Changeset 173201 in webkit

Timestamp:

Sep 3, 2014 12:26:52 AM (10 years ago)

Author:

zandobersek@gmail.com

Message:

GMainLoopSource is exposed to race conditions
​https://bugs.webkit.org/show_bug.cgi?id=135800

Reviewed by Carlos Garcia Campos.

Source/WTF:

GMainLoopSource objects can be dispatching tasks on one thread
while having a new task scheduled on a different thread. This
can for instance occur in WebKitVideoSink, where the timeout
callback can be called on main thread while at the same time
it is being rescheduled on a different thread (created through
GStreamer).

The initial solution is to use GMutex to prevent parallel data
access from different threads. In the future I plan to add better
assertions, some meaningful comments and look at the possibility
of creating thread-specific GMainLoopSource objects that wouldn't
require the use of GMutex.

GSource, GCancellable and std::function<> objects are now packed
into an internal Context structure. Using the C++11 move semantics
it's simple to, at the time of dispatch, move the current context
out of the GMainLoopSource object in case the dispatch causes a
rescheduling on that same object.

All the schedule*() methods and the cancelInternal() method callers
now lock the GMutex to ensure no one else is accessing the data at
that moment. Similar goes for the dispatch methods, but those do
the dispatch and possible destruction duties with the mutex unlocked.
The dispatch can cause rescheduling on the same GMainLoopSource object,
which must not be done with a locked mutex.

• wtf/gobject/GMainLoopSource.cpp:

(WTF::GMainLoopSource::GMainLoopSource):
(WTF::GMainLoopSource::~GMainLoopSource):
(WTF::GMainLoopSource::cancel):
(WTF::GMainLoopSource::cancelInternal):
(WTF::GMainLoopSource::scheduleIdleSource):
(WTF::GMainLoopSource::schedule):
(WTF::GMainLoopSource::scheduleTimeoutSource):
(WTF::GMainLoopSource::scheduleAfterDelay):
(WTF::GMainLoopSource::voidCallback):
(WTF::GMainLoopSource::boolCallback):
(WTF::GMainLoopSource::socketCallback):
(WTF::GMainLoopSource::destroy):
(WTF::GMainLoopSource::reset): Deleted.

• wtf/gobject/GMainLoopSource.h:

Tools:

Add a unit test for GMainLoopSource that tests different
types of rescheduling tasks on already-active sources.

• TestWebKitAPI/PlatformGTK.cmake:
• TestWebKitAPI/Tests/WTF/gobject/GMainLoopSource.cpp: Added.

(GMainLoopSourceTest::GMainLoopSourceTest):
(GMainLoopSourceTest::~GMainLoopSourceTest):
(GMainLoopSourceTest::runLoop):
(GMainLoopSourceTest::finish):
(GMainLoopSourceTest::source):
(testGMainLoopSourceBasicRescheduling):
(testGMainLoopSourceReentrantRescheduling):
(testGMainLoopSourceDifferentThreadRescheduling):
(beforeAll):
(afterAll):
(TestWebKitAPI::GMainLoopSourceTest::GMainLoopSourceTest):
(TestWebKitAPI::GMainLoopSourceTest::~GMainLoopSourceTest):
(TestWebKitAPI::GMainLoopSourceTest::runLoop):
(TestWebKitAPI::GMainLoopSourceTest::finish):
(TestWebKitAPI::GMainLoopSourceTest::source):
(TestWebKitAPI::TEST):

Location:

trunk

Files:

• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/gobject/GMainLoopSource.cpp (modified) (14 diffs)
• Source/WTF/wtf/gobject/GMainLoopSource.h (modified) (4 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/PlatformGTK.cmake (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WTF/gobject/GMainLoopSource.cpp (added)

