Avoid unsafe heap access from audio thread.

third_party/WebKit/Source/modules/webaudio/BaseAudioContext.cpp

 /*
  * Copyright (C) 2010, Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1.  Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2.  Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 77 matching lines @@
 
 // FIXME(dominicc): Devolve these constructors to AudioContext
 // and OfflineAudioContext respectively.
 
 // Constructor for rendering to the audio hardware.
 BaseAudioContext::BaseAudioContext(Document* document)
     : SuspendableObject(document),
       destination_node_(nullptr),
       is_cleared_(false),
       is_resolving_resume_promises_(false),
+      has_posted_cleanup_task_(false),
       user_gesture_required_(false),
       connection_count_(0),
       deferred_task_handler_(DeferredTaskHandler::Create()),
       context_state_(kSuspended),
       closed_context_sample_rate_(-1),
       periodic_wave_sine_(nullptr),
       periodic_wave_square_(nullptr),
       periodic_wave_sawtooth_(nullptr),
       periodic_wave_triangle_(nullptr),
       output_position_() {
@@ skipping 34 matching lines @@
       periodic_wave_sawtooth_(nullptr),
       periodic_wave_triangle_(nullptr),
       output_position_() {}
 
 BaseAudioContext::~BaseAudioContext() {
   GetDeferredTaskHandler().ContextWillBeDestroyed();
   // AudioNodes keep a reference to their context, so there should be no way to
   // be in the destructor if there are still AudioNodes around.
   DCHECK(!IsDestinationInitialized());
   DCHECK(!active_source_nodes_.size());
-  DCHECK(!finished_source_handlers_.size());
   DCHECK(!is_resolving_resume_promises_);
   DCHECK(!resume_resolvers_.size());
   DCHECK(!autoplay_status_.has_value());
 }
 
 void BaseAudioContext::Initialize() {
   if (IsDestinationInitialized())
     return;
 
   FFTFrame::Initialize();
@@ skipping 530 matching lines @@
                              WrapPersistent(this)));
 }
 
 void BaseAudioContext::NotifyStateChange() {
   DispatchEvent(Event::Create(EventTypeNames::statechange));
 }
 
 void BaseAudioContext::NotifySourceNodeFinishedProcessing(
     AudioHandler* handler) {
   DCHECK(IsAudioThread());
+  MutexLocker lock(finished_source_handlers_mutex_);
   finished_source_handlers_.push_back(handler);
 }
 
-void BaseAudioContext::RemoveFinishedSourceNodes(bool needs_removal) {
-  DCHECK(IsAudioThread());
-
-  if (needs_removal) {
-    Platform::Current()->MainThread()->GetWebTaskRunner()->PostTask(
-        BLINK_FROM_HERE,
-        CrossThreadBind(
-            &BaseAudioContext::RemoveFinishedSourceNodesOnMainThread,
-            WrapCrossThreadPersistent(this)));
-  }
-}
-
-void BaseAudioContext::RemoveFinishedSourceNodesOnMainThread() {
-  DCHECK(IsMainThread());
-  AutoLocker locker(this);
-  // Quadratic worst case, but sizes of both vectors are considered
-  // manageable, especially |m_finishedSourceNodes| is likely to be short.
-  for (AudioNode* node : finished_source_nodes_) {
-    size_t i = active_source_nodes_.Find(node);
-    if (i != kNotFound)
-      active_source_nodes_.erase(i);
-  }
-  finished_source_nodes_.clear();
-}
-
 Document* BaseAudioContext::GetDocument() const {
   return ToDocument(GetExecutionContext());
 }
 
 AutoplayPolicy::Type BaseAudioContext::GetAutoplayPolicy() const {
   Document* document = GetDocument();
   DCHECK(document);
   return AutoplayPolicy::GetAutoplayPolicyForDocument(*document);
 }
 
 bool BaseAudioContext::AreAutoplayRequirementsFulfilled() const {
   switch (GetAutoplayPolicy()) {
     case AutoplayPolicy::Type::kNoUserGestureRequired:
       return true;
     case AutoplayPolicy::Type::kUserGestureRequired:
     case AutoplayPolicy::Type::kUserGestureRequiredForCrossOrigin:
       return UserGestureIndicator::ProcessingUserGesture();
     case AutoplayPolicy::Type::kDocumentUserActivationRequired:
       return GetDocument()->GetFrame() &&
              GetDocument()->GetFrame()->HasReceivedUserGesture();
   }
 
