[Webkit-unassigned] [Bug 195605] makeWeakPtr isn't thread-safe

Mon Mar 11 22:12:18 PDT 2019

https://bugs.webkit.org/show_bug.cgi?id=195605

Ryosuke Niwa <rniwa at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fpizlo at apple.com,
                   |                            |ggaren at apple.com,
                   |                            |keith_miller at apple.com,
                   |                            |mark.lam at apple.com,
                   |                            |sbarati at apple.com

--- Comment #1 from Ryosuke Niwa <rniwa at webkit.org> ---
(In reply to Fujii Hironori from comment #0)
> makeWeakPtr isn't thread-safe even though it is called in non main threads.
> This can be problem if multiple threads would call makeWeakPtr
> simultaneously.
> 
> WeakPtrFactory::createWeakPtr reads/writes 'm_ref' member variable without
> locking mutex.
> https://trac.webkit.org/browser/webkit/trunk/Source/WTF/wtf/WeakPtr.
> h?rev=242387#L109
> 
> > WeakPtr<T> createWeakPtr(T& ptr) const
> > {
> >     if (!m_ref)
> >         m_ref = WeakReference<T>::create(&ptr);
> >     return { makeRef(*m_ref) };
> > }
> 
> The simple solution is making WeakPtrFactory::m_ref always have a reference
> to a instance of WeakReference by calling createWeakPtr in WeakPtrFactory
> ctor.

It's important that WeakReference<T> is constructed lazily. I think we should do make the assignment to m_ref atomic.

Maybe we can use std::atomic<WeakReference<T>*> m_ref then manually call ref() / deref()? I'm sure others have a better idea than this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190312/418a2bfb/attachment-0001.html>