Shutdown renderer main message loop before blink::shutdown()

Shutdown renderer main message loop before blink::shutdown()

blink::Persistent requires all instances to be destroyed before ThreadState
shutdown, which happens in blink::shutdown(). However, some blink::Persistent
are held by MessageLoop as bound arguments. That causes renderer crash on the
destructor of blink::Persistent.

This CL moves MessageLoop shutdown before blink::Platform::shutdown, so that
message loop doesn't hold any task on ThreadState shutdown.

BUG=627004

[tzik, 2016-07-19 08:35:23]

The CQ bit was checked by tzik@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-19 08:35:45]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-19 11:51:11]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-19 11:51:12]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[tzik, 2016-07-19 11:59:14]

Description was changed from

==========
Shutdown renderer main message loop before blink::shutdown()

BUG=
==========

to

==========
Shutdown renderer main message loop before blink::shutdown()

blink::Persistent requires all instances to be destroyed before ThreadState
shutdown, which happens in blink::shutdown(). However, some blink::Persistent
are held by MessageLoop as bound arguments. That causes renderer crash on the
destructor of blink::Persistent.

This CL moves MessageLoop shutdown before blink::shutdown, so that message
loop doesn't hold any task on ThreadState shutdown.

BUG=
==========

[tzik, 2016-07-19 12:31:12]

Description was changed from

==========
Shutdown renderer main message loop before blink::shutdown()

blink::Persistent requires all instances to be destroyed before ThreadState
shutdown, which happens in blink::shutdown(). However, some blink::Persistent
are held by MessageLoop as bound arguments. That causes renderer crash on the
destructor of blink::Persistent.

This CL moves MessageLoop shutdown before blink::shutdown, so that message
loop doesn't hold any task on ThreadState shutdown.

BUG=
==========

to

==========
Shutdown renderer main message loop before blink::shutdown()

blink::Persistent requires all instances to be destroyed before ThreadState
shutdown, which happens in blink::shutdown(). However, some blink::Persistent
are held by MessageLoop as bound arguments. That causes renderer crash on the
destructor of blink::Persistent.

This CL moves MessageLoop shutdown before blink::shutdown, so that message
loop doesn't hold any task on ThreadState shutdown.

BUG=627004
==========

[tzik, 2016-07-19 12:32:21]

tzik@chromium.org changed reviewers:
+ esprehn@chromium.org, haraken@chromium.org

[tzik, 2016-07-19 12:32:22]

PTAL

[esprehn, 2016-07-19 16:42:54]

https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
File content/renderer/render_thread_impl.cc (left):

https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
content/renderer/render_thread_impl.cc:996: // to the browser process.
You're doing the opposite of what the comment says we have to do now, why is
that correct? You now destroy the message loop before the discardable memory
manager shuts down which means the IPCs won't make it out.

[tzik, 2016-07-19 17:26:32]

The CQ bit was checked by tzik@chromium.org to run a CQ dry run

[tzik, 2016-07-19 17:26:52]

https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
File content/renderer/render_thread_impl.cc (left):

https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
content/renderer/render_thread_impl.cc:996: // to the browser process.
On 2016/07/19 16:42:54, esprehn wrote:
> You're doing the opposite of what the comment says we have to do now, why is
> that correct? You now destroy the message loop before the discardable memory
> manager shuts down which means the IPCs won't make it out.

The comment looks inaccurate to me.
ChildDiscardableSharedMemoryManager spins the message loop only for a sync IPC
for allocation, and doesn't use it for shutdown.
Though it uses the main thread task runner to check if the current thread is the
main thread, the message loop itself is not needed for it.

[commit-bot: I haz the power, 2016-07-19 17:27:24]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-07-19 18:15:07]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-19 18:15:08]

Dry run: This issue passed the CQ dry run.

[haraken, 2016-07-20 08:34:34]

On 2016/07/19 17:26:52, tzik wrote:
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> File content/renderer/render_thread_impl.cc (left):
> 
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> content/renderer/render_thread_impl.cc:996: // to the browser process.
> On 2016/07/19 16:42:54, esprehn wrote:
> > You're doing the opposite of what the comment says we have to do now, why is
> > that correct? You now destroy the message loop before the discardable memory
> > manager shuts down which means the IPCs won't make it out.
> 
> The comment looks inaccurate to me.
> ChildDiscardableSharedMemoryManager spins the message loop only for a sync IPC
> for allocation, and doesn't use it for shutdown.
> Though it uses the main thread task runner to check if the current thread is
the
> main thread, the message loop itself is not needed for it.

I think the comment is still valid. The following scenario can happen:

1) blink::shutdown
2) Resource's destructor gets called
3) It unlocks itself from DiscardableMemory. This can issue IPC. The message
loop is needed.

[haraken, 2016-07-20 08:35:36]

On 2016/07/20 08:34:34, haraken wrote:
> On 2016/07/19 17:26:52, tzik wrote:
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > File content/renderer/render_thread_impl.cc (left):
> > 
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > content/renderer/render_thread_impl.cc:996: // to the browser process.
> > On 2016/07/19 16:42:54, esprehn wrote:
> > > You're doing the opposite of what the comment says we have to do now, why
is
> > > that correct? You now destroy the message loop before the discardable
memory
> > > manager shuts down which means the IPCs won't make it out.
> > 
> > The comment looks inaccurate to me.
> > ChildDiscardableSharedMemoryManager spins the message loop only for a sync
IPC
> > for allocation, and doesn't use it for shutdown.
> > Though it uses the main thread task runner to check if the current thread is
> the
> > main thread, the message loop itself is not needed for it.
> 
> I think the comment is still valid. The following scenario can happen:
> 
> 1) blink::shutdown
> 2) Resource's destructor gets called
> 3) It unlocks itself from DiscardableMemory. This can issue IPC. The message
> loop is needed.

Can you try to process all the remaining contents in the message loop before
calling blink::shutdown, instead of shutting down the message loop?

[tzik, 2016-07-20 09:25:24]

The CQ bit was checked by tzik@chromium.org to run a CQ dry run

[tzik, 2016-07-20 09:25:25]

On 2016/07/20 08:34:34, haraken wrote:
> On 2016/07/19 17:26:52, tzik wrote:
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > File content/renderer/render_thread_impl.cc (left):
> > 
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > content/renderer/render_thread_impl.cc:996: // to the browser process.
> > On 2016/07/19 16:42:54, esprehn wrote:
> > > You're doing the opposite of what the comment says we have to do now, why
is
> > > that correct? You now destroy the message loop before the discardable
memory
> > > manager shuts down which means the IPCs won't make it out.
> > 
> > The comment looks inaccurate to me.
> > ChildDiscardableSharedMemoryManager spins the message loop only for a sync
IPC
> > for allocation, and doesn't use it for shutdown.
> > Though it uses the main thread task runner to check if the current thread is
> the
> > main thread, the message loop itself is not needed for it.
> 
> I think the comment is still valid. The following scenario can happen:
> 
> 1) blink::shutdown
> 2) Resource's destructor gets called
> 3) It unlocks itself from DiscardableMemory. This can issue IPC. The message
> loop is needed.

