|
|
DescriptionDestroy bound callback to BindToCurrentLoop on the target task runner
A callback object bound by BindToCurrentLoop runs on the target thread,
but the callback itself was not necessarily destroyed on the target
thread. That causes a data race when a non-thread-safe RefCounted objects
is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer
in content::ContentDecryptorDelegate::DeliverFrame().)
This CL refactors BindToCurrentLoop and adds a clean up task to mitigate
the racy usage.
BUG=688072
Review-Url: https://codereview.chromium.org/2712603002
Cr-Commit-Position: refs/heads/master@{#454212}
Committed: https://chromium.googlesource.com/chromium/src/+/2b817313110d51783e803320cd2d102c51166742
Patch Set 1 #Patch Set 2 : rebase on callback_holder CL #
Total comments: 2
Patch Set 3 : +test #
Total comments: 2
Patch Set 4 : const-ref -> value #
Total comments: 2
Patch Set 5 : +inline #Messages
Total messages: 42 (30 generated)
The CQ bit was checked by tzik@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: cast_shell_linux on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL) chromeos_amd64-generic_chromium_compile_only_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL) chromeos_daisy_chromium_compile_only_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL) chromium_presubmit on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL) linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL) linux_chromium_chromeos_ozone_rel_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL) linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL) linux_chromium_compile_dbg_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL) linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL) linux_chromium_tsan_rel_ng on master.tryserver.chromium.linux (JOB_TIMED_OUT, no build URL)
The CQ bit was checked by tzik@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Description was changed from ========== Overhaul BindToCurrentLoop BUG= ========== to ========== Destroy bound callback by BindToCurrentLoop on the target task runner 123456789012345678901234567890123456789012345678901234567890123456789012 A callback object bound by BindToCurrentLoop runs on the target thread, but the callback itself was not necessarily destroyed on the target thread. That causes a data race when a non-thread-safe RefCounted objects is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer in content::ContentDecryptorDelegate::DeliverFrame().) This CL refactors BindToCurrentLoop and adds a clean up task to mitigate the race. ==========
Description was changed from ========== Destroy bound callback by BindToCurrentLoop on the target task runner 123456789012345678901234567890123456789012345678901234567890123456789012 A callback object bound by BindToCurrentLoop runs on the target thread, but the callback itself was not necessarily destroyed on the target thread. That causes a data race when a non-thread-safe RefCounted objects is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer in content::ContentDecryptorDelegate::DeliverFrame().) This CL refactors BindToCurrentLoop and adds a clean up task to mitigate the race. ========== to ========== Destroy bound callback by BindToCurrentLoop on the target task runner 123456789012345678901234567890123456789012345678901234567890123456789012 A callback object bound by BindToCurrentLoop runs on the target thread, but the callback itself was not necessarily destroyed on the target thread. That causes a data race when a non-thread-safe RefCounted objects is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer in content::ContentDecryptorDelegate::DeliverFrame().) This CL refactors BindToCurrentLoop and adds a clean up task to mitigate the racy usage. ==========
Description was changed from ========== Destroy bound callback by BindToCurrentLoop on the target task runner 123456789012345678901234567890123456789012345678901234567890123456789012 A callback object bound by BindToCurrentLoop runs on the target thread, but the callback itself was not necessarily destroyed on the target thread. That causes a data race when a non-thread-safe RefCounted objects is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer in content::ContentDecryptorDelegate::DeliverFrame().) This CL refactors BindToCurrentLoop and adds a clean up task to mitigate the racy usage. ========== to ========== Destroy bound callback by BindToCurrentLoop on the target task runner A callback object bound by BindToCurrentLoop runs on the target thread, but the callback itself was not necessarily destroyed on the target thread. That causes a data race when a non-thread-safe RefCounted objects is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer in content::ContentDecryptorDelegate::DeliverFrame().) This CL refactors BindToCurrentLoop and adds a clean up task to mitigate the racy usage. BUG=688072 ==========
tzik@chromium.org changed reviewers: + xhwang@chromium.org
PTAL
Description was changed from ========== Destroy bound callback by BindToCurrentLoop on the target task runner A callback object bound by BindToCurrentLoop runs on the target thread, but the callback itself was not necessarily destroyed on the target thread. That causes a data race when a non-thread-safe RefCounted objects is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer in content::ContentDecryptorDelegate::DeliverFrame().) This CL refactors BindToCurrentLoop and adds a clean up task to mitigate the racy usage. BUG=688072 ========== to ========== Destroy bound callback to BindToCurrentLoop on the target task runner A callback object bound by BindToCurrentLoop runs on the target thread, but the callback itself was not necessarily destroyed on the target thread. That causes a data race when a non-thread-safe RefCounted objects is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer in content::ContentDecryptorDelegate::DeliverFrame().) This CL refactors BindToCurrentLoop and adds a clean up task to mitigate the racy usage. BUG=688072 ==========
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_tsan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by tzik@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
xhwang@chromium.org changed reviewers: + danakj@chromium.org, johnme@chromium.org
Add johnme and danakj, who were involved in similar discussion before. You can see the previous CL at https://chromiumcodereview.appspot.com/1082113004/ We also talked about moving BindToCurrentLoop to base/ at https://bugs.chromium.org/p/chromium/issues/detail?id=432381 I haven't take a detailed look yet, which I'll do tonight or tomorrow.
