Issue 13023: Found a bug in the BaseTimer (used by OneShotTimer)....

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Issue 13023: Found a bug in the BaseTimer (used by OneShotTimer).... (Closed)

Created:
12 years ago by Mike Belshe

Modified:
9 years, 5 months ago

Reviewers:
Nicolas Sylvain, darin (slow to review), jar (doing other things)

CC:
chromium-reviews_googlegroups.com

Base URL:
svn://chrome-svn/chrome/trunk/src/

Visibility:
Public.

Description

Found a bug in the BaseTimer (used by OneShotTimer). If you have a OneShotTimer pending, and you destroy your message loop, the cleanup of the timer will use memory which was already freed by the MessageLoop. When the MessageLoop shuts down, it deletes pending tasks. BaseTimer did not provide a virtual destructor to cleanup its "base". Thus, when the actual OneShotTimer cleaned up, it would use deleted memory. This manifested for me when I had accidentally had cleanup of a oneshottimer occurring through the Singleton, which occurs AtExit, after the messageloop is already gone. Created a unit test for this, which does trip the assert due to heap corruption. Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=6190

Patch Set 1 #

Created: 12 years ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+48 lines, -6 lines)			Patch
	M	base/timer.h	View		1 chunk	+27 lines, -6 lines	1 comment	Download
	M	base/timer_unittest.cc	View		1 chunk	+21 lines, -0 lines	0 comments	Download

Messages

Total messages: 5 (0 generated)

Expand Messages | Collapse Messages

darin (slow to review)

12 years ago (2008-12-02 01:37:22 UTC) #5

LGTM

http://codereview.chromium.org/13023/diff/1/3
File base/timer.h (right):

http://codereview.chromium.org/13023/diff/1/3#newcode139
Line 139: virtual ~TimerTask() {
It is nice that delayed Tasks have the guarantee of being destroyed if not Run. 
We should work to make the same thing be true for non-delayed Tasks.

It would be good to add a comment about the significance of this ClearBaseTimer
call w.r.t. MessageLoop destruction.

Expand Messages | Collapse Messages