diff options
author | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-10-10 01:04:48 +0000 |
---|---|---|
committer | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-10-10 01:04:48 +0000 |
commit | 18bdd9f5eb65b0979fe6ef610aeede9bc32b1e5a (patch) | |
tree | 98b04a0f1e64dcdcbad7123e7dcce49d7cc93546 | |
parent | f5857bc22887f8bffe9fb3135768aa0286a927eb (diff) | |
download | chromium_src-18bdd9f5eb65b0979fe6ef610aeede9bc32b1e5a.zip chromium_src-18bdd9f5eb65b0979fe6ef610aeede9bc32b1e5a.tar.gz chromium_src-18bdd9f5eb65b0979fe6ef610aeede9bc32b1e5a.tar.bz2 |
Fix another race condition on worker process shutdown that results in use-after-free. Like 23018, this is happening because valgrind is slowing the worker thread shutdown enough that the backup terminate process code executes.
BUG=24346
TEST=covered by valgrind
Review URL: http://codereview.chromium.org/266036
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@28646 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/renderer/webworker_proxy.cc | 3 | ||||
-rw-r--r-- | chrome/renderer/webworker_proxy.h | 1 | ||||
-rw-r--r-- | chrome/worker/nativewebworker_impl.cc | 3 | ||||
-rw-r--r-- | chrome/worker/nativewebworker_impl.h | 1 | ||||
-rw-r--r-- | chrome/worker/webworkerclient_proxy.cc | 1 | ||||
-rw-r--r-- | tools/valgrind/memcheck/suppressions.txt | 34 | ||||
-rw-r--r-- | webkit/api/public/WebWorker.h | 1 | ||||
-rw-r--r-- | webkit/glue/webworker_impl.cc | 22 | ||||
-rw-r--r-- | webkit/glue/webworker_impl.h | 1 | ||||
-rw-r--r-- | webkit/tools/test_shell/test_web_worker.h | 2 |
10 files changed, 34 insertions, 35 deletions
diff --git a/chrome/renderer/webworker_proxy.cc b/chrome/renderer/webworker_proxy.cc index b350470..3932d6e 100644 --- a/chrome/renderer/webworker_proxy.cc +++ b/chrome/renderer/webworker_proxy.cc @@ -97,6 +97,9 @@ void WebWorkerProxy::workerObjectDestroyed() { delete this; } +void WebWorkerProxy::clientDestroyed() { +} + bool WebWorkerProxy::Send(IPC::Message* message) { // It's possible that postMessage is called before the worker is created, in // which case route_id_ will be none. Or the worker object can be interacted diff --git a/chrome/renderer/webworker_proxy.h b/chrome/renderer/webworker_proxy.h index d47f3fb..8c53a67 100644 --- a/chrome/renderer/webworker_proxy.h +++ b/chrome/renderer/webworker_proxy.h @@ -38,6 +38,7 @@ class WebWorkerProxy : public WebKit::WebWorker, const WebKit::WebString& message, const WebKit::WebMessagePortChannelArray& channel_array); virtual void workerObjectDestroyed(); + virtual void clientDestroyed(); // IPC::Channel::Listener implementation. void OnMessageReceived(const IPC::Message& message); diff --git a/chrome/worker/nativewebworker_impl.cc b/chrome/worker/nativewebworker_impl.cc index 1383e63..58a5c07 100644 --- a/chrome/worker/nativewebworker_impl.cc +++ b/chrome/worker/nativewebworker_impl.cc @@ -164,3 +164,6 @@ void NativeWebWorkerImpl::postMessageToWorkerContext( void NativeWebWorkerImpl::workerObjectDestroyed() { } + +void NativeWebWorkerImpl::clientDestroyed() { +} diff --git a/chrome/worker/nativewebworker_impl.h b/chrome/worker/nativewebworker_impl.h index 29d85c9..2407136 