|
|
Chromium Code Reviews|
Created:
4 years, 5 months ago by tzik Modified:
4 years, 5 months ago CC:
chromium-reviews, sof, eae+blinkwatch, blink-reviews-dom_chromium.org, dglazkov+blink, blink-reviews, rwlbuis Base URL:
https://chromium.googlesource.com/chromium/src.git@master Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionDelay client registration of MessagePort to MessagePortChannel
MessagePort used to be registered to MessagePortChannel on entangle(),
and be unregisted when the ExecutionContext is stopped or MessagePort
is swept by GC. Once its start() is called, its hasPendingActivity()
will be true and that extends the MessagePort lifetime to stop() or close() call.
However, there's a time gap between the MessagePort instance is marked
as unreachable, and swept by GC system. If MessagePortChannel accesses
the MessagePort in this period, that causes use-after-poison crash.
I.e. there are two pattern of the life of MessagePort.
1. entangle() + register -> gets unreachable -(poisoned period)-> swept + unregister
2. entangle() + register -> start() -> stop() + unregister
3. entangle() + register -> start() -> close() + unregister
(2) and (3) cases are OK, while (1) has a dangerous period.
This CL delays the registration from entangle() to start(), so that
the case (1) doesn't register the MessagePort to MessagePortChannel at all.
BUG=627457
Committed: https://crrev.com/f7dbf39be31d8aa9214d5d84da613508d4e06491
Cr-Commit-Position: refs/heads/master@{#405450}
Patch Set 1 #
Total comments: 2
Patch Set 2 : s/close()/DCHECK/ #Messages
Total messages: 18 (10 generated)
tzik@chromium.org changed reviewers: + haraken@chromium.org, yhirano@chromium.org
PTAL
LGTM
lgtm description: there is one another path to close the message port: close function exposed to MessagePort.idl. https://codereview.chromium.org/2143003003/diff/1/third_party/WebKit/Source/c... File third_party/WebKit/Source/core/dom/MessagePort.cpp (right): https://codereview.chromium.org/2143003003/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/dom/MessagePort.cpp:65: close(); DCHECK(!started() || !isEntangled()) is better than calling close, I think.
Description was changed from ========== Delay client registration of MessagePort to MessagePortChannel MessagePort used to be registered to MessagePortChannel on entangle(), and be unregisted when the ExecutionContext is stopped or MessagePort is swept by GC. Once its start() is called, its hasPendingActivity() will be true and that extends the MessagePort lifetime to stop() call. However, there's a time gap between the MessagePort instance is marked as unreachable, and swept by GC system. If MessagePortChannel accesses the MessagePort in this period, that causes use-after-poison crash. I.e. there are two pattern of the life of MessagePort. 1. entangle() + register -> gets unreachable -(poisoned period)-> swept + unregister 2. entangle() + register -> start() -> stop() + unregister (2) case is OK, while (1) has a dangerous period. This CL delays the registration from entangle() to start(), so that the case (1) doesn't register the MessagePort to MessagePortChannel at all. BUG=627457 ========== to ========== Delay client registration of MessagePort to MessagePortChannel MessagePort used to be registered to MessagePortChannel on entangle(), and be unregisted when the ExecutionContext is stopped or MessagePort is swept by GC. Once its start() is called, its hasPendingActivity() will be true and that extends the MessagePort lifetime to stop() or close() call. However, there's a time gap between the MessagePort instance is marked as unreachable, and swept by GC system. If MessagePortChannel accesses the MessagePort in this period, that causes use-after-poison crash. I.e. there are two pattern of the life of MessagePort. 1. entangle() + register -> gets unreachable -(poisoned period)-> swept + unregister 2. entangle() + register -> start() -> stop() + unregister 3. entangle() + register -> start() -> close() + unregister (2) and (3) cases are OK, while (1) has a dangerous period. This CL delays the registration from entangle() to start(), so that the case (1) doesn't register the MessagePort to MessagePortChannel at all. BUG=627457 ==========
The CQ bit was checked by tzik@chromium.org to run a CQ dry run
https://codereview.chromium.org/2143003003/diff/1/third_party/WebKit/Source/c... File third_party/WebKit/Source/core/dom/MessagePort.cpp (right): https://codereview.chromium.org/2143003003/diff/1/third_party/WebKit/Source/c... third_party/WebKit/Source/core/dom/MessagePort.cpp:65: close(); On 2016/07/14 04:30:22, yhirano wrote: > DCHECK(!started() || !isEntangled()) is better than calling close, I think. Done.
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: win_chromium_x64_rel_ng on master.tryserver.chromium.win (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.win/builders/win_chromium_x64_...)
