[Webkit-unassigned] [Bug 238493] IPC::Connection::UniqueID is not possible to use in thread safe manner
bugzilla-daemon at webkit.org
Wed Mar 30 01:01:29 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=238493
--- Comment #2 from Kimmo Kinnunen <kkinnunen at apple.com> ---
IPC::Connection::send(UniqueID, ..) uses a lock to ensure that the instance is not deleted.
However, the instance could already be in its destructor when the lock is taken.
Consider UniqueID == 1, Connection instance = 0x1234.
Thread A:

    template<typename T>
    bool Connection::send(UniqueID connectionID, T&& message, uint64_t destinationID, OptionSet<SendOption> sendOptions, std::optional<Thread::QOS> qos)
    {
        Locker locker { s_connectionMapLock };
        auto* connection = connectionMap().get(connectionID);
        if (!connection)
            return false;
        return connection->send(WTFMove(message), destinationID, sendOptions, qos); // <-- THREAD A here inside this for this=0x1234
    }
Thread B:

    Connection::~Connection()
    {
        // <-- Thread B HERE for this=0x1234
        ASSERT(RunLoop::isMain());
        ASSERT(!isValid());
        {
            Locker locker { s_connectionMapLock };
            connectionMap().remove(m_uniqueID);
        }
        clearAsyncReplyHandlers(*this);
    }
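An added illustration of the lifetime rule the comment above is pointing at, not code from this bug or from WebKit: if the registry hands out a strong reference instead of a raw pointer, a successful lookup can never return an instance whose destructor has already begun, because the destructor only runs once the last strong reference is gone. The Connection, s_connectionMap, create and send names below are assumed stand-ins, and standard std::shared_ptr/std::weak_ptr replace WebKit's own ref-counting types.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <mutex>
#include <string>
// Stand-ins for IPC::Connection and its registry; the names are assumptions, not WebKit code.
using UniqueID = uint64_t;
class Connection;
static std::mutex s_connectionMapLock;
static std::map<UniqueID, std::weak_ptr<Connection>> s_connectionMap; // weak refs only: keeps nothing alive
class Connection {
public:
    static std::shared_ptr<Connection> create(UniqueID id) {
        std::shared_ptr<Connection> connection(new Connection(id));
        std::lock_guard<std::mutex> locker(s_connectionMapLock);
        s_connectionMap[id] = connection;
        return connection;
    }
    ~Connection() {
        // Runs only after the last strong reference is gone, so weak_ptr::lock() on this entry
        // already fails: no other thread can obtain a pointer to an instance mid-destruction.
        std::lock_guard<std::mutex> locker(s_connectionMapLock);
        s_connectionMap.erase(m_uniqueID); // ids are never reused, so erasing by id is safe
    }
    bool send(const std::string& message) { m_lastMessage = message; ++m_sentCount; return true; }
    size_t sentCount() const { return m_sentCount; }
private:
    explicit Connection(UniqueID id) : m_uniqueID(id) { }
    UniqueID m_uniqueID;
    std::string m_lastMessage;
    size_t m_sentCount = 0;
};
// Counterpart of the page's Connection::send(UniqueID, ...): take a strong reference under the
// lock, drop the lock, then use the object while that reference keeps it alive.
bool send(UniqueID connectionID, const std::string& message) {
    std::unique_lock<std::mutex> locker(s_connectionMapLock);
    std::shared_ptr<Connection> connection;
    auto it = s_connectionMap.find(connectionID);
    if (it != s_connectionMap.end())
        connection = it->second.lock(); // empty once use_count reached 0, i.e. once destruction began
    locker.unlock(); // never call into the object while holding the map lock
    return connection && connection->send(message);
}
bool demoLifecycle() {
    auto connection = Connection::create(1);
    if (!send(1, "hello") || connection->sentCount() != 1)
        return false;
    connection.reset(); // last strong reference dropped: destructor runs and unregisters id 1
    return !send(1, "too late");
}
int main() { return demoLifecycle() ? 0 : 1; }
```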