Ah, that's true though it sounds weird to me.
ShutdownDiscardableSharedMemoryManager probably doesn't need the message loop,
but other part of Blink does.
So, can we split Platform::shutdown() from blink::shutdown(), and move the
message loop shutdown between them?

[commit-bot: I haz the power, 2016-07-20 09:25:44]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[tzik, 2016-07-20 09:26:37]

On 2016/07/20 08:35:36, haraken wrote:
> On 2016/07/20 08:34:34, haraken wrote:
> > On 2016/07/19 17:26:52, tzik wrote:
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > File content/renderer/render_thread_impl.cc (left):
> > > 
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > content/renderer/render_thread_impl.cc:996: // to the browser process.
> > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > You're doing the opposite of what the comment says we have to do now,
why
> is
> > > > that correct? You now destroy the message loop before the discardable
> memory
> > > > manager shuts down which means the IPCs won't make it out.
> > > 
> > > The comment looks inaccurate to me.
> > > ChildDiscardableSharedMemoryManager spins the message loop only for a sync
> IPC
> > > for allocation, and doesn't use it for shutdown.
> > > Though it uses the main thread task runner to check if the current thread
is
> > the
> > > main thread, the message loop itself is not needed for it.
> > 
> > I think the comment is still valid. The following scenario can happen:
> > 
> > 1) blink::shutdown
> > 2) Resource's destructor gets called
> > 3) It unlocks itself from DiscardableMemory. This can issue IPC. The message
> > loop is needed.
> 
> Can you try to process all the remaining contents in the message loop before
> calling blink::shutdown, instead of shutting down the message loop?

It's already done as base::RunLoop().RunUntilIdle();.

[commit-bot: I haz the power, 2016-07-20 09:52:28]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-20 09:52:29]

Dry run: Try jobs failed on following builders:
  cast_shell_linux on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/cast_shell_linu...)

[tzik, 2016-07-20 10:08:46]

The CQ bit was checked by tzik@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-07-20 10:09:10]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[haraken, 2016-07-20 10:19:23]

On 2016/07/20 09:25:25, tzik wrote:
> On 2016/07/20 08:34:34, haraken wrote:
> > On 2016/07/19 17:26:52, tzik wrote:
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > File content/renderer/render_thread_impl.cc (left):
> > > 
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > content/renderer/render_thread_impl.cc:996: // to the browser process.
> > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > You're doing the opposite of what the comment says we have to do now,
why
> is
> > > > that correct? You now destroy the message loop before the discardable
> memory
> > > > manager shuts down which means the IPCs won't make it out.
> > > 
> > > The comment looks inaccurate to me.
> > > ChildDiscardableSharedMemoryManager spins the message loop only for a sync
> IPC
> > > for allocation, and doesn't use it for shutdown.
> > > Though it uses the main thread task runner to check if the current thread
is
> > the
> > > main thread, the message loop itself is not needed for it.
> > 
> > I think the comment is still valid. The following scenario can happen:
> > 
> > 1) blink::shutdown
> > 2) Resource's destructor gets called
> > 3) It unlocks itself from DiscardableMemory. This can issue IPC. The message
> > loop is needed.
> 
> Ah, that's true though it sounds weird to me.
> ShutdownDiscardableSharedMemoryManager probably doesn't need the message loop,
> but other part of Blink does.

Oh, I noticed that we already removed code that calls unlock() in Resource's
destructor. Then the issue should be gone.

See https://codereview.chromium.org/1647443002/ for more details.

> So, can we split Platform::shutdown() from blink::shutdown(), and move the
> message loop shutdown between them?

That is doable but sounds a bit nasty to me.

>> Can you try to process all the remaining contents in the message loop before
>> calling blink::shutdown, instead of shutting down the message loop?
>
> It's already done as base::RunLoop().RunUntilIdle();.

Then why do we still have the issue (i.e., how is it possible that the message
loop holds tasks that retain Persistent handles when blink::shutdown gets
called)?

[tzik, 2016-07-20 10:50:22]

On 2016/07/20 10:19:23, haraken wrote:
> On 2016/07/20 09:25:25, tzik wrote:
> > On 2016/07/20 08:34:34, haraken wrote:
> > > On 2016/07/19 17:26:52, tzik wrote:
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > File content/renderer/render_thread_impl.cc (left):
> > > > 
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > content/renderer/render_thread_impl.cc:996: // to the browser process.
> > > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > > You're doing the opposite of what the comment says we have to do now,
> why
> > is
> > > > > that correct? You now destroy the message loop before the discardable
> > memory
> > > > > manager shuts down which means the IPCs won't make it out.
> > > > 
> > > > The comment looks inaccurate to me.
> > > > ChildDiscardableSharedMemoryManager spins the message loop only for a
sync
> > IPC
> > > > for allocation, and doesn't use it for shutdown.
> > > > Though it uses the main thread task runner to check if the current
thread
> is
> > > the
> > > > main thread, the message loop itself is not needed for it.
> > > 
> > > I think the comment is still valid. The following scenario can happen:
> > > 
> > > 1) blink::shutdown
> > > 2) Resource's destructor gets called
> > > 3) It unlocks itself from DiscardableMemory. This can issue IPC. The
message
> > > loop is needed.
> > 
> > Ah, that's true though it sounds weird to me.
> > ShutdownDiscardableSharedMemoryManager probably doesn't need the message
loop,
> > but other part of Blink does.
> 
> Oh, I noticed that we already removed code that calls unlock() in Resource's
> destructor. Then the issue should be gone.
> 
> See https://codereview.chromium.org/1647443002/ for more details.

Since Resource::allClientsAndObserversRemoved() calls Resource::unlock(), a
destructor of some client class may causes Resource::unlock().

> 
> > So, can we split Platform::shutdown() from blink::shutdown(), and move the
> > message loop shutdown between them?
> 
> That is doable but sounds a bit nasty to me.
> 
> >> Can you try to process all the remaining contents in the message loop
before
> >> calling blink::shutdown, instead of shutting down the message loop?
> >
> > It's already done as base::RunLoop().RunUntilIdle();.
> 
> Then why do we still have the issue (i.e., how is it possible that the message
> loop holds tasks that retain Persistent handles when blink::shutdown gets
> called)?

It's probably in delayed queue in the message queue, posted by destructors, or
posted from other threads, e.g. IO thread.

