| Index: Source/core/workers/WorkerThread.cpp
|
| diff --git a/Source/core/workers/WorkerThread.cpp b/Source/core/workers/WorkerThread.cpp
|
| index c60511544ab3c579e55ce404dcde5ef77705a1b8..1980c686fa3a7492b3ba5e0cac186b953c1fb733 100644
|
| --- a/Source/core/workers/WorkerThread.cpp
|
| +++ b/Source/core/workers/WorkerThread.cpp
|
| @@ -139,11 +139,18 @@ void WorkerThread::workerThread()
|
| // We cannot let any objects survive past thread exit, because no other thread will run GC or otherwise destroy them.
|
| // If Oilpan is enabled, we detach of the context/global scope, with the final heap cleanup below sweeping it out.
|
| #if ENABLE(OILPAN)
|
| - m_workerGlobalScope->dispose();
|
| + // The thread object is owned by the main thread. After the call
|
| + // to dispose, the thread object can therefore be dead and the
|
| + // Persistent handle for m_workerGlobalScope has been deleted.
|
| + // Therefore, we clear the m_workerGlobalScope persistent handle
|
| + // before the call to dispose.
|
| + WorkerGlobalScope* scope = m_workerGlobalScope;
|
| + m_workerGlobalScope = nullptr;
|
| + scope->dispose();
|
| #else
|
| ASSERT(m_workerGlobalScope->hasOneRef());
|
| -#endif
|
| m_workerGlobalScope = nullptr;
|
| +#endif
|
|
|
| ThreadState::detach();
|
|
|
|
|
Chromium Code Reviews
Issue 196033004:
Oilpan: Fix worker thread termination use-after-free found by the asan build. (Closed)
Base URL: svn://svn.chromium.org/blink/trunk