Fix ABA problem when iterating epoll events.

Original patch contributed by andrey.semashev@gmail.com.

In PhysicalSocketServer::WaitEpoll(), the loop verifies that the
signalled dispatcher is in dispatchers_ set. It does so by looking up
the dispatcher pointer in the set. This is vulnerable to the ABA
problem because one dispatcher may be removed and destroyed and another
created and added with the same address before epoll reports an event
for the old dispatcher. The same issue exists for other Wait
implementations, if a dispatcher is removed and a new one added with
the same socket handle is the old.

This is avoided by using a 64-bit key for looking up the dispatcher
in the set. The key is set from a running counter which gets incremented
when a dispatcher is added to the set, so even if the same dispatcher
pointer is added, removed and added again, the key value will be
different.

This changes the storage of dispatchers_ from a set to a flat_hash_map,
which uses a bit more memory but has faster lookup (O(1) as opposed to
O(log n)).

Bug: webrtc:11124
Change-Id: I6d206e1a367b58ba971edca9b48af7664384b797
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/181027
Commit-Queue: Taylor <deadbeef@webrtc.org>
Reviewed-by: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#32019}

rtc_base/physical_socket_server.h

@@ -18,7 +18,7 @@
 
 #include <array>
 #include <memory>
-#include <set>
+#include <unordered_map>
 #include <vector>
 
 #include "rtc_base/deprecated/recursive_critical_section.h"
@@ -85,17 +85,13 @@ class RTC_EXPORT PhysicalSocketServer : public SocketServer {
   // The number of events to process with one call to "epoll_wait".
   static constexpr size_t kNumEpollEvents = 128;
 
-  typedef std::set<Dispatcher*> DispatcherSet;
-
-  void AddRemovePendingDispatchers() RTC_EXCLUSIVE_LOCKS_REQUIRED(crit_);
-
 #if defined(WEBRTC_POSIX)
   bool WaitSelect(int cms, bool process_io);
 #endif  // WEBRTC_POSIX
 #if defined(WEBRTC_USE_EPOLL)
-  void AddEpoll(Dispatcher* dispatcher);
+  void AddEpoll(Dispatcher* dispatcher, uint64_t key);
   void RemoveEpoll(Dispatcher* dispatcher);
-  void UpdateEpoll(Dispatcher* dispatcher);
+  void UpdateEpoll(Dispatcher* dispatcher, uint64_t key);
   bool WaitEpoll(int cms);
   bool WaitPoll(int cms, Dispatcher* dispatcher);
 
@@ -106,16 +102,31 @@ class RTC_EXPORT PhysicalSocketServer : public SocketServer {
   std::array<epoll_event, kNumEpollEvents> epoll_events_;
   const int epoll_fd_ = INVALID_SOCKET;
 #endif  // WEBRTC_USE_EPOLL
-  DispatcherSet dispatchers_ RTC_GUARDED_BY(crit_);
-  DispatcherSet pending_add_dispatchers_ RTC_GUARDED_BY(crit_);
-  DispatcherSet pending_remove_dispatchers_ RTC_GUARDED_BY(crit_);
-  bool processing_dispatchers_ RTC_GUARDED_BY(crit_) = false;
+  // uint64_t keys are used to uniquely identify a dispatcher in order to avoid
+  // the ABA problem during the epoll loop (a dispatcher being destroyed and
+  // replaced by one with the same address).
+  uint64_t next_dispatcher_key_ RTC_GUARDED_BY(crit_) = 0;
+  std::unordered_map<uint64_t, Dispatcher*> dispatcher_by_key_
+      RTC_GUARDED_BY(crit_);
+  // Reverse lookup necessary for removals/updates.
+  std::unordered_map<Dispatcher*, uint64_t> key_by_dispatcher_
+      RTC_GUARDED_BY(crit_);
+  // A list of dispatcher keys that we're interested in for the current
+  // select() or WSAWaitForMultipleEvents() loop. Again, used to avoid the ABA
+  // problem (a socket being destroyed and a new one created with the same
+  // handle, erroneously receiving the events from the destroyed socket).
+  //
+  // Kept as a member variable just for efficiency.
+  std::vector<uint64_t> current_dispatcher_keys_;
   Signaler* signal_wakeup_;  // Assigned in constructor only
   RecursiveCriticalSection crit_;
 #if defined(WEBRTC_WIN)
   const WSAEVENT socket_ev_;
 #endif
   bool fWait_;
+  // Are we currently in a select()/epoll()/WSAWaitForMultipleEvents loop?
+  // Used for a DCHECK, because we don't support reentrant waiting.
+  bool waiting_ = false;
 };
 
 class PhysicalSocket : public AsyncSocket, public sigslot::has_slots<> {