[haraken, 2016-07-20 10:56:47]

On 2016/07/20 10:50:22, tzik wrote:
> On 2016/07/20 10:19:23, haraken wrote:
> > On 2016/07/20 09:25:25, tzik wrote:
> > > On 2016/07/20 08:34:34, haraken wrote:
> > > > On 2016/07/19 17:26:52, tzik wrote:
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > File content/renderer/render_thread_impl.cc (left):
> > > > > 
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > content/renderer/render_thread_impl.cc:996: // to the browser process.
> > > > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > > > You're doing the opposite of what the comment says we have to do
now,
> > why
> > > is
> > > > > > that correct? You now destroy the message loop before the
discardable
> > > memory
> > > > > > manager shuts down which means the IPCs won't make it out.
> > > > > 
> > > > > The comment looks inaccurate to me.
> > > > > ChildDiscardableSharedMemoryManager spins the message loop only for a
> sync
> > > IPC
> > > > > for allocation, and doesn't use it for shutdown.
> > > > > Though it uses the main thread task runner to check if the current
> thread
> > is
> > > > the
> > > > > main thread, the message loop itself is not needed for it.
> > > > 
> > > > I think the comment is still valid. The following scenario can happen:
> > > > 
> > > > 1) blink::shutdown
> > > > 2) Resource's destructor gets called
> > > > 3) It unlocks itself from DiscardableMemory. This can issue IPC. The
> message
> > > > loop is needed.
> > > 
> > > Ah, that's true though it sounds weird to me.
> > > ShutdownDiscardableSharedMemoryManager probably doesn't need the message
> loop,
> > > but other part of Blink does.
> > 
> > Oh, I noticed that we already removed code that calls unlock() in Resource's
> > destructor. Then the issue should be gone.
> > 
> > See https://codereview.chromium.org/1647443002/ for more details.
> 
> Since Resource::allClientsAndObserversRemoved() calls Resource::unlock(), a
> destructor of some client class may causes Resource::unlock().
> 
> > 
> > > So, can we split Platform::shutdown() from blink::shutdown(), and move the
> > > message loop shutdown between them?
> > 
> > That is doable but sounds a bit nasty to me.
> > 
> > >> Can you try to process all the remaining contents in the message loop
> before
> > >> calling blink::shutdown, instead of shutting down the message loop?
> > >
> > > It's already done as base::RunLoop().RunUntilIdle();.
> > 
> > Then why do we still have the issue (i.e., how is it possible that the
message
> > loop holds tasks that retain Persistent handles when blink::shutdown gets
> > called)?
> 
> It's probably in delayed queue in the message queue, posted by destructors, or
> posted from other threads, e.g. IO thread.

Would you help me understand what Persistent handles you're talking about?

Conceptually all non-main-thread Persistent handles must be explicitly cleared
before content/ calls blink::shutdown. It looks weird that some destructor
implicitly posts a task during blink::shutdown and creates new Persistent
handles.

[commit-bot: I haz the power, 2016-07-20 11:25:24]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-07-20 11:25:25]

Dry run: Try jobs failed on following builders:
  linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[tzik, 2016-07-20 12:04:33]

On 2016/07/20 10:56:47, haraken wrote:
> On 2016/07/20 10:50:22, tzik wrote:
> > On 2016/07/20 10:19:23, haraken wrote:
> > > On 2016/07/20 09:25:25, tzik wrote:
> > > > On 2016/07/20 08:34:34, haraken wrote:
> > > > > On 2016/07/19 17:26:52, tzik wrote:
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > File content/renderer/render_thread_impl.cc (left):
> > > > > > 
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > content/renderer/render_thread_impl.cc:996: // to the browser
process.
> > > > > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > > > > You're doing the opposite of what the comment says we have to do
> now,
> > > why
> > > > is
> > > > > > > that correct? You now destroy the message loop before the
> discardable
> > > > memory
> > > > > > > manager shuts down which means the IPCs won't make it out.
> > > > > > 
> > > > > > The comment looks inaccurate to me.
> > > > > > ChildDiscardableSharedMemoryManager spins the message loop only for
a
> > sync
> > > > IPC
> > > > > > for allocation, and doesn't use it for shutdown.
> > > > > > Though it uses the main thread task runner to check if the current
> > thread
> > > is
> > > > > the
> > > > > > main thread, the message loop itself is not needed for it.
> > > > > 
> > > > > I think the comment is still valid. The following scenario can happen:
> > > > > 
> > > > > 1) blink::shutdown
> > > > > 2) Resource's destructor gets called
> > > > > 3) It unlocks itself from DiscardableMemory. This can issue IPC. The
> > message
> > > > > loop is needed.
> > > > 
> > > > Ah, that's true though it sounds weird to me.
> > > > ShutdownDiscardableSharedMemoryManager probably doesn't need the message
> > loop,
> > > > but other part of Blink does.
> > > 
> > > Oh, I noticed that we already removed code that calls unlock() in
Resource's
> > > destructor. Then the issue should be gone.
> > > 
> > > See https://codereview.chromium.org/1647443002/ for more details.
> > 
> > Since Resource::allClientsAndObserversRemoved() calls Resource::unlock(), a
> > destructor of some client class may causes Resource::unlock().
> > 
> > > 
> > > > So, can we split Platform::shutdown() from blink::shutdown(), and move
the
> > > > message loop shutdown between them?
> > > 
> > > That is doable but sounds a bit nasty to me.
> > > 
> > > >> Can you try to process all the remaining contents in the message loop
> > before
> > > >> calling blink::shutdown, instead of shutting down the message loop?
> > > >
> > > > It's already done as base::RunLoop().RunUntilIdle();.
> > > 
> > > Then why do we still have the issue (i.e., how is it possible that the
> message
> > > loop holds tasks that retain Persistent handles when blink::shutdown gets
> > > called)?
> > 
> > It's probably in delayed queue in the message queue, posted by destructors,
or
> > posted from other threads, e.g. IO thread.
> 
> Would you help me understand what Persistent handles you're talking about?

I don't have the concrete case for Persistent, here is a rerated example for
WeakPersistent case:
https://cluster-fuzz.appspot.com/testcase?key=6417573642240000, a destruction
observer of the message loop touches a callback that has WeakPersistent.

> 
> Conceptually all non-main-thread Persistent handles must be explicitly cleared
> before content/ calls blink::shutdown. It looks weird that some destructor
> implicitly posts a task during blink::shutdown and creates new Persistent
> handles.

[haraken, 2016-07-20 13:44:41]

