| commit | 5c68fc8efaa02e7f223e19fadbb51430512d5a86 | |
| author | skyostil@chromium.org <skyostil@chromium.org> | |
| Tue, 16 Jun 2015 21:13:03 +0000 (16 21:13 +0000) | ||
| committer | skyostil@chromium.org <skyostil@chromium.org> | |
| Tue, 16 Jun 2015 21:13:03 +0000 (16 21:13 +0000) | ||
| tree | f746a2334ee9b66bec9d21d5b0a804a4955378b2 | treesnapshot (tar.gz zip) |
| parent | 801ab5fa68f6feb2ef55bba2a7fb781a92236a3f | commitdiff |
Fix a race condition during worker thread initialization
This patch fixes a race condition which can result in a worker thread
accessing freed memory during its initialization. One possible sequence
of events is:
1. The main thread creates the worker thread and posts a task to run
WorkerThread::initialize().
2. Immediately after this, the main thread calls
WorkerThread::terminateAndWait() to shut down the worker thread.
3. WorkerThread::terminateAndWait() notices that the worker hasn't
initialized yet and signals m_terminationEvent.
4. The caller of terminateAndWait() assumes that the WorkerThread has
been terminated and deallocates either the WorkerThread itself or
some object that it depends on.
5. Finally, WorkerThread::initialize starts to run on the worker thread,
accessing memory freed in step #4.
The fix is to always signal m_terminationEvent from the worker thread to
guarantee that we don't think the thread terminated before it actually
did.
BUG=499153
Review URL: https://codereview.chromium.org/1184833002
git-svn-id: svn://svn.chromium.org/blink/trunk@197196 bbb929c8-8fbe-4397-9dbb-9b2b20218538
This patch fixes a race condition which can result in a worker thread
accessing freed memory during its initialization. One possible sequence
of events is:
1. The main thread creates the worker thread and posts a task to run
WorkerThread::initialize().
2. Immediately after this, the main thread calls
WorkerThread::terminateAndWait() to shut down the worker thread.
3. WorkerThread::terminateAndWait() notices that the worker hasn't
initialized yet and signals m_terminationEvent.
4. The caller of terminateAndWait() assumes that the WorkerThread has
been terminated and deallocates either the WorkerThread itself or
some object that it depends on.
5. Finally, WorkerThread::initialize starts to run on the worker thread,
accessing memory freed in step #4.
The fix is to always signal m_terminationEvent from the worker thread to
guarantee that we don't think the thread terminated before it actually
did.
BUG=499153
Review URL: https://codereview.chromium.org/1184833002
git-svn-id: svn://svn.chromium.org/blink/trunk@197196 bbb929c8-8fbe-4397-9dbb-9b2b20218538
| third_party/WebKit/Source/core/workers/WorkerThread.cpp | diffblobblamehistory | |
| third_party/WebKit/Source/core/workers/WorkerThreadTest.cpp | diffblobblamehistory |