[Webkit-unassigned] [Bug 171319] New: sendMessageScoped's signal handler calls LocklessBag::consumeAll, which causes heap deallocation in signal handler and leads deadlock

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 26 03:11:27 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171319

            Bug ID: 171319
           Summary: sendMessageScoped's signal handler calls
                    LocklessBag::consumeAll, which causes heap
                    deallocation in signal handler and leads deadlock
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Web Template Framework
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: utatane.tea at gmail.com

In sendMessageScoped, we call `LocklessBag<SignalHandler>::consumeAll` via `thread->threadMessages().consumeAll()`.
In LocklessBag::consumeAll, we call `delete` on Nodes.
The problem is that this is called in the context of a signal handler. Thus, when calling this, the original
thread may hold the lock in bmalloc. In that case, this `delete` call attempts to lock the heap lock recursively,
and causes a deadlock.

Making the heap lock a recursive one easily breaks the invariants guarded by that lock in bmalloc.
We should not do that. I believe the correct way to solve it is to not call heap functions inside the signal handler.
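Added illustration of the deadlock mechanism described in this report; it is constructed for this page and is not WebKit or bmalloc code. A non-reentrant spin lock stands in for the heap lock, an atomic intrusive stack for the LocklessBag, and `demo()` raises the signal while the lock is held: the handler that frees inside signal context would spin forever, while the one that only detaches the list and defers deallocation to ordinary code completes.

```c
#include <signal.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed stand-in for the allocator's non-recursive heap lock (not bmalloc itself). */
static atomic_flag heap_lock = ATOMIC_FLAG_INIT;
static void heap_lock_acquire(void) { while (atomic_flag_test_and_set(&heap_lock)) { } }
static void heap_lock_release(void) { atomic_flag_clear(&heap_lock); }
struct node { int payload; struct node *next; };
/* Minimal lock-free intrusive stack playing the role of a LocklessBag. */
static _Atomic(struct node *) bag_head = NULL;
static void bag_push(struct node *n) {
    struct node *old = atomic_load(&bag_head);
    do { n->next = old; } while (!atomic_compare_exchange_weak(&bag_head, &old, n));
}
/* One atomic exchange detaches the whole list: no lock and no heap, so it is handler-safe. */
static struct node *bag_detach_all(void) { return atomic_exchange(&bag_head, NULL); }
/* Freeing takes the heap lock; if the interrupted thread already holds it, this spins forever. */
static void heap_free(struct node *n) { heap_lock_acquire(); free(n); heap_lock_release(); }
/* The pattern from the report: delete inside the handler. Deliberately never installed. */
void handler_unsafe(int sig) {
    (void)sig;
    for (struct node *n = bag_detach_all(); n;) { struct node *nx = n->next; heap_free(n); n = nx; }
}
/* Safe pattern: the handler only detaches and reads; deallocation is deferred to normal context. */
static _Atomic(struct node *) deferred = NULL;   /* hand-off from handler to ordinary code */
static volatile sig_atomic_t handled_count = 0;
static void handler_safe(int sig) {
    (void)sig;
    struct node *list = bag_detach_all();
    for (struct node *n = list; n; n = n->next) handled_count++;   /* read-only work, heap untouched */
    atomic_store(&deferred, list);
}
/* Runs from ordinary code with no lock held, where heap_free is legal. Returns nodes freed. */
static int free_deferred(void) {
    int freed = 0;
    for (struct node *n = atomic_exchange(&deferred, NULL); n; freed++) { struct node *nx = n->next; heap_free(n); n = nx; }
    return freed;
}
/* Simulates the report's scenario: the signal arrives while this thread is inside the allocator. */
int demo(void) {
    for (int i = 0; i < 3; i++) { struct node *n = malloc(sizeof *n); n->payload = i; bag_push(n); }
    signal(SIGUSR1, handler_safe);   /* installing handler_unsafe here would hang at raise() */
    heap_lock_acquire();             /* "inside bmalloc" when the signal lands */
    raise(SIGUSR1);                  /* handler runs synchronously on this thread */
    heap_lock_release();
    return free_deferred();
}
int main(void) { printf("freed %d deferred nodes\n", demo()); return 0; }
```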
