summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorjam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-10 01:04:48 +0000
committerjam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-10-10 01:04:48 +0000
commit18bdd9f5eb65b0979fe6ef610aeede9bc32b1e5a (patch)
tree98b04a0f1e64dcdcbad7123e7dcce49d7cc93546
parentf5857bc22887f8bffe9fb3135768aa0286a927eb (diff)
downloadchromium_src-18bdd9f5eb65b0979fe6ef610aeede9bc32b1e5a.zip
chromium_src-18bdd9f5eb65b0979fe6ef610aeede9bc32b1e5a.tar.gz
chromium_src-18bdd9f5eb65b0979fe6ef610aeede9bc32b1e5a.tar.bz2
Fix another race condition on worker process shutdown that results in use-after-free. Like 23018, this is happening because valgrind is slowing the worker thread shutdown enough that the backup terminate process code executes.
BUG=24346 TEST=covered by valgrind Review URL: http://codereview.chromium.org/266036 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@28646 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/renderer/webworker_proxy.cc3
-rw-r--r--chrome/renderer/webworker_proxy.h1
-rw-r--r--chrome/worker/nativewebworker_impl.cc3
-rw-r--r--chrome/worker/nativewebworker_impl.h1
-rw-r--r--chrome/worker/webworkerclient_proxy.cc1
-rw-r--r--tools/valgrind/memcheck/suppressions.txt34
-rw-r--r--webkit/api/public/WebWorker.h1
-rw-r--r--webkit/glue/webworker_impl.cc22
-rw-r--r--webkit/glue/webworker_impl.h1
-rw-r--r--webkit/tools/test_shell/test_web_worker.h2
10 files changed, 34 insertions, 35 deletions
diff --git a/chrome/renderer/webworker_proxy.cc b/chrome/renderer/webworker_proxy.cc
index b350470..3932d6e 100644
--- a/chrome/renderer/webworker_proxy.cc
+++ b/chrome/renderer/webworker_proxy.cc
@@ -97,6 +97,9 @@ void WebWorkerProxy::workerObjectDestroyed() {
delete this;
}
+void WebWorkerProxy::clientDestroyed() {
+}
+
bool WebWorkerProxy::Send(IPC::Message* message) {
// It's possible that postMessage is called before the worker is created, in
// which case route_id_ will be none. Or the worker object can be interacted
diff --git a/chrome/renderer/webworker_proxy.h b/chrome/renderer/webworker_proxy.h
index d47f3fb..8c53a67 100644
--- a/chrome/renderer/webworker_proxy.h
+++ b/chrome/renderer/webworker_proxy.h
@@ -38,6 +38,7 @@ class WebWorkerProxy : public WebKit::WebWorker,
const WebKit::WebString& message,
const WebKit::WebMessagePortChannelArray& channel_array);
virtual void workerObjectDestroyed();
+ virtual void clientDestroyed();
// IPC::Channel::Listener implementation.
