author | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-10-10 01:04:48 +0000 |
---|---|---|
committer | jam@chromium.org <jam@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-10-10 01:04:48 +0000 |
commit | 18bdd9f5eb65b0979fe6ef610aeede9bc32b1e5a (patch) | |
tree | 98b04a0f1e64dcdcbad7123e7dcce49d7cc93546 /webkit | |
parent | f5857bc22887f8bffe9fb3135768aa0286a927eb (diff) | |
Fix another race condition on worker process shutdown that results in use-after-free. Like 23018, this is happening because valgrind is slowing the worker thread shutdown enough that the backup terminate process code executes.
BUG=24346
TEST=covered by valgrind
Review URL: http://codereview.chromium.org/266036
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@28646 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r-- | webkit/api/public/WebWorker.h | 1 | ||||
-rw-r--r-- | webkit/glue/webworker_impl.cc | 22 | ||||
-rw-r--r-- | webkit/glue/webworker_impl.h | 1 | ||||
-rw-r--r-- | webkit/tools/test_shell/test_web_worker.h | 2 |
4 files changed, 25 insertions, 1 deletions
diff --git a/webkit/api/public/WebWorker.h b/webkit/api/public/WebWorker.h
index 1424161..c2f0250 100644
--- a/webkit/api/public/WebWorker.h
+++ b/webkit/api/public/WebWorker.h
@@ -53,6 +53,7 @@ namespace WebKit {
 const WebString&,
 const WebMessagePortChannelArray&) = 0;
 virtual void workerObjectDestroyed() = 0;
+ virtual void clientDestroyed() = 0;
 };
 } // namespace WebKit
diff --git a/webkit/glue/webworker_impl.cc b/webkit/glue/webworker_impl.cc
index a2e70c4..18f3870 100644
--- a/webkit/glue/webworker_impl.cc
+++ b/webkit/glue/webworker_impl.cc
@@ -218,6 +218,10 @@ void WebWorkerImpl::workerObjectDestroyed() {
 terminateWorkerContext();
 }
+void WebWorkerImpl::clientDestroyed() {
+ client_ = NULL;
+}
+
 void WebWorkerImpl::DispatchTaskToMainThread(
 PassRefPtr<WebCore::ScriptExecutionContext::Task> task) {
 return WTF::callOnMainThread(InvokeTaskMethod, task.releaseRef());
@@ -247,6 +251,9 @@ void WebWorkerImpl::PostMessageTask(
 WebWorkerImpl* this_ptr,
 WebCore::String message,
 WTF::PassOwnPtr<WebCore::MessagePortChannelArray> channels) {
+ if (!this_ptr->client_)
+ return;
+
 WebMessagePortChannelArray web_channels(
 channels.get() ? channels->size() : 0);
 for (size_t i = 0; i < web_channels.size(); ++i) {
@@ -276,6 +283,9 @@ void WebWorkerImpl::PostExceptionTask(
 const WebCore::String& error_message,
 int line_number,
 const WebCore::String& source_url) {
+ if (!this_ptr->client_)
+ return;
+
 this_ptr->client_->postExceptionToWorkerObject(
 webkit_glue::StringToWebString(error_message),
 line_number,
@@ -312,6 +322,9 @@ void WebWorkerImpl::PostConsoleMessageTask(
 const WebCore::String& message,
 int line_number,
 const WebCore::String& source_url) {
+ if (!this_ptr->client_)
+ return;
+
 this_ptr->client_->postConsoleMessageToWorkerObject(
 destination,
 source,
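Review bot: The new pure virtual `clientDestroyed()` in the WebWorker interface (WebWorker.h hunk) is added without a comment, so an embedder implementing the interface cannot tell when it is called or what it must guarantee afterwards. Judging by the WebWorkerImpl implementation in this same commit, the contract appears to be that the client pointer is not used once the call returns. I would state that next to the declaration, for example `// Called when the WebWorkerClient is going away; the worker must not call into the client after this.` The class body starts above the hunk, so the documentation style of the other methods is not visible here.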
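Review bot: `WebWorkerImpl::clientDestroyed()` clears `client_` with a plain store and the guards added to the task functions read it with a plain load, so the fix closes the use-after-free only if the store and the loads happen on the same thread. The context line after the new function shows tasks being handed to `WTF::callOnMainThread`, which suggests the readers run on the main thread, but nothing in the hunk shows which thread calls `clientDestroyed()`. I would document the requirement on the definition, `// Must be called on the main thread, where the tasks that read client_ run.`, and back it with a debug assertion on thread identity if the project has one available here.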
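Review bot: The same `if (!this_ptr->client_) return;` guard is pasted into PostMessageTask, PostExceptionTask, PostConsoleMessageTask, ConfirmMessageTask and ReportPendingActivityTask with no comment saying why a null client is expected, so a task function added later can easily miss it and bring the use-after-free back. A one-line comment at each guard, such as `// Client already destroyed during shutdown (see clientDestroyed()); drop the notification.`, would record the intent. Routing the client calls through one helper that performs the check would remove the repetition, though all five function bodies start or end outside their hunks, so whether a shared helper fits is an assumption.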
@@ -333,6 +346,9 @@ void WebWorkerImpl::ConfirmMessageTask(
 WebCore::ScriptExecutionContext* context,
 WebWorkerImpl* this_ptr,
 bool has_pending_activity) {
+ if (!this_ptr->client_)
+ return;
+
 this_ptr->client_->confirmMessageFromWorkerObject(has_pending_activity);
 }
@@ -347,6 +363,9 @@ void WebWorkerImpl::ReportPendingActivityTask(
 WebCore::ScriptExecutionContext* context,
 WebWorkerImpl* this_ptr,
 bool has_pending_activity) {
+ if (!this_ptr->client_)
+ return;
+
 this_ptr->client_->reportPendingActivity(has_pending_activity);
 }
@@ -373,7 +392,8 @@ void WebWorkerImpl::postTaskForModeToWorkerContext(
 void WebWorkerImpl::WorkerContextDestroyedTask(
 WebCore::ScriptExecutionContext* context,
 WebWorkerImpl* this_ptr) {
- this_ptr->client_->workerContextDestroyed();
+ if (this_ptr->client_)
+ this_ptr->client_->workerContextDestroyed();
 // The lifetime of this proxy is controlled by the worker context.
 delete this_ptr;
diff --git a/webkit/glue/webworker_impl.h b/webkit/glue/webworker_impl.h
index 165b35d..33c7b05 100644
--- a/webkit/glue/webworker_impl.h
+++ b/webkit/glue/webworker_impl.h
@@ -68,6 +68,7 @@ class WebWorkerImpl: public WebCore::WorkerObjectProxy,
 const WebKit::WebString& message,
 const WebKit::WebMessagePortChannelArray& channel);
 virtual void workerObjectDestroyed();
+ virtual void clientDestroyed();
 WebKit::WebWorkerClient* client() { return client_; }
diff --git a/webkit/tools/test_shell/test_web_worker.h b/webkit/tools/test_shell/test_web_worker.h
index 2adcb42..2aa1a2a 100644
--- a/webkit/tools/test_shell/test_web_worker.h
+++ b/webkit/tools/test_shell/test_web_worker.h
@@ -42,6 +42,8 @@ class TestWebWorker : public WebKit::WebWorker,
 virtual void workerObjectDestroyed() {
 Release(); // Releases the reference held for worker object.
 }
+ virtual void clientDestroyed() {
+ }
 // WebWorkerClient methods:
 virtual void postMessageToWorkerObject( |
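Review bot: In WorkerContextDestroyedTask the new null check protects the call into `client_`, but the function still ends with `delete this_ptr;`, and every other task changed in this commit dereferences the raw `this_ptr` before it looks at `client_`. If any of those tasks can still be queued when this one runs, the guards added elsewhere would themselves read freed memory. The ordering that rules this out is not visible in the hunk. Once it has been confirmed I would record it beside the existing lifetime comment, for example `// Must be the last task dispatched for this proxy: queued tasks hold a raw this_ptr.`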
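Review bot: The accessor `client()` shown as context at the end of the webworker_impl.h hunk can now return NULL once `clientDestroyed()` has run, which was presumably not the case before this commit. Callers of `client()` are outside the diff, so any that dereference the result unchecked would trade the use-after-free for a null dereference on the same shutdown path. I would document this on the accessor, `// May return NULL after clientDestroyed() has been called.`, and audit the existing callers.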