On 2016/07/20 12:04:33, tzik wrote:
> On 2016/07/20 10:56:47, haraken wrote:
> > On 2016/07/20 10:50:22, tzik wrote:
> > > On 2016/07/20 10:19:23, haraken wrote:
> > > > On 2016/07/20 09:25:25, tzik wrote:
> > > > > On 2016/07/20 08:34:34, haraken wrote:
> > > > > > On 2016/07/19 17:26:52, tzik wrote:
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > File content/renderer/render_thread_impl.cc (left):
> > > > > > > 
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > content/renderer/render_thread_impl.cc:996: // to the browser
> process.
> > > > > > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > > > > > You're doing the opposite of what the comment says we have to do
> > now,
> > > > why
> > > > > is
> > > > > > > > that correct? You now destroy the message loop before the
> > discardable
> > > > > memory
> > > > > > > > manager shuts down which means the IPCs won't make it out.
> > > > > > > 
> > > > > > > The comment looks inaccurate to me.
> > > > > > > ChildDiscardableSharedMemoryManager spins the message loop only
for
> a
> > > sync
> > > > > IPC
> > > > > > > for allocation, and doesn't use it for shutdown.
> > > > > > > Though it uses the main thread task runner to check if the current
> > > thread
> > > > is
> > > > > > the
> > > > > > > main thread, the message loop itself is not needed for it.
> > > > > > 
> > > > > > I think the comment is still valid. The following scenario can
happen:
> > > > > > 
> > > > > > 1) blink::shutdown
> > > > > > 2) Resource's destructor gets called
> > > > > > 3) It unlocks itself from DiscardableMemory. This can issue IPC. The
> > > message
> > > > > > loop is needed.
> > > > > 
> > > > > Ah, that's true though it sounds weird to me.
> > > > > ShutdownDiscardableSharedMemoryManager probably doesn't need the
message
> > > loop,
> > > > > but other part of Blink does.
> > > > 
> > > > Oh, I noticed that we already removed code that calls unlock() in
> Resource's
> > > > destructor. Then the issue should be gone.
> > > > 
> > > > See https://codereview.chromium.org/1647443002/ for more details.
> > > 
> > > Since Resource::allClientsAndObserversRemoved() calls Resource::unlock(),
a
> > > destructor of some client class may causes Resource::unlock().
> > > 
> > > > 
> > > > > So, can we split Platform::shutdown() from blink::shutdown(), and move
> the
> > > > > message loop shutdown between them?
> > > > 
> > > > That is doable but sounds a bit nasty to me.
> > > > 
> > > > >> Can you try to process all the remaining contents in the message loop
> > > before
> > > > >> calling blink::shutdown, instead of shutting down the message loop?
> > > > >
> > > > > It's already done as base::RunLoop().RunUntilIdle();.
> > > > 
> > > > Then why do we still have the issue (i.e., how is it possible that the
> > message
> > > > loop holds tasks that retain Persistent handles when blink::shutdown
gets
> > > > called)?
> > > 
> > > It's probably in delayed queue in the message queue, posted by
destructors,
> or
> > > posted from other threads, e.g. IO thread.
> > 
> > Would you help me understand what Persistent handles you're talking about?
> 
> I don't have the concrete case for Persistent, here is a rerated example for
> WeakPersistent case:
> https://cluster-fuzz.appspot.com/testcase?key=6417573642240000, a destruction
> observer of the message loop touches a callback that has WeakPersistent.

Who posts the task to the message loop? Is it posted after content/ calls
base::RunLoop().RunUntilIdle()?

[tzik, 2016-07-20 14:27:04]

On 2016/07/20 13:44:41, haraken wrote:
> On 2016/07/20 12:04:33, tzik wrote:
> > On 2016/07/20 10:56:47, haraken wrote:
> > > On 2016/07/20 10:50:22, tzik wrote:
> > > > On 2016/07/20 10:19:23, haraken wrote:
> > > > > On 2016/07/20 09:25:25, tzik wrote:
> > > > > > On 2016/07/20 08:34:34, haraken wrote:
> > > > > > > On 2016/07/19 17:26:52, tzik wrote:
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > > File content/renderer/render_thread_impl.cc (left):
> > > > > > > > 
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > > content/renderer/render_thread_impl.cc:996: // to the browser
> > process.
> > > > > > > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > > > > > > You're doing the opposite of what the comment says we have to
do
> > > now,
> > > > > why
> > > > > > is
> > > > > > > > > that correct? You now destroy the message loop before the
> > > discardable
> > > > > > memory
> > > > > > > > > manager shuts down which means the IPCs won't make it out.
> > > > > > > > 
> > > > > > > > The comment looks inaccurate to me.
> > > > > > > > ChildDiscardableSharedMemoryManager spins the message loop only
> for
> > a
> > > > sync
> > > > > > IPC
> > > > > > > > for allocation, and doesn't use it for shutdown.
> > > > > > > > Though it uses the main thread task runner to check if the
current
> > > > thread
> > > > > is
> > > > > > > the
> > > > > > > > main thread, the message loop itself is not needed for it.
> > > > > > > 
> > > > > > > I think the comment is still valid. The following scenario can
> happen:
> > > > > > > 
> > > > > > > 1) blink::shutdown
> > > > > > > 2) Resource's destructor gets called
> > > > > > > 3) It unlocks itself from DiscardableMemory. This can issue IPC.
The
> > > > message
> > > > > > > loop is needed.
> > > > > > 
> > > > > > Ah, that's true though it sounds weird to me.
> > > > > > ShutdownDiscardableSharedMemoryManager probably doesn't need the
> message
> > > > loop,
> > > > > > but other part of Blink does.
> > > > > 
> > > > > Oh, I noticed that we already removed code that calls unlock() in
> > Resource's
> > > > > destructor. Then the issue should be gone.
> > > > > 
> > > > > See https://codereview.chromium.org/1647443002/ for more details.
> > > > 
> > > > Since Resource::allClientsAndObserversRemoved() calls
Resource::unlock(),
> a
> > > > destructor of some client class may causes Resource::unlock().
> > > > 
> > > > > 
> > > > > > So, can we split Platform::shutdown() from blink::shutdown(), and
move
> > the
> > > > > > message loop shutdown between them?
> > > > > 
> > > > > That is doable but sounds a bit nasty to me.
> > > > > 
> > > > > >> Can you try to process all the remaining contents in the message
loop
> > > > before
> > > > > >> calling blink::shutdown, instead of shutting down the message loop?
> > > > > >
> > > > > > It's already done as base::RunLoop().RunUntilIdle();.
> > > > > 
> > > > > Then why do we still have the issue (i.e., how is it possible that the
> > > message
> > > > > loop holds tasks that retain Persistent handles when blink::shutdown
> gets
> > > > > called)?
> > > > 
> > > > It's probably in delayed queue in the message queue, posted by
> destructors,
> > or
> > > > posted from other threads, e.g. IO thread.
> > > 
> > > Would you help me understand what Persistent handles you're talking about?
> > 
> > I don't have the concrete case for Persistent, here is a rerated example for
> > WeakPersistent case:
> > https://cluster-fuzz.appspot.com/testcase?key=6417573642240000, a
destruction
> > observer of the message loop touches a callback that has WeakPersistent.
> 
> Who posts the task to the message loop? Is it posted after content/ calls
> base::RunLoop().RunUntilIdle()?

On that case, no one posted it. It just touches a WeakPersistent after the
MessageLoop shutdown.
Another case below is a potential failcase:
https://cluster-fuzz.appspot.com/testcase?key=4572050421448704

RTCCertificateGeneratorRequest posts a task with
blink::WebRTCCertificateCallback to a worker thread, and posts back another task
to the main thread.
This task chain passes a WebRTCCertificateObserver that contains a
Persistent<ScriptPromiseResolver>, and the final PostTask can be done after the
base::RunLoop().RunUntilIdle() call.
https://cs.chromium.org/chromium/src/content/renderer/media/rtc_certificate_g...

