMgr::RefEmpty() {
-    static sk_sp<SkFontMgr> singleton(new SkEmptyFontMgr);
-    return singleton;
+    static SkFontMgr* singleton = new SkEmptyFontMgr();
+    return sk_ref_sp(singleton);
 }
 
 /**

chromium/third_party/skia/src/core/SkImageFilterCache.cpp

@@ -158,12 +158,11 @@ sk_sp<SkImageFilterCache> SkImageFilterCache::Create(size_t maxBytes) {
 
 sk_sp<SkImageFilterCache> SkImageFilterCache::Get(CreateIfNecessary createIfNecessary) {
     static SkOnce once;
-    static sk_sp<SkImageFilterCache> cache;
+    static SkImageFilterCache* cache = nullptr;
 
     if (createIfNecessary == CreateIfNecessary::kNo) {
-        return cache;
+        return sk_ref_sp(cache);
     }
-
-    once([]{ cache = SkImageFilterCache::Create(kDefaultCacheSize); });
-    return cache;
+    once([]{ cache = SkImageFilterCache::Create(kDefaultCacheSize).release(); });
+    return sk_ref_sp(cache);
 }

chromium/third_party/skia/src/gpu/ganesh/GrTestUtils.cpp

@@ -17,6 +17,7 @@
 #include "include/core/SkRRect.h"
 #include "include/core/SkRect.h"
 #include "include/private/base/SkMacros.h"
+#include "include/private/base/SkOnce.h"
 #include "include/private/gpu/ganesh/GrTypesPriv.h"
 #include "src/base/SkRandom.h"
 #include "src/core/SkRectPriv.h"
@@ -325,33 +326,34 @@ SkPathEffect::DashType TestDashPathEffect::onAsADash(DashInfo* info) const {
 
 sk_sp<SkColorSpace> TestColorSpace(SkRandom* random) {
     static sk_sp<SkColorSpace> gColorSpaces[3];
-    static bool gOnce;
-    if (!gOnce) {
-        gOnce = true;
+    static SkOnce once;
+    once([] {
         // No color space (legacy mode)
         gColorSpaces[0] = nullptr;
         // sRGB or color-spin sRGB
-        gColorSpaces[1] = SkColorSpace::MakeSRGB();
-        gColorSpaces[2] = SkColorSpace::MakeSRGB()->makeColorSpin();
-    }
-    return gColorSpaces[random->nextULessThan(static_cast<uint32_t>(std::size(gColorSpaces)))];
+        gColorSpaces[1] = SkColorSpace::MakeSRGB().release();
+        gColorSpaces[2] = SkColorSpace::MakeSRGB()->makeColorSpin().release();
+    });
+    return sk_ref_sp(
+            gColorSpaces[random->nextULessThan(static_cast<uint32_t>(std::size(gColorSpaces)))]);
 }
 
 sk_sp<GrColorSpaceXform> TestColorXform(SkRandom* random) {
     // TODO: Add many more kinds of xforms here
     static sk_sp<GrColorSpaceXform> gXforms[3];
-    static bool gOnce;
-    if (!gOnce) {
-        gOnce = true;
+    static SkOnce once;
+    once([] {
         sk_sp<SkColorSpace> srgb = SkColorSpace::MakeSRGB();
         sk_sp<SkColorSpace> spin = SkColorSpace::MakeSRGB()->makeColorSpin();
         // No gamut change
         gXforms[0] = nullptr;
-        gXforms[1] = GrColorSpaceXform::Make(srgb.get(), kPremul_SkAlphaType,
-                                             spin.get(), kPremul_SkAlphaType);
-        gXforms[2] = GrColorSpaceXform::Make(spin.get(), kPremul_SkAlphaType,
-                                             srgb.get(), kPremul_SkAlphaType);
-    }
+        gXforms[1] = GrColorSpaceXform::Make(
+                             srgb.get(), kPremul_SkAlphaType, spin.get(), kPremul_SkAlphaType)
+                             .release();
+        gXforms[2] = GrColorSpaceXform::Make(
+                             spin.get(), kPremul_SkAlphaType, srgb.get(), kPremul_SkAlphaType)
+                             .release();
+    });
     return gXforms[random->nextULessThan(static_cast<uint32_t>(std::size(gXforms)))];
 }