Avoid unsafe heap access from audio thread.

third_party/WebKit/Source/modules/webaudio/BaseAudioContext.h

 /*
  * Copyright (C) 2010, Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1.  Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 255 matching lines @@
   // When a source node has no more processing to do (has finished playing),
   // this method tells the context to release the corresponding node.
   void NotifySourceNodeFinishedProcessing(AudioHandler*);
 
   // Called at the start of each render quantum.
   void HandlePreRenderTasks(const AudioIOPosition& output_position);
 
   // Called at the end of each render quantum.
   void HandlePostRenderTasks();
 
-  // Called periodically at the end of each render quantum to release
-  // finished source nodes.  Updates m_finishedSourceNodes with nodes
-  // to be deleted.  Returns true if any node needs deletion.  Must be
-  // run from the audio thread.
-  bool ReleaseFinishedSourceNodes();
-
-  // The finished source nodes found by |releaseFinishedSourceNodes|
-  // will be removed on the main thread, which is done here.
-  void RemoveFinishedSourceNodes(bool needs_removal);
-
   // Keeps track of the number of connections made.
   void IncrementConnectionCount() {
     DCHECK(IsMainThread());
     connection_count_++;
   }
 
   unsigned ConnectionCount() const { return connection_count_; }
 
   DeferredTaskHandler& GetDeferredTaskHandler() const {
     return *deferred_task_handler_;
@@ skipping 110 matching lines @@
     kAutoplayStatusCount
   };
 
   bool is_cleared_;
   void Clear();
 
   // When the context goes away, there might still be some sources which
   // haven't finished playing.  Make sure to release them here.
   void ReleaseActiveSourceNodes();
 
-  // Actually remove the nodes noted for deletion by
-  // releaseFinishedSourceNodes.  Must be run from the main thread,
-  // and must not be run with the context lock.
-  void RemoveFinishedSourceNodesOnMainThread();
-
   // Returns the Document wich wich the instance is associated.
   Document* GetDocument() const;
 
   // Returns the AutoplayPolicy currently applying to this instance.
   AutoplayPolicy::Type GetAutoplayPolicy() const;
 
   // Returns whether the autoplay requirements are fulfilled.
   bool AreAutoplayRequirementsFulfilled() const;
 
   // Listener for the PannerNodes
   Member<AudioListener> listener_;
 
-  // Only accessed in the audio thread.
+  // Accessed by audio thread and main thread, coordinated using
+  // the associated mutex.
+  //
   // These raw pointers are safe because AudioSourceNodes in
-  // m_activeSourceNodes own them.
+  // active_source_nodes_ own them.
+  Mutex finished_source_handlers_mutex_;
   Vector<AudioHandler*> finished_source_handlers_;
 
   // List of source nodes. This is either accessed when the graph lock is
   // held, or on the main thread when the audio thread has finished.
   // Oilpan: This Vector holds connection references. We must call
   // AudioHandler::makeConnection when we add an AudioNode to this, and must
   // call AudioHandler::breakConnection() when we remove an AudioNode from
   // this.
   HeapVector<Member<AudioNode>> active_source_nodes_;
 
-  // The main thread controls m_activeSourceNodes, all updates and additions
-  // are performed by it. When the audio thread marks a source node as finished,
-  // the nodes are added to |m_finishedSourceNodes| and scheduled for removal
-  // from |m_activeSourceNodes| by the main thread.
-  HashSet<UntracedMember<AudioNode>> finished_source_nodes_;
-
   // FIXME(dominicc): Move these to AudioContext because only
   // it creates these Promises.
   // Handle Promises for resume() and suspend()
   void ResolvePromisesForResume();
-  void ResolvePromisesForResumeOnMainThread();
+
+  void PerformCleanupOnMainThread();
+  void ScheduleMainThreadCleanup();
 
   // When the context is going away, reject any pending script promise
   // resolvers.
   virtual void RejectPendingResolvers();
 
   // Record the current autoplay status and clear it.
   void RecordAutoplayStatus();
 
   // True if we're in the process of resolving promises for resume().  Resolving
   // can take some time and the audio context process loop is very fast, so we
   // don't want to call resolve an excessive number of times.
   bool is_resolving_resume_promises_;
 
+  // Set to |true| by the audio thread when it posts a main-thread task to
+  // perform delayed state sync'ing updates that needs to be done on the main
+  // thread. Cleared by the main thread task once it has run.
+  bool has_posted_cleanup_task_;
+
   // Whether a user gesture is required to start this AudioContext.
   bool user_gesture_required_;
 
   unsigned connection_count_;
 
   // Graph locking.
   RefPtr<DeferredTaskHandler> deferred_task_handler_;
 
   // The state of the BaseAudioContext.
   AudioContextState context_state_;
@@ skipping 28 matching lines @@
   // It is somewhat arbitrary and could be increased if necessary.
   enum { kMaxNumberOfChannels = 32 };
 
   Optional<AutoplayStatus> autoplay_status_;
   AudioIOPosition output_position_;
 };
 
 }  // namespace blink
 
 #endif  // BaseAudioContext_h