Chromium Code Reviews Chromium Code Reviews
Issue 1068743002:
Fix two race conditions in ImageDecoder. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/image_decoder.h" | 5 #include "chrome/browser/image_decoder.h" |
| 6 | 6 |
| 7 #include <set> | |
| 8 | |
| 7 #include "base/bind.h" | 9 #include "base/bind.h" |
| 8 #include "chrome/browser/browser_process.h" | 10 #include "chrome/browser/browser_process.h" |
| 9 #include "chrome/common/chrome_utility_messages.h" | 11 #include "chrome/common/chrome_utility_messages.h" |
| 10 #include "content/public/browser/browser_thread.h" | 12 #include "content/public/browser/browser_thread.h" |
| 11 #include "content/public/browser/utility_process_host.h" | 13 #include "content/public/browser/utility_process_host.h" |
| 12 | 14 |
| 13 using content::BrowserThread; | 15 using content::BrowserThread; |
| 14 using content::UtilityProcessHost; | 16 using content::UtilityProcessHost; |
| 15 | 17 |
| 16 namespace { | 18 namespace { |
| 17 | 19 |
| 18 // static, Leaky to allow access from any thread. | 20 // static, Leaky to allow access from any thread. |
| 19 base::LazyInstance<ImageDecoder>::Leaky g_decoder = LAZY_INSTANCE_INITIALIZER; | 21 base::LazyInstance<ImageDecoder>::Leaky g_decoder = LAZY_INSTANCE_INITIALIZER; |
| 20 | 22 |
| 21 // How long to wait after the last request has been received before ending | 23 // How long to wait after the last request has been received before ending |
| 22 // batch mode. | 24 // batch mode. |
| 23 const int kBatchModeTimeoutSeconds = 5; | 25 const int kBatchModeTimeoutSeconds = 5; |
| 24 | 26 |
| 25 } // namespace | 27 } // namespace |
| 26 | 28 |
| 29 class ImageDecoder::Job : public base::RefCountedThreadSafe<ImageDecoder::Job> { | |
| 30 public: | |
| 31 explicit Job(ImageDecoder::ImageRequest* request); | |
| 32 | |
| 33 void Cancel(); | |
| 34 void NotifyDecodeSucceeded(const SkBitmap& decoded_image); | |
| 35 void NotifyDecodeFailed(); | |
| 36 | |
| 37 ImageDecoder::ImageRequest* image_request() const { return request_; } | |
| 38 | |
| 39 private: | |
| 40 friend class base::RefCountedThreadSafe<ImageDecoder::Job>; | |
| 41 ~Job() = default; | |
| 42 | |
| 43 // Runs on the requests's task runner. | |
|
Theresa
2015/04/13 18:19:30
nit: sed/requests's/request's
Anand Mistry (off Chromium)
2015/04/14 00:52:13
Done.
| |
| 44 void OnSuccess(const SkBitmap& decoded_image); | |
| 45 void OnFailed(); | |
| 46 | |
| 47 void RemoveTask(); | |
| 48 | |
| 49 // Must only be dereferenced while |is_cancelled_| == false. | |
| 50 ImageDecoder::ImageRequest* const request_; | |
| 51 | |
| 52 base::Lock lock_; | |
| 53 bool is_cancelled_; | |
| 54 }; | |
| 55 | |
| 56 ImageDecoder::Job::Job(ImageDecoder::ImageRequest* request) | |
| 57 : request_(request), is_cancelled_(false) { | |
| 58 } | |
| 59 | |
| 60 void ImageDecoder::Job::Cancel() { | |
| 61 { | |
| 62 base::AutoLock lock(lock_); | |
| 63 is_cancelled_ = true; | |
| 64 } | |
| 65 g_decoder.Pointer()->RemoveJob(this); | |
| 66 } | |
| 67 | |
| 68 void ImageDecoder::Job::NotifyDecodeSucceeded(const SkBitmap& decoded_image) { | |
| 69 base::AutoLock lock(lock_); | |
| 70 if (is_cancelled_) | |
| 71 return; | |
| 72 | |
| 73 request_->task_runner()->PostTask( | |
| 74 FROM_HERE, | |
| 75 base::Bind(&ImageDecoder::Job::OnSuccess, this, decoded_image)); | |
|
Theresa
2015/04/13 18:19:30
Why are NotifyDecodeSucceeded and OnSuccess both n
Anand Mistry (off Chromium)
2015/04/14 00:52:13
This is race condition #2. If you post ImageReques
Theresa
2015/04/14 01:20:47
Acknowledged.
