[Webkit-unassigned] [Bug 238493] IPC::Connection::UniqueID is not possible to use in thread safe manner
bugzilla-daemon at webkit.org
Wed Mar 30 07:08:11 PDT 2022
https://bugs.webkit.org/show_bug.cgi?id=238493
--- Comment #3 from Chris Dumez <cdumez at apple.com> ---
(In reply to Kimmo Kinnunen from comment #2)
> IPC::Connection::send(UniqueID, ..) uses a lock to ensure that the instance
> is not deleted.
>
> However, the instance could already be in its destructor when the lock is
> taken.
>
> consider UniqueID==1, Connection instance = 0x1234
>
> Thread A:
>
> template<typename T>
> bool Connection::send(UniqueID connectionID, T&& message, uint64_t destinationID, OptionSet<SendOption> sendOptions, std::optional<Thread::QOS> qos)
> {
>     Locker locker { s_connectionMapLock };
>     auto* connection = connectionMap().get(connectionID);
>     if (!connection)
>         return false;
>     return connection->send(WTFMove(message), destinationID, sendOptions, qos); // <-- THREAD A here inside this for this=0x1234
> }
>
>
> Thread B:
>
> Connection::~Connection()
> {
>     // <-- Thread B HERE for this=0x1234
>
>     ASSERT(RunLoop::isMain());
>     ASSERT(!isValid());
>
>     {
>         Locker locker { s_connectionMapLock };
>         connectionMap().remove(m_uniqueID);
>     }
>
>     clearAsyncReplyHandlers(*this);
> }
Yes, it could be at the very beginning of its destructor. What is the (thread-safety) bug? At the point the destructor takes the lock, nothing has been destroyed yet and it is still safe to call Connection::send(). One thing that would be unsafe would be to ref the connection, but I made sure the static functions that use a UniqueID don't do that.
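The argument in the comment above (lookup and use under the map lock, destructor erases itself under the same lock, no ref() from the static entry point), modelled as an added example. This is not code from the bug report or from WebKit: the class mirrors IPC::Connection's static map and lock only in shape, and the intrusive refcount, the payload counter and the raceIsConsistent() stress harness are stand-ins written for this illustration.

```cpp
// Added example (not WebKit code): a model of the pattern under discussion.
// A static map of live objects keyed by UniqueID is protected by one lock; the
// destructor erases itself under that lock, so a send(id) that finds the object
// and uses it while still holding the lock sees intact members even if
// ~Connection() has already been entered on another thread.
#include <atomic>
#include <cstdint>
#include <mutex>
#include <thread>
#include <unordered_map>

class Connection {
public:
    using UniqueID = uint64_t;
    // Simplified intrusive refcount standing in for WTF::ThreadSafeRefCounted.
    static Connection* create() { return new Connection; } // refcount starts at 1
    void ref() { m_refCount.fetch_add(1, std::memory_order_relaxed); }
    void deref() { if (m_refCount.fetch_sub(1, std::memory_order_acq_rel) == 1) delete this; }
    UniqueID uniqueID() const { return m_uniqueID; }

    // Looks the connection up and uses it under s_connectionMapLock. It must not
    // ref() it: if ~Connection() has already started, the refcount is 0 and a
    // ref()/deref() pair here would delete the object a second time.
    static bool send(UniqueID id, uint64_t payload)
    {
        std::lock_guard<std::mutex> locker(s_connectionMapLock);
        auto it = connectionMap().find(id);
        if (it == connectionMap().end())
            return false;
        return it->second->sendImpl(payload);
    }
    // Payload total that destroyed connections had accepted (see ~Connection).
    static uint64_t deliveredTotal() { return s_deliveredTotal.load(); }

private:
    Connection()
        : m_uniqueID(s_nextID.fetch_add(1))
    {
        std::lock_guard<std::mutex> locker(s_connectionMapLock);
        connectionMap().emplace(m_uniqueID, this);
    }
    ~Connection()
    {
        {
            // After this block no send(id) can reach this object again.
            std::lock_guard<std::mutex> locker(s_connectionMapLock);
            connectionMap().erase(m_uniqueID);
        }
        s_deliveredTotal.fetch_add(m_delivered); // members are still intact here
    }
    bool sendImpl(uint64_t payload)
    {
        m_delivered += payload; // only ever called with the map lock held
        return true;
    }
    static std::unordered_map<UniqueID, Connection*>& connectionMap()
    {
        static std::unordered_map<UniqueID, Connection*> map;
        return map;
    }
    static std::mutex s_connectionMapLock;
    static std::atomic<uint64_t> s_nextID;
    static std::atomic<uint64_t> s_deliveredTotal;
    std::atomic<unsigned> m_refCount { 1 };
    const UniqueID m_uniqueID;
    uint64_t m_delivered { 0 };
};

std::mutex Connection::s_connectionMapLock;
std::atomic<uint64_t> Connection::s_nextID { 1 };
std::atomic<uint64_t> Connection::s_deliveredTotal { 0 };

// Reproduces the race from the report: this thread (B) creates and destroys
// connections while a sender thread (A) calls send() on the last published ID.
// Returns true when every send that returned true was also counted by the
// destructor of the connection that accepted it, i.e. no send hit a dead object.
bool raceIsConsistent(unsigned iterations)
{
    const uint64_t deliveredBefore = Connection::deliveredTotal();
    std::atomic<Connection::UniqueID> published { 0 };
    std::atomic<bool> done { false };
    std::atomic<uint64_t> accepted { 0 };
    std::thread sender([&] {
        while (!done.load(std::memory_order_acquire)) {
            if (Connection::send(published.load(std::memory_order_acquire), 1))
                accepted.fetch_add(1, std::memory_order_relaxed);
        }
    });
    for (unsigned i = 0; i < iterations; ++i) {
        Connection* connection = Connection::create();
        published.store(connection->uniqueID(), std::memory_order_release);
        connection->deref(); // drops the last ref: ~Connection() runs here
    }
    done.store(true, std::memory_order_release);
    sender.join();
    return accepted.load() == Connection::deliveredTotal() - deliveredBefore;
}

int main() { return raceIsConsistent(20000) ? 0 : 1; }
```

The invariant checked by raceIsConsistent() is exactly the one the comment relies on: a send() that finds the entry in the map runs to completion before the destructor can take the lock and erase it, so the members it touches are still valid, and once the destructor has erased the entry no later send() can find the object. What the pattern does not allow is taking a reference from inside send(): the refcount is already zero by the time the destructor runs, so a ref()/deref() pair there would trigger a second delete. Building with -fsanitize=thread is a good way to confirm there are no unsynchronised accesses in a model like this.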