void OnMessageReceived(const IPC::Message& message);
diff --git a/chrome/worker/nativewebworker_impl.cc b/chrome/worker/nativewebworker_impl.cc
index 1383e63..58a5c07 100644
--- a/chrome/worker/nativewebworker_impl.cc
+++ b/chrome/worker/nativewebworker_impl.cc
@@ -164,3 +164,6 @@ void NativeWebWorkerImpl::postMessageToWorkerContext(
void NativeWebWorkerImpl::workerObjectDestroyed() {
}
+
+void NativeWebWorkerImpl::clientDestroyed() {
+}
diff --git a/chrome/worker/nativewebworker_impl.h b/chrome/worker/nativewebworker_impl.h
index 29d85c9..2407136 100644
--- a/chrome/worker/nativewebworker_impl.h
+++ b/chrome/worker/nativewebworker_impl.h
@@ -31,6 +31,7 @@ class NativeWebWorkerImpl : public WebKit::WebWorker {
const WebKit::WebString& message,
const WebKit::WebMessagePortChannelArray& channels);
void workerObjectDestroyed();
+ void clientDestroyed();
private:
WebKit::WebWorkerClient* client_;
diff --git a/chrome/worker/webworkerclient_proxy.cc b/chrome/worker/webworkerclient_proxy.cc
index de31734..9fe0870 100644
--- a/chrome/worker/webworkerclient_proxy.cc
+++ b/chrome/worker/webworkerclient_proxy.cc
@@ -60,6 +60,7 @@ WebWorkerClientProxy::WebWorkerClientProxy(const GURL& url, int route_id)
}
WebWorkerClientProxy::~WebWorkerClientProxy() {
+ impl_->clientDestroyed();
WorkerThread::current()->RemoveRoute(route_id_);
ChildProcess::current()->ReleaseProcess();
}
diff --git a/tools/valgrind/memcheck/suppressions.txt b/tools/valgrind/memcheck/suppressions.txt
index 8f83c3f..7dee796 100644
--- a/tools/valgrind/memcheck/suppressions.txt
+++ b/tools/valgrind/memcheck/suppressions.txt
@@ -966,24 +966,6 @@
fun:_ZN7WebCore5Frame4initEv
}
{
- bug_23018_a
- Memcheck:Addr4
- fun:_ZN12_GLOBAL__N_115KillProcessTask3RunEv
- fun:_ZN11MessageLoop7RunTaskEP4Task
- fun:_ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE
- fun:_ZN11MessageLoop13DoDelayedWorkEPN4base4TimeE
-}
-{
- # This is the same callstack as above, but for whatever reason the signature
- # of the top line, KillProcessTask::Run(), is displayed differently.
- bug_23018_b
- Memcheck:Addr4
- fun:_ZN122_GLOBAL__N__b_slave_chromium_rel_linux_valgrind_builder_build_src_chrome_worker_webworkerclient_proxy.cc_00000000_BBD84F3C15KillProcessTask3RunEv
- fun:_ZN11MessageLoop7RunTaskEP4Task
- fun:_ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE
- fun:_ZN11MessageLoop13DoDelayedWorkEPN4base4TimeE
-}
-{
bug_23151
Memcheck:Addr4
...
@@ -1105,19 +1087,3 @@
fun:_ZN11MessageLoop11RunInternalEv
fun:_ZN11MessageLoop10RunHandlerEv
}
-{
- bug_24346
- Memcheck:Addr4
- fun:_ZN13WebWorkerImpl25ReportPendingActivityTaskEPN7WebCore22ScriptExecutionContextEPS_b
- fun:_ZN7WebCore18GenericWorkerTask2IP13WebWorkerImplS2_bbE11performTaskEPNS_22ScriptExecutionContextE
- fun:_ZN13WebWorkerImpl16InvokeTaskMethodEPv
- fun:_ZN3WTF31dispatchFunctionsFromMainThreadEv
- fun:_Z18DispatchToFunctionIPFvvEEvT_RK6Tuple0
- fun:_ZN16RunnableFunctionIPFvvE6Tuple0E3RunEv
- fun:_ZN11MessageLoop7RunTaskEP4Task
- fun:_ZN11MessageLoop21DeferOrRunPendingTaskERKNS_11PendingTaskE
- fun:_ZN11MessageLoop6DoWorkEv
- fun:_ZN4base18MessagePumpDefault3RunEPNS_11MessagePump8DelegateE
- fun:_ZN11MessageLoop11RunInternalEv
- fun:_ZN11MessageLoop10RunHandlerEv
-}
diff --git a/webkit/api/public/WebWorker.h b/webkit/api/public/WebWorker.h
index 1424161..c2f0250 100644
--- a/webkit/api/public/WebWorker.h
+++ b/webkit/api/public/WebWorker.h
@@ -53,6 +53,7 @@ namespace WebKit {
const WebString&,