   NOTREACHED();
   return false;
 }
 
-bool BaseAudioContext::ReleaseFinishedSourceNodes() {
-  DCHECK(IsGraphOwner());
-  DCHECK(IsAudioThread());
-  bool did_remove = false;
-  for (AudioHandler* handler : finished_source_handlers_) {
-    for (AudioNode* node : active_source_nodes_) {
-      if (finished_source_nodes_.Contains(node))
-        continue;
-      if (handler == &node->Handler()) {
-        handler->BreakConnection();
-        finished_source_nodes_.insert(node);
-        did_remove = true;
-        break;
-      }
-    }
-  }
-  finished_source_handlers_.clear();
-  return did_remove;
-}
-
 void BaseAudioContext::NotifySourceNodeStartedProcessing(AudioNode* node) {
   DCHECK(IsMainThread());
   AutoLocker locker(this);
 
   active_source_nodes_.push_back(node);
   node->Handler().MakeConnection();
 }
 
 void BaseAudioContext::ReleaseActiveSourceNodes() {
   DCHECK(IsMainThread());
   for (auto& source_node : active_source_nodes_)
     source_node->Handler().BreakConnection();
 
   active_source_nodes_.clear();
 }
 
 void BaseAudioContext::HandleStoppableSourceNodes() {
+  DCHECK(IsAudioThread());
   DCHECK(IsGraphOwner());
 
-  // Find AudioBufferSourceNodes to see if we can stop playing them.
-  for (AudioNode* node : active_source_nodes_) {
-    // If the AudioNode has been marked as finished and released by
-    // the audio thread, but not yet removed by the main thread
-    // (see releaseActiveSourceNodes() above), |node| must not be
-    // touched as its handler may have been released already.
-    if (finished_source_nodes_.Contains(node))
-      continue;
-    if (node->Handler().GetNodeType() ==
-        AudioHandler::kNodeTypeAudioBufferSource) {
-      AudioBufferSourceNode* source_node =
-          static_cast<AudioBufferSourceNode*>(node);
-      source_node->GetAudioBufferSourceHandler().HandleStoppableSourceNode();
-    }
-  }
+  if (active_source_nodes_.size())
+    ScheduleMainThreadCleanup();
 }
 
 void BaseAudioContext::HandlePreRenderTasks(
     const AudioIOPosition& output_position) {
   DCHECK(IsAudioThread());
 
   // At the beginning of every render quantum, try to update the internal
   // rendering graph state (from main thread changes).  It's OK if the tryLock()
   // fails, we'll just take slightly longer to pick up the changes.
   if (TryLock()) {
@@ skipping 16 matching lines @@
 }
 
 void BaseAudioContext::HandlePostRenderTasks() {
   DCHECK(IsAudioThread());
 
   // Must use a tryLock() here too.  Don't worry, the lock will very rarely be
   // contended and this method is called frequently.  The worst that can happen
   // is that there will be some nodes which will take slightly longer than usual
   // to be deleted or removed from the render graph (in which case they'll
   // render silence).
-  bool did_remove = false;
   if (TryLock()) {
     // Take care of AudioNode tasks where the tryLock() failed previously.
     GetDeferredTaskHandler().BreakConnections();
 
-    // Dynamically clean up nodes which are no longer needed.
-    did_remove = ReleaseFinishedSourceNodes();
-
     GetDeferredTaskHandler().HandleDeferredTasks();
     GetDeferredTaskHandler().RequestToDeleteHandlersOnMainThread();
 
     unlock();
   }
-
-  RemoveFinishedSourceNodes(did_remove);
 }
 
-void BaseAudioContext::ResolvePromisesForResumeOnMainThread() {
+void BaseAudioContext::PerformCleanupOnMainThread() {
   DCHECK(IsMainThread());
   AutoLocker locker(this);
 