| |
| 76 } | |
| 77 | |
| 78 void ImageDecoder::Job::NotifyDecodeFailed() { | |
| 79 base::AutoLock lock(lock_); | |
| 80 if (is_cancelled_) | |
| 81 return; | |
| 82 | |
| 83 request_->task_runner()->PostTask( | |
| 84 FROM_HERE, base::Bind(&ImageDecoder::Job::OnFailed, this)); | |
| 85 } | |
| 86 | |
| 87 void ImageDecoder::Job::OnSuccess(const SkBitmap& decoded_image) { | |
| 88 base::AutoLock lock(lock_); | |
| 89 if (is_cancelled_) | |
| 90 return; | |
| 91 | |
| 92 DCHECK(request_->task_runner()->RunsTasksOnCurrentThread()); | |
| 93 g_decoder.Pointer()->RemoveJob(this); | |
| 94 request_->OnImageDecoded(decoded_image); | |
| 95 } | |
| 96 | |
| 97 void ImageDecoder::Job::OnFailed() { | |
| 98 base::AutoLock lock(lock_); | |
| 99 if (is_cancelled_) | |
| 100 return; | |
| 101 | |
| 102 DCHECK(request_->task_runner()->RunsTasksOnCurrentThread()); | |
| 103 g_decoder.Pointer()->RemoveJob(this); | |
| 104 request_->OnDecodeImageFailed(); | |
| 105 } | |
| 106 | |
| 27 ImageDecoder::ImageDecoder() | 107 ImageDecoder::ImageDecoder() |
| 28 : image_request_id_counter_(0), last_request_(base::TimeTicks::Now()) { | 108 : image_request_id_counter_(0), last_request_(base::TimeTicks::Now()) { |
| 29 // A single ImageDecoder instance should live for the life of the program. | 109 // A single ImageDecoder instance should live for the life of the program. |
| 30 // Explicitly add a reference so the object isn't deleted. | 110 // Explicitly add a reference so the object isn't deleted. |
| 31 AddRef(); | 111 AddRef(); |
| 32 } | 112 } |
| 33 | 113 |
| 34 ImageDecoder::~ImageDecoder() { | 114 ImageDecoder::~ImageDecoder() { |
| 35 } | 115 } |
| 36 | 116 |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 47 void ImageDecoder::Start(ImageRequest* image_request, | 127 void ImageDecoder::Start(ImageRequest* image_request, |
| 48 const std::string& image_data) { | 128 const std::string& image_data) { |
| 49 StartWithOptions(image_request, image_data, DEFAULT_CODEC, false); | 129 StartWithOptions(image_request, image_data, DEFAULT_CODEC, false); |
| 50 } | 130 } |
| 51 | 131 |
| 52 // static | 132 // static |
| 53 void ImageDecoder::StartWithOptions(ImageRequest* image_request, | 133 void ImageDecoder::StartWithOptions(ImageRequest* image_request, |
| 54 const std::string& image_data, | 134 const std::string& image_data, |
| 55 ImageCodec image_codec, | 135 ImageCodec image_codec, |
| 56 bool shrink_to_fit) { | 136 bool shrink_to_fit) { |
| 137 g_decoder.Pointer()->StartWithOptionsImpl(image_request, image_data, | |
| 138 image_codec, shrink_to_fit); | |
| 139 } | |
| 140 | |
| 141 void ImageDecoder::StartWithOptionsImpl(ImageRequest* image_request, | |
| 142 const std::string& image_data, | |
| 143 ImageCodec image_codec, | |
| 144 bool shrink_to_fit) { | |
| 57 DCHECK(image_request); | 145 DCHECK(image_request); |
| 58 DCHECK(image_request->task_runner()); | 146 DCHECK(image_request->task_runner()); |
| 147 | |
| 148 scoped_refptr<Job> job(new Job(image_request)); | |
| 149 int request_id; | |
| 150 { | |
| 151 base::AutoLock lock(map_lock_); | |
| 152 request_id = image_request_id_counter_++; | |
| 153 image_request_id_map_.insert(std::make_pair(request_id, job)); | |
| 154 } | |
| 59 BrowserThread::PostTask( | 155 BrowserThread::PostTask( |
| 60 BrowserThread::IO, FROM_HERE, | 156 BrowserThread::IO, FROM_HERE, |
| 61 base::Bind( | 157 base::Bind( |
| 62 &ImageDecoder::DecodeImageInSandbox, | 158 &ImageDecoder::DecodeImageInSandbox, this, request_id, |
| 63 g_decoder.Pointer(), image_request, | |
| 64 std::vector<unsigned char>(image_data.begin(), image_data.end()), | 159 std::vector<unsigned char>(image_data.begin(), image_data.end()), |
| 65 image_codec, shrink_to_fit)); | 160 image_codec, shrink_to_fit)); |
| 66 } | 161 } |
| 67 | 162 |
| 68 // static | 163 // static |