The change looks good to me. Can you add a unit test for the case where the callback never runs and is destroyed?
https://codereview.chromium.org/2712603002/diff/20001/media/base/bind_to_curr... File media/base/bind_to_current_loop.h (right): https://codereview.chromium.org/2712603002/diff/20001/media/base/bind_to_curr... media/base/bind_to_current_loop.h:55: std::move(callback_))); Isn't this thread-racey? The last reference in the return from Bind may be destroyed in ~TrampolineHelper or in ClearCallbackOnTargetTaskRunner, which are on different threads. You should used base::Passed and take the callback by value in the Clear method I think?
The CQ bit was checked by tzik@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
https://codereview.chromium.org/2712603002/diff/20001/media/base/bind_to_curr... File media/base/bind_to_current_loop.h (right): https://codereview.chromium.org/2712603002/diff/20001/media/base/bind_to_curr... media/base/bind_to_current_loop.h:55: std::move(callback_))); On 2017/02/23 21:29:06, danakj wrote: > Isn't this thread-racey? The last reference in the return from Bind may be > destroyed in ~TrampolineHelper or in ClearCallbackOnTargetTaskRunner, which are > on different threads. You should used base::Passed and take the callback by > value in the Clear method I think? Ah, good point. Right, it was still racy. Updated!
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
https://codereview.chromium.org/2712603002/diff/40001/media/base/bind_to_curr... File media/base/bind_to_current_loop.h (right): https://codereview.chromium.org/2712603002/diff/40001/media/base/bind_to_curr... media/base/bind_to_current_loop.h:59: static void ClearCallbackOnTargetTaskRunner(const CallbackType&) {} This should receive by value so the Callback can move() it here right? Else it's still left inside the callback?
The CQ bit was checked by tzik@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
https://codereview.chromium.org/2712603002/diff/40001/media/base/bind_to_curr... File media/base/bind_to_current_loop.h (right): https://codereview.chromium.org/2712603002/diff/40001/media/base/bind_to_curr... media/base/bind_to_current_loop.h:59: static void ClearCallbackOnTargetTaskRunner(const CallbackType&) {} On 2017/02/28 18:28:04, danakj_OOO wrote: > This should receive by value so the Callback can move() it here right? Else it's > still left inside the callback? Hm, yes, this should be passed by value, though base::Passed() passes it by value and destroy it anyway. Updated.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
LGTM https://codereview.chromium.org/2712603002/diff/60001/media/base/bind_to_curr... File media/base/bind_to_current_loop.h (right): https://codereview.chromium.org/2712603002/diff/60001/media/base/bind_to_curr... media/base/bind_to_current_loop.h:85: base::Callback<T> BindToCurrentLoop(base::Callback<T> cb) { should this be marked inline?
lgtm, thanks!
https://codereview.chromium.org/2712603002/diff/60001/media/base/bind_to_curr... File media/base/bind_to_current_loop.h (right): https://codereview.chromium.org/2712603002/diff/60001/media/base/bind_to_curr... media/base/bind_to_current_loop.h:85: base::Callback<T> BindToCurrentLoop(base::Callback<T> cb) { On 2017/03/01 17:10:42, danakj wrote: > should this be marked inline? Done.
The CQ bit was checked by tzik@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from danakj@chromium.org, xhwang@chromium.org Link to the patchset: https://codereview.chromium.org/2712603002/#ps80001 (title: "+inline")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch. Bot data: {"patchset_id": 80001, "attempt_start_ts": 1488437378578820, "parent_rev": "460361ba8ca8615d1794caa3e6dc517634798b4f", "commit_rev": "2b817313110d51783e803320cd2d102c51166742"}
Message was sent while issue was closed.
Description was changed from ========== Destroy bound callback to BindToCurrentLoop on the target task runner A callback object bound by BindToCurrentLoop runs on the target thread, but the callback itself was not necessarily destroyed on the target thread. That causes a data race when a non-thread-safe RefCounted objects is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer in content::ContentDecryptorDelegate::DeliverFrame().) This CL refactors BindToCurrentLoop and adds a clean up task to mitigate the racy usage. BUG=688072 ========== to ========== Destroy bound callback to BindToCurrentLoop on the target task runner A callback object bound by BindToCurrentLoop runs on the target thread, but the callback itself was not necessarily destroyed on the target thread. That causes a data race when a non-thread-safe RefCounted objects is bound to the callback. (E.g. a BindToCurrentLoop call for PPB_Buffer in content::ContentDecryptorDelegate::DeliverFrame().) This CL refactors BindToCurrentLoop and adds a clean up task to mitigate the racy usage. BUG=688072 Review-Url: https://codereview.chromium.org/2712603002 Cr-Commit-Position: refs/heads/master@{#454212} Committed: https://chromium.googlesource.com/chromium/src/+/2b817313110d51783e803320cd2d... ==========
Message was sent while issue was closed.
Committed patchset #5 (id:80001) as https://chromium.googlesource.com/chromium/src/+/2b817313110d51783e803320cd2d... |