[haraken, 2016-07-20 16:33:36]

On 2016/07/20 14:27:04, tzik wrote:
> On 2016/07/20 13:44:41, haraken wrote:
> > On 2016/07/20 12:04:33, tzik wrote:
> > > On 2016/07/20 10:56:47, haraken wrote:
> > > > On 2016/07/20 10:50:22, tzik wrote:
> > > > > On 2016/07/20 10:19:23, haraken wrote:
> > > > > > On 2016/07/20 09:25:25, tzik wrote:
> > > > > > > On 2016/07/20 08:34:34, haraken wrote:
> > > > > > > > On 2016/07/19 17:26:52, tzik wrote:
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > > > File content/renderer/render_thread_impl.cc (left):
> > > > > > > > > 
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > > > content/renderer/render_thread_impl.cc:996: // to the browser
> > > process.
> > > > > > > > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > > > > > > > You're doing the opposite of what the comment says we have
to
> do
> > > > now,
> > > > > > why
> > > > > > > is
> > > > > > > > > > that correct? You now destroy the message loop before the
> > > > discardable
> > > > > > > memory
> > > > > > > > > > manager shuts down which means the IPCs won't make it out.
> > > > > > > > > 
> > > > > > > > > The comment looks inaccurate to me.
> > > > > > > > > ChildDiscardableSharedMemoryManager spins the message loop
only
> > for
> > > a
> > > > > sync
> > > > > > > IPC
> > > > > > > > > for allocation, and doesn't use it for shutdown.
> > > > > > > > > Though it uses the main thread task runner to check if the
> current
> > > > > thread
> > > > > > is
> > > > > > > > the
> > > > > > > > > main thread, the message loop itself is not needed for it.
> > > > > > > > 
> > > > > > > > I think the comment is still valid. The following scenario can
> > happen:
> > > > > > > > 
> > > > > > > > 1) blink::shutdown
> > > > > > > > 2) Resource's destructor gets called
> > > > > > > > 3) It unlocks itself from DiscardableMemory. This can issue IPC.
> The
> > > > > message
> > > > > > > > loop is needed.
> > > > > > > 
> > > > > > > Ah, that's true though it sounds weird to me.
> > > > > > > ShutdownDiscardableSharedMemoryManager probably doesn't need the
> > message
> > > > > loop,
> > > > > > > but other part of Blink does.
> > > > > > 
> > > > > > Oh, I noticed that we already removed code that calls unlock() in
> > > Resource's
> > > > > > destructor. Then the issue should be gone.
> > > > > > 
> > > > > > See https://codereview.chromium.org/1647443002/ for more details.
> > > > > 
> > > > > Since Resource::allClientsAndObserversRemoved() calls
> Resource::unlock(),
> > a
> > > > > destructor of some client class may causes Resource::unlock().
> > > > > 
> > > > > > 
> > > > > > > So, can we split Platform::shutdown() from blink::shutdown(), and
> move
> > > the
> > > > > > > message loop shutdown between them?
> > > > > > 
> > > > > > That is doable but sounds a bit nasty to me.
> > > > > > 
> > > > > > >> Can you try to process all the remaining contents in the message
> loop
> > > > > before
> > > > > > >> calling blink::shutdown, instead of shutting down the message
loop?
> > > > > > >
> > > > > > > It's already done as base::RunLoop().RunUntilIdle();.
> > > > > > 
> > > > > > Then why do we still have the issue (i.e., how is it possible that
the
> > > > message
> > > > > > loop holds tasks that retain Persistent handles when blink::shutdown
> > gets
> > > > > > called)?
> > > > > 
> > > > > It's probably in delayed queue in the message queue, posted by
> > destructors,
> > > or
> > > > > posted from other threads, e.g. IO thread.
> > > > 
> > > > Would you help me understand what Persistent handles you're talking
about?
> > > 
> > > I don't have the concrete case for Persistent, here is a rerated example
for
> > > WeakPersistent case:
> > > https://cluster-fuzz.appspot.com/testcase?key=6417573642240000, a
> destruction
> > > observer of the message loop touches a callback that has WeakPersistent.
> > 
> > Who posts the task to the message loop? Is it posted after content/ calls
> > base::RunLoop().RunUntilIdle()?
> 
> On that case, no one posted it. It just touches a WeakPersistent after the
> MessageLoop shutdown.
> Another case below is a potential failcase:
> https://cluster-fuzz.appspot.com/testcase?key=4572050421448704
> 
> RTCCertificateGeneratorRequest posts a task with
> blink::WebRTCCertificateCallback to a worker thread, and posts back another
task
> to the main thread.
> This task chain passes a WebRTCCertificateObserver that contains a
> Persistent<ScriptPromiseResolver>, and the final PostTask can be done after
the
> base::RunLoop().RunUntilIdle() call.
>
https://cs.chromium.org/chromium/src/content/renderer/media/rtc_certificate_g...

It looks weird that RTCCertificateGeneratorRequest is working (i.e., posting a
task) while content/ is shutting down Blink. Can we stop
RTCCertificateGeneratorRequest before content/ starts the shutdown sequence?

My point is that content/ should stop anything that may access Blink before
calling blink::shutdown. We should follow the rule here.

[tzik, 2016-07-20 18:01:55]

