[Webkit-unassigned] [Bug 65263] New: MessageQueue::waitForMessageFilteredWithTimeout can triggers an assertion

Wed Jul 27 09:18:08 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=65263

           Summary: MessageQueue::waitForMessageFilteredWithTimeout can
                    triggers an assertion
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Web Template Framework
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: kbalazs at webkit.org

Actually anything that assigns a value to an already initialized iterator of m_queue can trigger an invalid assertion.
This has also spotted in https://bugs.webkit.org/show_bug.cgi?id=31657.
waitForMessageFilteredWithTimeout has the following loop:

while (!m_killed && !timedOut && (found = m_queue.findIf(predicate)) == m_queue.end())
    timedOut = !m_condition.timedWait(m_mutex, absoluteTime);

The situation that leads to an invalid assertion is the following:
 - this loop is waiting on m_condition
 - during that another thread calls something that modify m_queue that invalidate's it's iterators (i.e. Deque::invalidateIterators will be called on m_queue)
 - when the loop is awakening it will reassign the iterator 'found' that is in an invalidated state
 - DequeIteratorBase::operator= -> checkValidity -> ASSERT(m_queue) will fail

The solution can be the same as in #31657 i.e. make the iterator local to the loop.
There is no code in WebKit that currently triggers this. I triggered it with my patch that had been uploaded as https://bug-63531-attachments.webkit.org/attachment.cgi?id=101999.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.