| 69 void ImageDecoder::Cancel(ImageRequest* image_request) { | 164 void ImageDecoder::Cancel(ImageRequest* image_request) { |
| 70 DCHECK(image_request); | 165 DCHECK(image_request); |
| 71 g_decoder.Pointer()->CancelImpl(image_request); | 166 g_decoder.Pointer()->CancelImpl(image_request); |
| 72 } | 167 } |
| 73 | 168 |
| 74 void ImageDecoder::DecodeImageInSandbox( | 169 void ImageDecoder::DecodeImageInSandbox( |
| 75 ImageRequest* image_request, | 170 int request_id, |
| 76 const std::vector<unsigned char>& image_data, | 171 const std::vector<unsigned char>& image_data, |
| 77 ImageCodec image_codec, | 172 ImageCodec image_codec, |
| 78 bool shrink_to_fit) { | 173 bool shrink_to_fit) { |
| 79 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 174 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 80 if (!utility_process_host_) { | 175 if (!utility_process_host_) { |
| 81 StartBatchMode(); | 176 StartBatchMode(); |
| 82 } | 177 } |
| 83 if (!utility_process_host_) { | 178 if (!utility_process_host_) { |
| 84 // Utility process failed to start; notify delegate and return. | 179 // Utility process failed to start; notify delegate and return. |
| 85 // Without this check, we were seeing crashes on startup. Further | 180 // Without this check, we were seeing crashes on startup. Further |
| 86 // investigation is needed to determine why the utility process | 181 // investigation is needed to determine why the utility process |
| 87 // is failing to start. See crbug.com/472272 | 182 // is failing to start. See crbug.com/472272 |
| 88 image_request->task_runner()->PostTask( | 183 OnDecodeImageFailed(request_id); |
| 89 FROM_HERE, base::Bind(&ImageRequest::OnDecodeImageFailed, | |
| 90 base::Unretained(image_request))); | |
| 91 return; | 184 return; |
| 92 } | 185 } |
| 93 | 186 |
| 94 last_request_ = base::TimeTicks::Now(); | 187 last_request_ = base::TimeTicks::Now(); |
| 95 base::AutoLock lock(map_lock_); | |
| 96 image_request_id_map_.insert( | |
| 97 std::make_pair(image_request_id_counter_, image_request)); | |
| 98 | 188 |
| 99 switch (image_codec) { | 189 switch (image_codec) { |
| 100 case ROBUST_JPEG_CODEC: | 190 case ROBUST_JPEG_CODEC: |
| 101 utility_process_host_->Send(new ChromeUtilityMsg_RobustJPEGDecodeImage( | 191 utility_process_host_->Send( |
| 102 image_data, image_request_id_counter_)); | 192 new ChromeUtilityMsg_RobustJPEGDecodeImage(image_data, request_id)); |
| 103 break; | 193 break; |
| 104 case DEFAULT_CODEC: | 194 case DEFAULT_CODEC: |
| 105 utility_process_host_->Send(new ChromeUtilityMsg_DecodeImage( | 195 utility_process_host_->Send(new ChromeUtilityMsg_DecodeImage( |
| 106 image_data, shrink_to_fit, image_request_id_counter_)); | 196 image_data, shrink_to_fit, request_id)); |
| 107 break; | 197 break; |
| 108 } | 198 } |
| 109 | |
| 110 ++image_request_id_counter_; | |
| 111 } | 199 } |
| 112 | 200 |
| 113 void ImageDecoder::CancelImpl(ImageRequest* image_request) { | 201 void ImageDecoder::CancelImpl(ImageRequest* image_request) { |
| 114 base::AutoLock lock(map_lock_); | 202 std::set<scoped_refptr<Job>> jobs; |
| 115 for (auto it = image_request_id_map_.begin(); | 203 |
| 116 it != image_request_id_map_.end();) { | 204 { |
| 117 if (it->second == image_request) { | 205 base::AutoLock lock(map_lock_); |
| 118 image_request_id_map_.erase(it++); | 206 for (const auto& request : image_request_id_map_) { |
| 119 } else { | 207 if (request.second->image_request() == image_request) { |
| 120 ++it; | 208 jobs.insert(request.second); |
| 209 // Don't erase the job from the map here, but let Job::Cancel do it | |
| 210 // instead. This is mainly to maintain consistency with how decode | |
| 211 // success/fail are handled. | |
| 212 } | |
| 121 } | 213 } |
| 122 } | 214 } |
| 215 | |
| 216 // Will block if |OnImageDecoded| or |OnDecodeImageFailed| is running. | |
| 217 for (auto& job : jobs) | |
| 218 job->Cancel(); | |
| 123 } | 219 } |
| 124 | 220 |