On 2016/07/20 16:33:36, haraken wrote:
> On 2016/07/20 14:27:04, tzik wrote:
> > On 2016/07/20 13:44:41, haraken wrote:
> > > On 2016/07/20 12:04:33, tzik wrote:
> > > > On 2016/07/20 10:56:47, haraken wrote:
> > > > > On 2016/07/20 10:50:22, tzik wrote:
> > > > > > On 2016/07/20 10:19:23, haraken wrote:
> > > > > > > On 2016/07/20 09:25:25, tzik wrote:
> > > > > > > > On 2016/07/20 08:34:34, haraken wrote:
> > > > > > > > > On 2016/07/19 17:26:52, tzik wrote:
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > > > > File content/renderer/render_thread_impl.cc (left):
> > > > > > > > > > 
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > > > > content/renderer/render_thread_impl.cc:996: // to the
browser
> > > > process.
> > > > > > > > > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > > > > > > > > You're doing the opposite of what the comment says we have
> to
> > do
> > > > > now,
> > > > > > > why
> > > > > > > > is
> > > > > > > > > > > that correct? You now destroy the message loop before the
> > > > > discardable
> > > > > > > > memory
> > > > > > > > > > > manager shuts down which means the IPCs won't make it out.
> > > > > > > > > > 
> > > > > > > > > > The comment looks inaccurate to me.
> > > > > > > > > > ChildDiscardableSharedMemoryManager spins the message loop
> only
> > > for
> > > > a
> > > > > > sync
> > > > > > > > IPC
> > > > > > > > > > for allocation, and doesn't use it for shutdown.
> > > > > > > > > > Though it uses the main thread task runner to check if the
> > current
> > > > > > thread
> > > > > > > is
> > > > > > > > > the
> > > > > > > > > > main thread, the message loop itself is not needed for it.
> > > > > > > > > 
> > > > > > > > > I think the comment is still valid. The following scenario can
> > > happen:
> > > > > > > > > 
> > > > > > > > > 1) blink::shutdown
> > > > > > > > > 2) Resource's destructor gets called
> > > > > > > > > 3) It unlocks itself from DiscardableMemory. This can issue
IPC.
> > The
> > > > > > message
> > > > > > > > > loop is needed.
> > > > > > > > 
> > > > > > > > Ah, that's true though it sounds weird to me.
> > > > > > > > ShutdownDiscardableSharedMemoryManager probably doesn't need the
> > > message
> > > > > > loop,
> > > > > > > > but other part of Blink does.
> > > > > > > 
> > > > > > > Oh, I noticed that we already removed code that calls unlock() in
> > > > Resource's
> > > > > > > destructor. Then the issue should be gone.
> > > > > > > 
> > > > > > > See https://codereview.chromium.org/1647443002/ for more details.
> > > > > > 
> > > > > > Since Resource::allClientsAndObserversRemoved() calls
> > Resource::unlock(),
> > > a
> > > > > > destructor of some client class may causes Resource::unlock().
> > > > > > 
> > > > > > > 
> > > > > > > > So, can we split Platform::shutdown() from blink::shutdown(),
and
> > move
> > > > the
> > > > > > > > message loop shutdown between them?
> > > > > > > 
> > > > > > > That is doable but sounds a bit nasty to me.
> > > > > > > 
> > > > > > > >> Can you try to process all the remaining contents in the
message
> > loop
> > > > > > before
> > > > > > > >> calling blink::shutdown, instead of shutting down the message
> loop?
> > > > > > > >
> > > > > > > > It's already done as base::RunLoop().RunUntilIdle();.
> > > > > > > 
> > > > > > > Then why do we still have the issue (i.e., how is it possible that
> the
> > > > > message
> > > > > > > loop holds tasks that retain Persistent handles when
blink::shutdown
> > > gets
> > > > > > > called)?
> > > > > > 
> > > > > > It's probably in delayed queue in the message queue, posted by
> > > destructors,
> > > > or
> > > > > > posted from other threads, e.g. IO thread.
> > > > > 
> > > > > Would you help me understand what Persistent handles you're talking
> about?
> > > > 
> > > > I don't have the concrete case for Persistent, here is a rerated example
> for
> > > > WeakPersistent case:
> > > > https://cluster-fuzz.appspot.com/testcase?key=6417573642240000, a
> > destruction
> > > > observer of the message loop touches a callback that has WeakPersistent.
> > > 
> > > Who posts the task to the message loop? Is it posted after content/ calls
> > > base::RunLoop().RunUntilIdle()?
> > 
> > On that case, no one posted it. It just touches a WeakPersistent after the
> > MessageLoop shutdown.
> > Another case below is a potential failcase:
> > https://cluster-fuzz.appspot.com/testcase?key=4572050421448704
> > 
> > RTCCertificateGeneratorRequest posts a task with
> > blink::WebRTCCertificateCallback to a worker thread, and posts back another
> task
> > to the main thread.
> > This task chain passes a WebRTCCertificateObserver that contains a
> > Persistent<ScriptPromiseResolver>, and the final PostTask can be done after
> the
> > base::RunLoop().RunUntilIdle() call.
> >
>
https://cs.chromium.org/chromium/src/content/renderer/media/rtc_certificate_g...
> 
> It looks weird that RTCCertificateGeneratorRequest is working (i.e., posting a
> task) while content/ is shutting down Blink. Can we stop
> RTCCertificateGeneratorRequest before content/ starts the shutdown sequence?
> 
> My point is that content/ should stop anything that may access Blink before
> calling blink::shutdown. We should follow the rule here.

Does that include destroying a Persistent<>? That requires major surgery, and
looks hard to enforce.
That implies we have to forbid to Bind any Persistent and any object that may
contain Persintent into a Callback, since we don't have no way to clear posted
task.

[haraken, 2016-07-20 18:17:50]

On 2016/07/20 18:01:55, tzik wrote:
> On 2016/07/20 16:33:36, haraken wrote:
> > On 2016/07/20 14:27:04, tzik wrote:
> > > On 2016/07/20 13:44:41, haraken wrote:
> > > > On 2016/07/20 12:04:33, tzik wrote:
> > > > > On 2016/07/20 10:56:47, haraken wrote:
> > > > > > On 2016/07/20 10:50:22, tzik wrote:
> > > > > > > On 2016/07/20 10:19:23, haraken wrote:
> > > > > > > > On 2016/07/20 09:25:25, tzik wrote:
> > > > > > > > > On 2016/07/20 08:34:34, haraken wrote:
> > > > > > > > > > On 2016/07/19 17:26:52, tzik wrote:
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > > > > > File content/renderer/render_thread_impl.cc (left):
> > > > > > > > > > > 
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
https://codereview.chromium.org/2159123002/diff/1/content/renderer/render_thr...
> > > > > > > > > > > content/renderer/render_thread_impl.cc:996: // to the
> browser
> > > > > process.
> > > > > > > > > > > On 2016/07/19 16:42:54, esprehn wrote:
> > > > > > > > > > > > You're doing the opposite of what the comment says we
have
> > to
> > > do
> > > > > > now,
> > > > > > > > why
> > > > > > > > > is
> > > > > > > > > > > > that correct? You now destroy the message loop before
the
> > > > > > discardable
> > > > > > > > > memory
> > > > > > > > > > > > manager shuts down which means the IPCs won't make it
out.
> > > > > > > > > > > 
> > > > > > > > > > > The comment looks inaccurate to me.
> > > > > > > > > > > ChildDiscardableSharedMemoryManager spins the message loop
> > only
> > > > for
> > > > > a
> > > > > > > sync
> > > > > > > > > IPC
> > > > > > > > > > > for allocation, and doesn't use it for shutdown.
> > > > > > > > > > > Though it uses the main thread task runner to check if the
> > > current
> > > > > > > thread
> > > > > > > > is
> > > > > > > > > > the
> > > > > > > > > > > main thread, the message loop itself is not needed for it.
> > > > > > > > > > 
> > > > > > > > > > I think the comment is still valid. The following scenario
can
> > > > happen:
> > > > > > > > > > 
> > > > > > > > > > 1) blink::shutdown
> > > > > > > > > > 2) Resource's destructor gets called
> > > > > > > > > > 3) It unlocks itself from DiscardableMemory. This can issue
> IPC.
> > > The
> > > > > > > message
> > > > > > > > > > loop is needed.
> > > > > > > > > 
> > > > > > > > > Ah, that's true though it sounds weird to me.
> > > > > > > > > ShutdownDiscardableSharedMemoryManager probably doesn't need
the
> > > > message
> > > > > > > loop,
> > > > > > > > > but other part of Blink does.
> > > > > > > > 
> > > > > > > > Oh, I noticed that we already removed code that calls unlock()
in
> > > > > Resource's
> > > > > > > > destructor. Then the issue should be gone.
> > > > > > > > 
> > > > > > > > See https://codereview.chromium.org/1647443002/ for more
details.
> > > > > > > 
> > > > > > > Since Resource::allClientsAndObserversRemoved() calls
> > > Resource::unlock(),
> > > > a
> > > > > > > destructor of some client class may causes Resource::unlock().
> > > > > > > 
> > > > > > > > 
> > > > > > > > > So, can we split Platform::shutdown() from blink::shutdown(),
> and
> > > move
> > > > > the
> > > > > > > > > message loop shutdown between them?
> > > > > > > > 
> > > > > > > > That is doable but sounds a bit nasty to me.
> > > > > > > > 
> > > > > > > > >> Can you try to process all the remaining contents in the
> message
> > > loop
> > > > > > > before
> > > > > > > > >> calling blink::shutdown, instead of shutting down the message
> > loop?
> > > > > > > > >
> > > > > > > > > It's already done as base::RunLoop().RunUntilIdle();.
> > > > > > > > 
> > > > > > > > Then why do we still have the issue (i.e., how is it possible
that
> > the
> > > > > > message
> > > > > > > > loop holds tasks that retain Persistent handles when
> blink::shutdown
> > > > gets
> > > > > > > > called)?
> > > > > > > 
> > > > > > > It's probably in delayed queue in the message queue, posted by
> > > > destructors,
> > > > > or
> > > > > > > posted from other threads, e.g. IO thread.
> > > > > > 
> > > > > > Would you help me understand what Persistent handles you're talking
> > about?
> > > > > 
> > > > > I don't have the concrete case for Persistent, here is a rerated
example
> > for
> > > > > WeakPersistent case:
> > > > > https://cluster-fuzz.appspot.com/testcase?key=6417573642240000, a
> > > destruction
> > > > > observer of the message loop touches a callback that has
WeakPersistent.
> > > > 
> > > > Who posts the task to the message loop? Is it posted after content/
calls
> > > > base::RunLoop().RunUntilIdle()?
> > > 
> > > On that case, no one posted it. It just touches a WeakPersistent after the
> > > MessageLoop shutdown.
> > > Another case below is a potential failcase:
> > > https://cluster-fuzz.appspot.com/testcase?key=4572050421448704
> > > 
> > > RTCCertificateGeneratorRequest posts a task with
> > > blink::WebRTCCertificateCallback to a worker thread, and posts back
another
> > task
> > > to the main thread.
> > > This task chain passes a WebRTCCertificateObserver that contains a
> > > Persistent<ScriptPromiseResolver>, and the final PostTask can be done
after
> > the
> > > base::RunLoop().RunUntilIdle() call.
> > >
> >
>
https://cs.chromium.org/chromium/src/content/renderer/media/rtc_certificate_g...
> > 
> > It looks weird that RTCCertificateGeneratorRequest is working (i.e., posting
a
> > task) while content/ is shutting down Blink. Can we stop
> > RTCCertificateGeneratorRequest before content/ starts the shutdown sequence?
> > 
> > My point is that content/ should stop anything that may access Blink before
> > calling blink::shutdown. We should follow the rule here.
> 
> Does that include destroying a Persistent<>? That requires major surgery, and
> looks hard to enforce.