100644 --- a/chrome/worker/nativewebworker_impl.h +++ b/chrome/worker/nativewebworker_impl.h @@ -31,6 +31,7 @@ class NativeWebWorkerImpl : public WebKit::WebWorker { const WebKit::WebString& message, const WebKit::WebMessagePortChannelArray& channels); void workerObjectDestroyed(); + void clientDestroyed(); private: WebKit::WebWorkerClient* client_; diff --git a/chrome/worker/webworkerclient_proxy.cc b/chrome/worker/webworkerclient_proxy.cc index de31734..9fe0870 100644 --- a/chrome/worker/webworkerclient_proxy.cc +++ b/chrome/worker/webworkerclient_proxy.cc @@ -60,6 +60,7 @@ WebWorkerClientProxy::WebWorkerClientProxy(const GURL& url, int route_id) } WebWorkerClientProxy::~WebWorkerClientProxy() { + impl_->clientDestroyed(); WorkerThread::current()->RemoveRoute(route_id_); ChildProcess::current()->ReleaseProcess(); } diff --git a/tools/valgrind/memcheck/suppressions.txt b/tools/valgrind/memcheck/suppressions.txt index 8f83c3f..7dee796 100644 --- a/tools/valgrind/memcheck/suppressions.txt +++ b/tools/valgrind/memcheck/suppressions.txt @@ -966,24 +966,6 @@ fun:_ZN7WebCore5Frame4initEv } { - bug_23018_a - Memcheck:Addr4 - fun:_ZN12_GLOBAL__N_115KillProcessTask3RunEv - fun:_ZN11MessageLoop7RunTaskEP4Task - fun:_ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE - fun:_ZN11MessageLoop13DoDelayedWorkEPN4base4TimeE -} -{ - # This is the same callstack as above, but for whatever reason the signature - # of the top line, KillProcessTask::Run(), is displayed differently. - bug_23018_b - Memcheck:Addr4 - fun:_ZN122_GLOBAL__N__b_slave_chromium_rel_linux_valgrind_builder_build_src_chrome_worker_webworkerclient_proxy.cc_00000000_BBD84F3C15KillProcessTask3RunEv - fun:_ZN11MessageLoop7RunTaskEP4Task - fun:_ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE - fun:_ZN11MessageLoop13DoDelayedWorkEPN4base4TimeE -} -{ bug_23151 Memcheck:Addr4 ... @@ -1105,19 +1087,3 @@ fun:_ZN11MessageLoop11RunInternalEv fun:_ZN11MessageLoop10RunHandlerEv } -{ - bug_24346 - Memcheck:Addr4 - fun:_ZN13WebWorkerImpl25ReportPendingActivityTaskEPN7WebCore22ScriptExecutionContextEPS_b - fun:_ZN7WebCore18GenericWorkerTask2IP13WebWorkerImplS2_bbE11performTaskEPNS_22ScriptExecutionContextE - fun:_ZN13WebWorkerImpl16InvokeTaskMethodEPv - fun:_ZN3WTF31dispatchFunctionsFromMainThreadEv - fun:_Z18DispatchToFunctionIPFvvEEvT_RK6Tuple0 - fun:_ZN16RunnableFunctionIPFvvE6Tuple0E3RunEv - fun:_ZN11MessageLoop7RunTaskEP4Task - fun:_ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE - fun:_ZN11MessageLoop6DoWorkEv - fun:_ZN4base18MessagePumpDefault3RunEPNS_11MessagePump8DelegateE - fun:_ZN11MessageLoop11RunInternalEv - fun:_ZN11MessageLoop10RunHandlerEv -} diff --git a/webkit/api/public/WebWorker.h b/webkit/api/public/WebWorker.h index 1424161..c2f0250 100644 --- a/webkit/api/public/WebWorker.h +++ b/webkit/api/public/WebWorker.h @@ -53,6 +53,7 @@ namespace WebKit { const WebString&, const WebMessagePortChannelArray&) = 0; virtual void workerObjectDestroyed() = 0; + virtual void clientDestroyed() = 0; }; } // namespace WebKit diff --git a/webkit/glue/webworker_impl.cc b/webkit/glue/webworker_impl.cc index a2e70c4..18f3870 100644 --- a/webkit/glue/webworker_impl.cc +++ b/webkit/glue/webworker_impl.cc @@ -218,6 +218,10 @@ void WebWorkerImpl::workerObjectDestroyed() { terminateWorkerContext(); } +void WebWorkerImpl::clientDestroyed() { + client_ = NULL; +} + void WebWorkerImpl::DispatchTaskToMainThread( PassRefPtr<WebCore::ScriptExecutionContext::Task> task) { return WTF::callOnMainThread(InvokeTaskMethod, task.releaseRef()); @@ -247,6 +251,9 @@ void WebWorkerImpl::PostMessageTask( WebWorkerImpl* this_ptr, WebCore::String message, WTF::PassOwnPtr<WebCore::MessagePortChannelArray> channels) { + if (!this_ptr->client_) + return; + WebMessagePortChannelArray web_channels( channels.get() ? channels->size() : 0); for (size_t i = 0; i < web_channels.size(); ++i) { @@ -276,6 +283,9 @@ void WebWorkerImpl::PostExceptionTask( const WebCore::String& error_message, int line_number, const WebCore::String& source_url) { + if (!this_ptr->client_) + return; + this_ptr->client_->postExceptionToWorkerObject( webkit_glue::StringToWebString(error_message), line_number, @@ -312,6 +322,9 @@ void WebWorkerImpl::PostConsoleMessageTask( const WebCore::String& message, int line_number, const WebCore::String& source_url) { + if (!this_ptr->client_) + return; + this_ptr->client_->postConsoleMessageToWorkerObject( destination, source, @@ -333,6 +346,9 @@ void WebWorkerImpl::ConfirmMessageTask( WebCore::ScriptExecutionContext* context, WebWorkerImpl* this_ptr, bool has_pending_activity) { + if (!this_ptr->client_) + return; + this_ptr->client_->confirmMessageFromWorkerObject(has_pending_activity); } @@ -347,6 +363,9 @@ void WebWorkerImpl::ReportPendingActivityTask( WebCore::ScriptExecutionContext* context, WebWorkerImpl* this_ptr, bool has_pending_activity) { + if (!this_ptr->client_) + return; + this_ptr->client_->reportPendingActivity(has_pending_activity); } @@ -373,7 +392,8 @@ void WebWorkerImpl::postTaskForModeToWorkerContext( void WebWorkerImpl::WorkerContextDestroyedTask( WebCore::ScriptExecutionContext* context, WebWorkerImpl* this_ptr) { - this_ptr->client_->workerContextDestroyed(); + if (this_ptr->client_) + this_ptr->client_->workerContextDestroyed(); // The lifetime of this proxy is controlled by the worker context. delete this_ptr; diff --git a/webkit/glue/webworker_impl.h b/webkit/glue/webworker_impl.h index 165b35d..33c7b05 100644 --- a/webkit/glue/webworker_impl.h +++ b/webkit/glue/webworker_impl.h @@ -68,6 +68,7 @@ class WebWorkerImpl: public WebCore::WorkerObjectProxy, const WebKit::WebString& message, const WebKit::WebMessagePortChannelArray& channel); virtual void workerObjectDestroyed(); + virtual void clientDestroyed(); WebKit::WebWorkerClient* client() { return client_; } diff --git a/webkit/tools/test_shell/test_web_worker.h b/webkit/tools/test_shell/test_web_worker.h index 2adcb42..2aa1a2a 100644 --- a/webkit/tools/test_shell/test_web_worker.h +++ b/webkit/tools/test_shell/test_web_worker.h @@ -42,6 +42,8 @@ class TestWebWorker : public WebKit::WebWorker, virtual void workerObjectDestroyed() { Release(); // Releases the reference held for worker object. } + virtual void clientDestroyed() { + } // WebWorkerClient methods: virtual void postMessageToWorkerObject( |