| 125 void ImageDecoder::StartBatchMode() { | 221 void ImageDecoder::StartBatchMode() { |
| 126 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 222 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 127 utility_process_host_ = | 223 utility_process_host_ = |
| 128 UtilityProcessHost::Create(this, base::MessageLoopProxy::current().get()) | 224 UtilityProcessHost::Create(this, base::MessageLoopProxy::current().get()) |
| 129 ->AsWeakPtr(); | 225 ->AsWeakPtr(); |
| 130 if (!utility_process_host_->StartBatchMode()) { | 226 if (!utility_process_host_->StartBatchMode()) { |
| 131 utility_process_host_.reset(); | 227 utility_process_host_.reset(); |
| 132 return; | 228 return; |
| (...skipping 27 matching lines...) Expand all Loading... | |
| 160 OnDecodeImageFailed) | 256 OnDecodeImageFailed) |
| 161 IPC_MESSAGE_UNHANDLED(handled = false) | 257 IPC_MESSAGE_UNHANDLED(handled = false) |
| 162 IPC_END_MESSAGE_MAP() | 258 IPC_END_MESSAGE_MAP() |
| 163 return handled; | 259 return handled; |
| 164 } | 260 } |
| 165 | 261 |
| 166 void ImageDecoder::OnDecodeImageSucceeded( | 262 void ImageDecoder::OnDecodeImageSucceeded( |
| 167 const SkBitmap& decoded_image, | 263 const SkBitmap& decoded_image, |
| 168 int request_id) { | 264 int request_id) { |
| 169 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 265 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 170 base::AutoLock lock(map_lock_); | |
| 171 auto it = image_request_id_map_.find(request_id); | |
| 172 if (it != image_request_id_map_.end()) { | |
| 173 ImageRequest* image_request = it->second; | |
| 174 image_request->task_runner()->PostTask( | |
| 175 FROM_HERE, base::Bind(&ImageRequest::OnImageDecoded, | |
| 176 base::Unretained(image_request), decoded_image)); | |
| 177 | 266 |
| 178 image_request_id_map_.erase(it); | 267 scoped_refptr<Job> job; |
| 268 { | |
| 269 base::AutoLock lock(map_lock_); | |
| 270 auto it = image_request_id_map_.find(request_id); | |
| 271 if (it != image_request_id_map_.end()) { | |
| 272 job = it->second; | |
| 273 // NOTE: The job isn't removed from the map because it can still be | |
| 274 // cancelled. | |
| 275 } | |
| 179 } | 276 } |
| 277 // Call Job's functions outside |map_lock_| to avoid a potential deadlock with | |
| 278 // |Job.lock_|. | |
| 279 if (job) | |
| 280 job->NotifyDecodeSucceeded(decoded_image); | |
| 180 } | 281 } |
| 181 | 282 |
| 182 void ImageDecoder::OnDecodeImageFailed(int request_id) { | 283 void ImageDecoder::OnDecodeImageFailed(int request_id) { |
| 183 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 284 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 285 | |
| 286 scoped_refptr<Job> job; | |
| 287 { | |
| 288 base::AutoLock lock(map_lock_); | |
| 289 auto it = image_request_id_map_.find(request_id); | |
| 290 if (it != image_request_id_map_.end()) { | |
| 291 job = it->second; | |
| 292 } | |
| 293 } | |
| 294 if (job) | |
| 295 job->NotifyDecodeFailed(); | |
| 296 } | |
| 297 | |
| 298 void ImageDecoder::RemoveJob(const scoped_refptr<Job>& job) { | |
| 184 base::AutoLock lock(map_lock_); | 299 base::AutoLock lock(map_lock_); |
| 185 auto it = image_request_id_map_.find(request_id); | 300 for (auto it = image_request_id_map_.begin(); |
| 186 if (it != image_request_id_map_.end()) { | 301 it != image_request_id_map_.end();) { |
| 187 ImageRequest* image_request = it->second; | 302 if (it->second == job) { |
| 188 image_request->task_runner()->PostTask( | 303 image_request_id_map_.erase(it++); |
|
Theresa
2015/04/13 18:19:30
nit: does it++ need to be incremented here since t
Anand Mistry (off Chromium)
2015/04/14 00:52:13
Done.
| |
| 189 FROM_HERE, base::Bind(&ImageRequest::OnDecodeImageFailed, | 304 break; |
| 190 base::Unretained(image_request))); | 305 } else { |
| 191 | 306 ++it; |
| 192 image_request_id_map_.erase(it); | 307 } |
| 193 } | 308 } |
| 194 } | 309 } |
| OLD | NEW |