We have enforced it so far. content/ should be responsible for clearing any
client pointers (to Blink), shut down Blink things etc before calling
blink::shutdown().

> That implies we have to forbid to Bind any Persistent and any object that may
> contain Persintent into a Callback, since we don't have no way to clear posted
> task.

So my question is why content/ cannot make sure that there is no callback
running before calling blink::shutdown().

Remember that this is not a problem limited to message loops. If you shut down
Blink without stopping RTCCertificateGeneratorRequest, it may be possible that
some destructor in Blink (called in Oilpan's shutdown GC) calls some destructor
in content/, which may touch the still-live RTCCertificateGeneratorRequest,
which touches Blink and then crashes (we've caused many crashes like this). The
only reliable way to fix these crashes is to properly stop
RTCCertificateGeneratorRequest before calling blink::shutdown.

[haraken, 2016-07-28 12:12:06]

Sorry, I forgot to review this CL...

As discussed offline, let's land PS4 as a short-term fix. In long-term, we
should remove the graceful shutdown sequence (as discussed in
platform-architecture-dev@).

Given that PS4 is splitting  Platform::shutdown from blink::shutdown, shall we
split Platform::initialize from blink::initialize for consistency?

[esprehn, 2016-08-06 01:20:00]

What's the status here? :)

[tzik, 2016-08-08 07:20:09]

The CQ bit was checked by tzik@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-08-08 07:20:24]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[tzik, 2016-08-08 09:04:52]

On 2016/08/06 01:20:00, esprehn wrote:
> What's the status here? :)

Let me resume this.


> Given that PS4 is splitting  Platform::shutdown from blink::shutdown, shall we
> split Platform::initialize from blink::initialize for consistency?

Ok, I did split out blink::Platform::initialize from blink::initialize. Could
you take another look?

[commit-bot: I haz the power, 2016-08-08 10:08:44]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-08-08 10:08:45]

Dry run: This issue passed the CQ dry run.

[haraken, 2016-08-08 10:50:19]

LGTM

https://codereview.chromium.org/2159123002/diff/80001/third_party/WebKit/Sour...
File third_party/WebKit/Source/web/WebKit.cpp (right):

https://codereview.chromium.org/2159123002/diff/80001/third_party/WebKit/Sour...
third_party/WebKit/Source/web/WebKit.cpp:85: // Platform::initialize(platform);

Remove this.

https://codereview.chromium.org/2159123002/diff/80001/third_party/WebKit/publ...
File third_party/WebKit/public/web/WebKit.h (right):

https://codereview.chromium.org/2159123002/diff/80001/third_party/WebKit/publ...
third_party/WebKit/public/web/WebKit.h:40: // Platform must be initialized
before Blink initialization.

Can we add an assert for this?

[tzik, 2016-08-09 07:24:43]

The CQ bit was checked by tzik@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-08-09 07:25:23]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[tzik, 2016-08-09 08:48:45]

Description was changed from

==========
Shutdown renderer main message loop before blink::shutdown()

blink::Persistent requires all instances to be destroyed before ThreadState
shutdown, which happens in blink::shutdown(). However, some blink::Persistent
are held by MessageLoop as bound arguments. That causes renderer crash on the
destructor of blink::Persistent.

This CL moves MessageLoop shutdown before blink::shutdown, so that message
loop doesn't hold any task on ThreadState shutdown.

BUG=627004
==========

to

==========
Shutdown renderer main message loop before blink::shutdown()

blink::Persistent requires all instances to be destroyed before ThreadState
shutdown, which happens in blink::shutdown(). However, some blink::Persistent
are held by MessageLoop as bound arguments. That causes renderer crash on the
destructor of blink::Persistent.

This CL moves MessageLoop shutdown before blink::Platform::shutdown, so that
message loop doesn't hold any task on ThreadState shutdown.