The CQ bit was checked by tzik@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from haraken@chromium.org, yhirano@chromium.org Link to the patchset: https://codereview.chromium.org/2143003003/#ps20001 (title: "s/close()/DCHECK/")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Description was changed from ========== Delay client registration of MessagePort to MessagePortChannel MessagePort used to be registered to MessagePortChannel on entangle(), and be unregisted when the ExecutionContext is stopped or MessagePort is swept by GC. Once its start() is called, its hasPendingActivity() will be true and that extends the MessagePort lifetime to stop() or close() call. However, there's a time gap between the MessagePort instance is marked as unreachable, and swept by GC system. If MessagePortChannel accesses the MessagePort in this period, that causes use-after-poison crash. I.e. there are two pattern of the life of MessagePort. 1. entangle() + register -> gets unreachable -(poisoned period)-> swept + unregister 2. entangle() + register -> start() -> stop() + unregister 3. entangle() + register -> start() -> close() + unregister (2) and (3) cases are OK, while (1) has a dangerous period. This CL delays the registration from entangle() to start(), so that the case (1) doesn't register the MessagePort to MessagePortChannel at all. BUG=627457 ========== to ========== Delay client registration of MessagePort to MessagePortChannel MessagePort used to be registered to MessagePortChannel on entangle(), and be unregisted when the ExecutionContext is stopped or MessagePort is swept by GC. Once its start() is called, its hasPendingActivity() will be true and that extends the MessagePort lifetime to stop() or close() call. However, there's a time gap between the MessagePort instance is marked as unreachable, and swept by GC system. If MessagePortChannel accesses the MessagePort in this period, that causes use-after-poison crash. I.e. there are two pattern of the life of MessagePort. 1. entangle() + register -> gets unreachable -(poisoned period)-> swept + unregister 2. entangle() + register -> start() -> stop() + unregister 3. entangle() + register -> start() -> close() + unregister (2) and (3) cases are OK, while (1) has a dangerous period. This CL delays the registration from entangle() to start(), so that the case (1) doesn't register the MessagePort to MessagePortChannel at all. BUG=627457 ==========
Message was sent while issue was closed.
Committed patchset #2 (id:20001)
Message was sent while issue was closed.
CQ bit was unchecked.
Message was sent while issue was closed.
Description was changed from ========== Delay client registration of MessagePort to MessagePortChannel MessagePort used to be registered to MessagePortChannel on entangle(), and be unregisted when the ExecutionContext is stopped or MessagePort is swept by GC. Once its start() is called, its hasPendingActivity() will be true and that extends the MessagePort lifetime to stop() or close() call. However, there's a time gap between the MessagePort instance is marked as unreachable, and swept by GC system. If MessagePortChannel accesses the MessagePort in this period, that causes use-after-poison crash. I.e. there are two pattern of the life of MessagePort. 1. entangle() + register -> gets unreachable -(poisoned period)-> swept + unregister 2. entangle() + register -> start() -> stop() + unregister 3. entangle() + register -> start() -> close() + unregister (2) and (3) cases are OK, while (1) has a dangerous period. This CL delays the registration from entangle() to start(), so that the case (1) doesn't register the MessagePort to MessagePortChannel at all. BUG=627457 ========== to ========== Delay client registration of MessagePort to MessagePortChannel MessagePort used to be registered to MessagePortChannel on entangle(), and be unregisted when the ExecutionContext is stopped or MessagePort is swept by GC. Once its start() is called, its hasPendingActivity() will be true and that extends the MessagePort lifetime to stop() or close() call. However, there's a time gap between the MessagePort instance is marked as unreachable, and swept by GC system. If MessagePortChannel accesses the MessagePort in this period, that causes use-after-poison crash. I.e. there are two pattern of the life of MessagePort. 1. entangle() + register -> gets unreachable -(poisoned period)-> swept + unregister 2. entangle() + register -> start() -> stop() + unregister 3. entangle() + register -> start() -> close() + unregister (2) and (3) cases are OK, while (1) has a dangerous period. This CL delays the registration from entangle() to start(), so that the case (1) doesn't register the MessagePort to MessagePortChannel at all. BUG=627457 Committed: https://crrev.com/f7dbf39be31d8aa9214d5d84da613508d4e06491 Cr-Commit-Position: refs/heads/master@{#405450} ==========
Message was sent while issue was closed.
Patchset 2 (id:??) landed as https://crrev.com/f7dbf39be31d8aa9214d5d84da613508d4e06491 Cr-Commit-Position: refs/heads/master@{#405450} |