-  for (auto& resolver : resume_resolvers_) {
-    if (context_state_ == kClosed) {
-      resolver->Reject(DOMException::Create(
-          kInvalidStateError, "Cannot resume a context that has been closed"));
-    } else {
-      SetContextState(kRunning);
-      resolver->Resolve();
+  if (is_resolving_resume_promises_) {
+    for (auto& resolver : resume_resolvers_) {
+      if (context_state_ == kClosed) {
+        resolver->Reject(DOMException::Create(
+            kInvalidStateError,
+            "Cannot resume a context that has been closed"));
+      } else {
+        SetContextState(kRunning);
+        resolver->Resolve();
+      }
     }
+    resume_resolvers_.clear();
+    is_resolving_resume_promises_ = false;
   }
 
-  resume_resolvers_.clear();
-  is_resolving_resume_promises_ = false;
+  if (active_source_nodes_.size()) {
+    // Find AudioBufferSourceNodes to see if we can stop playing them.
+    for (AudioNode* node : active_source_nodes_) {
+      if (node->Handler().GetNodeType() ==
+          AudioHandler::kNodeTypeAudioBufferSource) {
+        AudioBufferSourceNode* source_node =
+            static_cast<AudioBufferSourceNode*>(node);
+        source_node->GetAudioBufferSourceHandler().HandleStoppableSourceNode();
+      }
+    }
+
+    Vector<AudioHandler*> finished_handlers;
+    {
+      MutexLocker lock(finished_source_handlers_mutex_);
+      finished_source_handlers_.swap(finished_handlers);
+    }
+    // Break the connection and release active nodes that have finished
+    // playing.
+    unsigned remove_count = 0;
+    Vector<bool> removables;
+    removables.resize(active_source_nodes_.size());
+    for (AudioHandler* handler : finished_handlers) {
+      for (unsigned i = 0; i < active_source_nodes_.size(); ++i) {
+        if (handler == &active_source_nodes_[i]->Handler()) {
+          handler->BreakConnection();
+          removables[i] = true;
+          remove_count++;
+          break;
+        }
+      }
+    }
+
+    // Copy over the surviving active nodes.
+    HeapVector<Member<AudioNode>> actives;
+    actives.ReserveInitialCapacity(active_source_nodes_.size() - remove_count);
+    for (unsigned i = 0; i < removables.size(); ++i) {
+      if (!removables[i])
+        actives.push_back(active_source_nodes_[i]);
+    }
+    active_source_nodes_.swap(actives);
+  }
+  has_posted_cleanup_task_ = false;
+}
+
+void BaseAudioContext::ScheduleMainThreadCleanup() {
+  if (has_posted_cleanup_task_)
+    return;
+  Platform::Current()->MainThread()->GetWebTaskRunner()->PostTask(
+      BLINK_FROM_HERE,
+      CrossThreadBind(&BaseAudioContext::PerformCleanupOnMainThread,
+                      WrapCrossThreadPersistent(this)));
+  has_posted_cleanup_task_ = true;
 }
 
 void BaseAudioContext::ResolvePromisesForResume() {
   // This runs inside the BaseAudioContext's lock when handling pre-render
   // tasks.
   DCHECK(IsAudioThread());
   DCHECK(IsGraphOwner());
 
   // Resolve any pending promises created by resume(). Only do this if we
   // haven't already started resolving these promises. This gets called very
   // often and it takes some time to resolve the promises in the main thread.
   if (!is_resolving_resume_promises_ && resume_resolvers_.size() > 0) {
     is_resolving_resume_promises_ = true;
-    Platform::Current()->MainThread()->GetWebTaskRunner()->PostTask(
-        BLINK_FROM_HERE,
-        CrossThreadBind(&BaseAudioContext::ResolvePromisesForResumeOnMainThread,
-                        WrapCrossThreadPersistent(this)));
+    ScheduleMainThreadCleanup();
   }
 }
 
 void BaseAudioContext::RejectPendingDecodeAudioDataResolvers() {
   // Now reject any pending decodeAudioData resolvers
   for (auto& resolver : decode_audio_resolvers_)
     resolver->Reject(DOMException::Create(kInvalidStateError,
                                           "Audio context is going away"));
   decode_audio_resolvers_.clear();
 }
@@ skipping 115 matching lines @@
 }
 
 SecurityOrigin* BaseAudioContext::GetSecurityOrigin() const {
   if (GetExecutionContext())
     return GetExecutionContext()->GetSecurityOrigin();
 
   return nullptr;
 }
 
 }  // namespace blink