Chromium Code Reviews Chromium Code Reviews
Issue 2051053002:
Fix data race in blink::ThreadHeap::detach (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: third_party/WebKit/Source/platform/heap/Heap.cpp |
| diff --git a/third_party/WebKit/Source/platform/heap/Heap.cpp b/third_party/WebKit/Source/platform/heap/Heap.cpp |
| index c2b0bb3e801c559c2a502c06c84bede3e602c5ac..6c8e4d4d678ff5611d48092ff7636bb98f314f9c 100644 |
| --- a/third_party/WebKit/Source/platform/heap/Heap.cpp |
| +++ b/third_party/WebKit/Source/platform/heap/Heap.cpp |
| @@ -272,13 +272,14 @@ void ThreadHeap::detach(ThreadState* thread) |
| thread->runTerminationGC(); |
| ASSERT(m_threads.contains(thread)); |
| m_threads.remove(thread); |
| + |
| + // The main thread must be the last thread that gets detached. |
| + DCHECK(!thread->isMainThread() || m_threads.isEmpty()); |
|
sof
2016/06/09 09:55:09
This assert isn't accurate,
DCHECK(thread->isMai
keishi
2016/06/09 10:37:25
The main thread must be the last thread that gets
sof
2016/06/09 10:44:57
Yes, the assert as-is doesn't verify that last con
keishi
2016/06/09 11:47:34
For a per-thread-heap enabled thread:
thread->isMa
sof
2016/06/09 12:00:25
Yes, that condition captures the "owner" of the Th
|
| + if (thread->isMainThread()) |
| + DCHECK_EQ(heapStats().allocatedSpace(), 0u); |
| + if (m_threads.isEmpty()) |
| + delete this; |
|
sof
2016/06/09 10:00:46
Won't this UAF when the mutex locker stack object
keishi
2016/06/09 10:37:25
I guess you're right. Changed to destruct out of
|
| } |
| - // The main thread must be the last thread that gets detached. |
| - ASSERT(!thread->isMainThread() || m_threads.isEmpty()); |
| - if (thread->isMainThread()) |
| - DCHECK_EQ(heapStats().allocatedSpace(), 0u); |
| - if (m_threads.isEmpty()) |
| - delete this; |
| } |
| bool ThreadHeap::park() |