const WebMessagePortChannelArray&) = 0;
virtual void workerObjectDestroyed() = 0;
+ virtual void clientDestroyed() = 0;
};
} // namespace WebKit
diff --git a/webkit/glue/webworker_impl.cc b/webkit/glue/webworker_impl.cc
index a2e70c4..18f3870 100644
--- a/webkit/glue/webworker_impl.cc
+++ b/webkit/glue/webworker_impl.cc
@@ -218,6 +218,10 @@ void WebWorkerImpl::workerObjectDestroyed() {
terminateWorkerContext();
}
+void WebWorkerImpl::clientDestroyed() {
+ client_ = NULL;
+}
+
void WebWorkerImpl::DispatchTaskToMainThread(
PassRefPtr<WebCore::ScriptExecutionContext::Task> task) {
return WTF::callOnMainThread(InvokeTaskMethod, task.releaseRef());
@@ -247,6 +251,9 @@ void WebWorkerImpl::PostMessageTask(
WebWorkerImpl* this_ptr,
WebCore::String message,
WTF::PassOwnPtr<WebCore::MessagePortChannelArray> channels) {
+ if (!this_ptr->client_)
+ return;
+
WebMessagePortChannelArray web_channels(
channels.get() ? channels->size() : 0);
for (size_t i = 0; i < web_channels.size(); ++i) {
@@ -276,6 +283,9 @@ void WebWorkerImpl::PostExceptionTask(
const WebCore::String& error_message,
int line_number,
const WebCore::String& source_url) {
+ if (!this_ptr->client_)
+ return;
+
this_ptr->client_->postExceptionToWorkerObject(
webkit_glue::StringToWebString(error_message),
line_number,
@@ -312,6 +322,9 @@ void WebWorkerImpl::PostConsoleMessageTask(
const WebCore::String& message,
int line_number,
const WebCore::String& source_url) {
+ if (!this_ptr->client_)
+ return;
+
this_ptr->client_->postConsoleMessageToWorkerObject(
destination,
source,
@@ -333,6 +346,9 @@ void WebWorkerImpl::ConfirmMessageTask(
WebCore::ScriptExecutionContext* context,
WebWorkerImpl* this_ptr,
bool has_pending_activity) {
+ if (!this_ptr->client_)
+ return;
+
this_ptr->client_->confirmMessageFromWorkerObject(has_pending_activity);
}
@@ -347,6 +363,9 @@ void WebWorkerImpl::ReportPendingActivityTask(
WebCore::ScriptExecutionContext* context,
WebWorkerImpl* this_ptr,
bool has_pending_activity) {
+ if (!this_ptr->client_)
+ return;
+
this_ptr->client_->reportPendingActivity(has_pending_activity);
}
@@ -373,7 +392,8 @@ void WebWorkerImpl::postTaskForModeToWorkerContext(
void WebWorkerImpl::WorkerContextDestroyedTask(
WebCore::ScriptExecutionContext* context,
WebWorkerImpl* this_ptr) {
- this_ptr->client_->workerContextDestroyed();
+ if (this_ptr->client_)
+ this_ptr->client_->workerContextDestroyed();
// The lifetime of this proxy is controlled by the worker context.
delete this_ptr;
diff --git a/webkit/glue/webworker_impl.h b/webkit/glue/webworker_impl.h
index 165b35d..33c7b05 100644
--- a/webkit/glue/webworker_impl.h
+++ b/webkit/glue/webworker_impl.h
@@ -68,6 +68,7 @@ class WebWorkerImpl: public WebCore::WorkerObjectProxy,
const WebKit::WebString& message,
const WebKit::WebMessagePortChannelArray& channel);
virtual void workerObjectDestroyed();
+ virtual void clientDestroyed();
WebKit::WebWorkerClient* client() { return client_; }
diff --git a/webkit/tools/test_shell/test_web_worker.h b/webkit/tools/test_shell/test_web_worker.h
index 2adcb42..2aa1a2a 100644
--- a/webkit/tools/test_shell/test_web_worker.h
+++ b/webkit/tools/test_shell/test_web_worker.h
@@ -42,6 +42,8 @@ class TestWebWorker : public WebKit::WebWorker,
virtual void workerObjectDestroyed() {
Release(); // Releases the reference held for worker object.
}
+ virtual void clientDestroyed() {
+ }
// WebWorkerClient methods:
virtual void postMessageToWorkerObject(