Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
171943002:
Don't terminate SharedWorker while loading the script. (Closed)
DescriptionDon't terminate SharedWorker while loading the script.
This path will fix the heap-use-after-free bug.
BUG=343661, 344750
Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=252010
Patch Set 1 #
Total comments: 2
Patch Set 2 : move the position of "impl_->terminateWorkerContext();". #Messages
Total messages: 16 (0 generated)
kinuko@ Please review this CL
lgtm
The CQ bit was checked by horo@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/horo@chromium.org/171943002/1
https://codereview.chromium.org/171943002/diff/1/content/worker/websharedwork... File content/worker/websharedworker_stub.cc (right): https://codereview.chromium.org/171943002/diff/1/content/worker/websharedwork... content/worker/websharedworker_stub.cc:107: impl_->terminateWorkerContext(); It feels like we should always nullify the impl_ after calling this? Do we want to call this only when running_ is true? If we call this before WorkerScriptLoaded is called WorkerScriptLoadFailed will be called because m_askedToTerminate is set to true in WebSharedWorkerImpl... was that not the case?
The CQ bit was unchecked by horo@chromium.org
https://codereview.chromium.org/171943002/diff/1/content/worker/websharedwork... File content/worker/websharedworker_stub.cc (right): https://codereview.chromium.org/171943002/diff/1/content/worker/websharedwork... content/worker/websharedworker_stub.cc:107: impl_->terminateWorkerContext(); On 2014/02/19 04:24:08, kinuko wrote: > It feels like we should always nullify the impl_ after calling this? > > Do we want to call this only when running_ is true? > > If we call this before WorkerScriptLoaded is called WorkerScriptLoadFailed will > be called because m_askedToTerminate is set to true in WebSharedWorkerImpl... > was that not the case? The bug is caused by "delete this" in Shutdown() which may be called via WorkerScriptLoaded() in the current stack. I changed this cl to just move the position of "impl_->terminateWorkerContext();".
On 2014/02/19 05:29:09, horo wrote: > https://codereview.chromium.org/171943002/diff/1/content/worker/websharedwork... > File content/worker/websharedworker_stub.cc (right): > > https://codereview.chromium.org/171943002/diff/1/content/worker/websharedwork... > content/worker/websharedworker_stub.cc:107: impl_->terminateWorkerContext(); > On 2014/02/19 04:24:08, kinuko wrote: > > It feels like we should always nullify the impl_ after calling this? > > > > Do we want to call this only when running_ is true? > > > > If we call this before WorkerScriptLoaded is called WorkerScriptLoadFailed > will > > be called because m_askedToTerminate is set to true in WebSharedWorkerImpl... > > was that not the case? > > The bug is caused by "delete this" in Shutdown() which may be called via > WorkerScriptLoaded() in the current stack. > > I changed this cl to just move the position of > "impl_->terminateWorkerContext();". Cool, thanks for further investigation. LGTM if this passes the ASAN repro test
The CQ bit was checked by horo@chromium.org
The CQ bit was unchecked by horo@chromium.org
The CQ bit was checked by horo@chromium.org
The CQ bit was unchecked by horo@chromium.org
The CQ bit was checked by horo@chromium.org
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/horo@chromium.org/171943002/150002
Message was sent while issue was closed.
Change committed as 252010
Message was sent while issue was closed.
I forgot to change the title. This patch only changes the order of calling terminateWorkerContext() to avoid use-after-free crash. |
