[Webkit-unassigned] [Bug 171319] New: sendMessageScoped's signal handler calls LocklessBag::consumeAll, which causes heap deallocation in a signal handler and leads to deadlock
bugzilla-daemon at webkit.org
Wed Apr 26 03:11:27 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=171319
Bug ID: 171319
Summary: sendMessageScoped's signal handler calls
LocklessBag::consumeAll, which causes heap
deallocation in a signal handler and leads to deadlock
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Web Template Framework
Assignee: webkit-unassigned at lists.webkit.org
Reporter: utatane.tea at gmail.com
In sendMessageScoped, we call LocklessBag<SignalHandler>::consumeAll: `thread->threadMessages().consumeAll()`.
In LocklessBag::consumeAll, we call `delete` on the Nodes.
The problem is that this is called in the context of a signal handler. Thus, when this runs, the original
thread may be holding the lock in bmalloc. In that case, the `delete` call attempts to lock the heap lock recursively,
and causes a deadlock.
Making the heap lock recursive would easily break the invariants guarded by that lock in bmalloc.
We should not do that. I believe the correct way to solve it is to not call heap functions inside the signal handler.
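As an added illustration, not WebKit code and not the fix the project chose, the following hypothetical C++ bag separates consuming nodes from freeing them: the signal handler only swaps pointers atomically and parks the consumed chain on a retired list, and the owning thread frees that list later, from normal (non-handler) context, where taking the allocator lock is safe. The names `DeferredFreeBag`, `detachAll`, `retire`, `reclaimRetired` and `handleInSignalContext` are invented here.

```cpp
#include <atomic>
#include <cstddef>
#include <utility>

// Hypothetical minimal lock-free bag written for this note; it mirrors the
// push/consumeAll shape the bug describes but splits "consume" from
// "deallocate" so that a signal handler never calls delete.
template<typename T>
class DeferredFreeBag {
public:
    struct Node {
        T data;
        Node* next;
    };

    ~DeferredFreeBag()
    {
        reclaimRetired();
        freeChain(m_head.exchange(nullptr, std::memory_order_acquire));
    }

    // Normal thread context only: allocates, so must not run in a handler.
    void push(T value)
    {
        Node* node = new Node { std::move(value), nullptr };
        Node* head = m_head.load(std::memory_order_relaxed);
        do {
            node->next = head;
        } while (!m_head.compare_exchange_weak(head, node,
                     std::memory_order_release, std::memory_order_relaxed));
    }

    // Async-signal-safe: detaches every pending node with one atomic exchange
    // and touches no heap state. The handler walks the returned chain.
    Node* detachAll()
    {
        return m_head.exchange(nullptr, std::memory_order_acquire);
    }

    // Async-signal-safe: parks a consumed chain on the retired list instead of
    // deleting it, so the interrupted thread's allocator lock is never needed.
    void retire(Node* chain)
    {
        if (!chain)
            return;
        Node* tail = chain;
        while (tail->next)
            tail = tail->next;
        Node* head = m_retired.load(std::memory_order_relaxed);
        do {
            tail->next = head;
        } while (!m_retired.compare_exchange_weak(head, chain,
                     std::memory_order_release, std::memory_order_relaxed));
    }

    // Normal thread context only: frees what handlers retired. Returns count.
    std::size_t reclaimRetired()
    {
        return freeChain(m_retired.exchange(nullptr, std::memory_order_acquire));
    }

private:
    static std::size_t freeChain(Node* chain)
    {
        std::size_t freed = 0;
        while (chain) {
            Node* next = chain->next;
            delete chain; // heap deallocation: only ever reached from normal context
            chain = next;
            ++freed;
        }
        return freed;
    }

    std::atomic<Node*> m_head { nullptr };
    std::atomic<Node*> m_retired { nullptr };
};

// What a signal handler is allowed to do with the bag: walk the chain, act on
// each message, then retire the nodes. No new/delete anywhere on this path.
// Returns the number of messages handled; sums their payloads into `total`.
inline std::size_t handleInSignalContext(DeferredFreeBag<int>& bag, int& total)
{
    DeferredFreeBag<int>::Node* chain = bag.detachAll();
    std::size_t handled = 0;
    for (DeferredFreeBag<int>::Node* node = chain; node; node = node->next) {
        total += node->data;
        ++handled;
    }
    bag.retire(chain);
    return handled;
}
```

The point of the split is that the only operations reachable from the handler are `std::atomic` exchanges and CAS loops on raw pointers, which are lock-free on ordinary platforms; the `delete` that would contend with the interrupted thread's bmalloc lock is confined to `reclaimRetired`, which the owning thread calls at a point of its own choosing.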