BUG=627004
==========

[tzik, 2016-08-09 08:48:45]

tzik@chromium.org changed reviewers:
+ dalecurtis@google.com

[tzik, 2016-08-09 08:49:19]

tzik@chromium.org changed reviewers:
+ dalecurtis@chromium.org
- dalecurtis@google.com

[tzik, 2016-08-09 08:53:32]

tzik@chromium.org changed reviewers:
+ kinuko@chromium.org

[tzik, 2016-08-09 08:58:02]

PTAL to:
kinuko: //content, if you have time.
dalecurtis: //media
tkent: public/web

https://codereview.chromium.org/2159123002/diff/80001/third_party/WebKit/Sour...
File third_party/WebKit/Source/web/WebKit.cpp (right):

https://codereview.chromium.org/2159123002/diff/80001/third_party/WebKit/Sour...
third_party/WebKit/Source/web/WebKit.cpp:85: // Platform::initialize(platform);
On 2016/08/08 10:50:19, haraken wrote:
> 
> Remove this.

Done.

https://codereview.chromium.org/2159123002/diff/80001/third_party/WebKit/publ...
File third_party/WebKit/public/web/WebKit.h (right):

https://codereview.chromium.org/2159123002/diff/80001/third_party/WebKit/publ...
third_party/WebKit/public/web/WebKit.h:40: // Platform must be initialized
before Blink initialization.
On 2016/08/08 10:50:19, haraken wrote:
> 
> Can we add an assert for this?

Done.

[commit-bot: I haz the power, 2016-08-09 09:30:21]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-08-09 09:30:22]

Dry run: This issue passed the CQ dry run.

[kinuko, 2016-08-09 14:12:18]

https://codereview.chromium.org/2159123002/diff/80001/content/child/child_thr...
File content/child/child_thread_impl.h (right):

https://codereview.chromium.org/2159123002/diff/80001/content/child/child_thr...
content/child/child_thread_impl.h:185: base::SingleThreadTaskRunner*
main_task_runner() const {
main_thread_->main_task_runner() looks slightly cryptic, what 'main' stands for
here?

https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
File content/renderer/render_thread_impl.cc (right):

https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
content/renderer/render_thread_impl.cc:994: base::RunLoop().RunUntilIdle();
Hmm, I feel uneasy calling this in production code. Do we really have a
guarantee that this finishes? In browser process we prefer just dropping tasks
at least after processing limited # of tasks.

How frequently does the crash happen?

[haraken, 2016-08-09 15:46:58]

https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
File content/renderer/render_thread_impl.cc (right):

https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
content/renderer/render_thread_impl.cc:994: base::RunLoop().RunUntilIdle();
On 2016/08/09 14:12:18, kinuko wrote:
> Hmm, I feel uneasy calling this in production code. Do we really have a
> guarantee that this finishes? In browser process we prefer just dropping tasks
> at least after processing limited # of tasks.
> 
> How frequently does the crash happen?

Note that we're already calling RunUntilIdle at line 982. So this RunUntileIdle
won't make things that worse.

On the other hand, I totally agree with your point and that's why I want to
entirely remove the graceful shutdown sequence.

[DaleCurtis, 2016-08-09 18:58:20]

lgtm

[kinuko, 2016-08-11 06:10:56]

https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
File content/renderer/render_thread_impl.cc (right):

https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
content/renderer/render_thread_impl.cc:994: base::RunLoop().RunUntilIdle();
On 2016/08/09 15:46:58, haraken wrote:
> On 2016/08/09 14:12:18, kinuko wrote:
> > Hmm, I feel uneasy calling this in production code. Do we really have a
> > guarantee that this finishes? In browser process we prefer just dropping
tasks
> > at least after processing limited # of tasks.
> > 
> > How frequently does the crash happen?
> 
> Note that we're already calling RunUntilIdle at line 982. So this
RunUntileIdle
> won't make things that worse.
>
> On the other hand, I totally agree with your point and that's why I want to
> entirely remove the graceful shutdown sequence.

I see that we're already calling it... thanks.  Another question is if we are
sure that running message loop until idle runs tasks that need to run (e.g. no
delayed tasks would hold persistent handles)-- if not making this change as a
stop-gap doesn't feel very convincing to me (depending on the severity of the
original crash).

[haraken, 2016-08-11 12:23:13]

On 2016/08/11 06:10:56, kinuko wrote:
>
https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
> File content/renderer/render_thread_impl.cc (right):
> 
>
https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
> content/renderer/render_thread_impl.cc:994: base::RunLoop().RunUntilIdle();
> On 2016/08/09 15:46:58, haraken wrote:
> > On 2016/08/09 14:12:18, kinuko wrote:
> > > Hmm, I feel uneasy calling this in production code. Do we really have a
> > > guarantee that this finishes? In browser process we prefer just dropping
> tasks
> > > at least after processing limited # of tasks.
> > > 
> > > How frequently does the crash happen?
> > 
> > Note that we're already calling RunUntilIdle at line 982. So this
> RunUntileIdle
> > won't make things that worse.
> >
> > On the other hand, I totally agree with your point and that's why I want to
> > entirely remove the graceful shutdown sequence.
> 
> I see that we're already calling it... thanks.  Another question is if we are
> sure that running message loop until idle runs tasks that need to run (e.g. no
> delayed tasks would hold persistent handles)-- if not making this change as a
> stop-gap doesn't feel very convincing to me (depending on the severity of the
> original crash).

Honestly speaking, I don't think it's productive to try to make this CL more
correct :) If the original crash is not that severe, maybe should we try to
invest our effort on removing blink::shutdown instead?

[kinuko, 2016-08-16 21:36:00]

On 2016/08/11 12:23:13, haraken wrote:
> On 2016/08/11 06:10:56, kinuko wrote:
> >
>
https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
> > File content/renderer/render_thread_impl.cc (right):
> > 
> >
>
https://codereview.chromium.org/2159123002/diff/80001/content/renderer/render...
> > content/renderer/render_thread_impl.cc:994: base::RunLoop().RunUntilIdle();
> > On 2016/08/09 15:46:58, haraken wrote:
> > > On 2016/08/09 14:12:18, kinuko wrote:
> > > > Hmm, I feel uneasy calling this in production code. Do we really have a
> > > > guarantee that this finishes? In browser process we prefer just dropping
> > tasks
> > > > at least after processing limited # of tasks.
> > > > 
> > > > How frequently does the crash happen?
> > > 
> > > Note that we're already calling RunUntilIdle at line 982. So this
> > RunUntileIdle
> > > won't make things that worse.
> > >
> > > On the other hand, I totally agree with your point and that's why I want
to
> > > entirely remove the graceful shutdown sequence.
> > 
> > I see that we're already calling it... thanks.  Another question is if we
are
> > sure that running message loop until idle runs tasks that need to run (e.g.
no
> > delayed tasks would hold persistent handles)-- if not making this change as
a
> > stop-gap doesn't feel very convincing to me (depending on the severity of
the
> > original crash).
> 
> Honestly speaking, I don't think it's productive to try to make this CL more
> correct :) If the original crash is not that severe, maybe should we try to
> invest our effort on removing blink::shutdown instead?

Yep, that's what I'm asking if that could be the case.

[esprehn, 2016-08-30 23:35:05]

What's the status here? Can we close this now that we're removing graceful
shutdown? :)

[haraken, 2016-08-30 23:38:02]

On 2016/08/30 23:35:05, esprehn wrote:
> What's the status here? Can we close this now that we're removing graceful
> shutdown? :)

Yes, this should no longer be needed.