search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
(parent: d4862e3) | patch
Check whether the worker was terminated before accessing its backing thread
commitc3825983feeacc2067d9387e119db3e430dd2b2a
authorskyostil@chromium.org <skyostil@chromium.org>
Thu, 28 May 2015 13:07:02 +0000 (28 13:07 +0000)
committerskyostil@chromium.org <skyostil@chromium.org>
Thu, 28 May 2015 13:07:02 +0000 (28 13:07 +0000)
treeb64fcf2026c089f6a17da5913545485354e7c274tree | snapshot (tar.gz zip)
parentd4862e3415dc54e52295bf128ffe6d9eea131ddbcommit | diff
Check whether the worker was terminated before accessing its backing thread

This patch fixes a race condition in WorkerThread initialization which
can lead to a null pointer dereference. An example triggering sequence
of events is:

Main thread                                  Worker thread
-----------                                  -------------
1. ServiceWorkerThread::start
   |                              postTask
    '----------------------------------------.
                                             |
                                             V

2. ~ServiceWorkerThread                      3. ServiceWorkerThread::initialize
   => ~WebThreadSupportingGC                    => derefs backingThread().platformThread()
   => backingThread().platformThread()          => segfault
      becomes null.

In other words, the worker thread is terminated before it has a chance
to run the posted WorkerThread::initialize() function.

The fix is to check whether the thread was terminated before assuming
the backing thread is still valid.

BUG=492592

Review URL: https://codereview.chromium.org/1149833011

git-svn-id: svn://svn.chromium.org/blink/trunk@196058 bbb929c8-8fbe-4397-9dbb-9b2b20218538
third_party/WebKit/Source/core/workers/WorkerThread.cpp diff | blob | blame | history