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2014-09-03  Zan Dobersek  <zdobersek@igalia.com>
+
+        GMainLoopSource is exposed to race conditions
+        https://bugs.webkit.org/show_bug.cgi?id=135800
+
+        Reviewed by Carlos Garcia Campos.
+
+        GMainLoopSource objects can be dispatching tasks on one thread
+        while having a new task scheduled on a different thread. This
+        can for instance occur in WebKitVideoSink, where the timeout
+        callback can be called on main thread while at the same time
+        it is being rescheduled on a different thread (created through
+        GStreamer).
+
+        The initial solution is to use GMutex to prevent parallel data
+        access from different threads. In the future I plan to add better
+        assertions, some meaningful comments and look at the possibility
+        of creating thread-specific GMainLoopSource objects that wouldn't
+        require the use of GMutex.
+
+        GSource, GCancellable and std::function<> objects are now packed
+        into an internal Context structure. Using the C++11 move semantics
+        it's simple to, at the time of dispatch, move the current context
+        out of the GMainLoopSource object in case the dispatch causes a
+        rescheduling on that same object.
+
+        All the schedule*() methods and the cancelInternal() method callers
+        now lock the GMutex to ensure no one else is accessing the data at
+        that moment. Similar goes for the dispatch methods, but those do
+        the dispatch and possible destruction duties with the mutex unlocked.
+        The dispatch can cause rescheduling on the same GMainLoopSource object,
+        which must not be done with a locked mutex.
+
+        * wtf/gobject/GMainLoopSource.cpp:
+        (WTF::GMainLoopSource::GMainLoopSource):
+        (WTF::GMainLoopSource::~GMainLoopSource):
+        (WTF::GMainLoopSource::cancel):
+        (WTF::GMainLoopSource::cancelInternal):
+        (WTF::GMainLoopSource::scheduleIdleSource):
+        (WTF::GMainLoopSource::schedule):
+        (WTF::GMainLoopSource::scheduleTimeoutSource):
+        (WTF::GMainLoopSource::scheduleAfterDelay):
+        (WTF::GMainLoopSource::voidCallback):
+        (WTF::GMainLoopSource::boolCallback):
+        (WTF::GMainLoopSource::socketCallback):
+        (WTF::GMainLoopSource::destroy):
+        (WTF::GMainLoopSource::reset): Deleted.
+        * wtf/gobject/GMainLoopSource.h:
+
 2014-09-02  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WTF/wtf/gobject/GMainLoopSource.cpp

@@ -29 +29 @@
 
 #include "GMainLoopSource.h"
-
 #include <gio/gio.h>
+#include <wtf/gobject/GMutexLocker.h>
 
 namespace WTF {
@@ -43 +43 @@
     , m_status(Ready)
 {
+    g_mutex_init(&m_mutex);
 }
 
@@ -49 +50 @@
     , m_status(Ready)
 {
+    g_mutex_init(&m_mutex);
 }
 
@@ -54 +56 @@
 {
     cancel();
+    g_mutex_clear(&m_mutex);
 }
 
@@ -68 +71 @@
 void GMainLoopSource::cancel()
 {
-    if (!m_source)
+    GMutexLocker locker(m_mutex);
+    cancelWithoutLocking();
+}
+
+void GMainLoopSource::cancelWithoutLocking()
+{
+    if (!m_context.source) {
+        m_status = Ready;
         return;
-
-    GRefPtr<GSource> source;
-    m_source.swap(source);
-
-    if (m_cancellable)
-        g_cancellable_cancel(m_cancellable.get());
-    g_source_destroy(source.get());
-    destroy();
-}
-
-void GMainLoopSource::reset()
-{
-    m_status = Ready;
-    m_source = nullptr;
-    m_cancellable = nullptr;
-    m_voidCallback = nullptr;
-    m_boolCallback = nullptr;
-    m_destroyCallback = nullptr;
+    }
+
+    Context context = WTF::move(m_context);
+
+    if (context.cancellable)
+        g_cancellable_cancel(context.cancellable.get());
+
+    g_source_destroy(context.source.get());
+    destroy(context.destroyCallback);
 }
 
@@ -95 +96 @@
     m_status = Scheduled;
 
-    m_source = adoptGRef(g_idle_source_new());
-    g_source_set_name(m_source.get(), name);
+    m_context.source = adoptGRef(g_idle_source_new());
+    g_source_set_name(m_context.source.get(), name);
     if (priority != G_PRIORITY_DEFAULT_IDLE)
-        g_source_set_priority(m_source.get(), priority);
-    g_source_set_callback(m_source.get(), sourceFunction, this, nullptr);
-    g_source_attach(m_source.get(), context);
+        g_source_set_priority(m_context.source.get(), priority);
+    g_source_set_callback(m_context.source.get(), sourceFunction, this, nullptr);
+    g_source_attach(m_context.source.get(), context);
 }
 
 void GMainLoopSource::schedule(const char* name, std::function<void ()> function, int priority, std::function<void ()> destroyFunction, GMainContext* context)
 {
-    cancel();
-    m_voidCallback = WTF::move(function);
-    m_destroyCallback = WTF::move(destroyFunction);
+    GMutexLocker locker(m_mutex);
+    cancelWithoutLocking();
+    m_context.voidCallback = WTF::move(function);
+    m_context.destroyCallback = WTF::move(destroyFunction);
     scheduleIdleSource(name, reinterpret_cast<GSourceFunc>(voidSourceCallback), priority, context);
 }
@@ -113 +115 @@
 void GMainLoopSource::schedule(const char* name, std::function<bool ()> function, int priority, std::function<void ()> destroyFunction, GMainContext* context)
 {
-    cancel();
-    m_boolCallback = WTF::move(function);
-    m_destroyCallback = WTF::move(destroyFunction);
+    GMutexLocker locker(m_mutex);
+    cancelWithoutLocking();
+    m_context.boolCallback = WTF::move(function);
+    m_context.destroyCallback = WTF::move(destroyFunction);
     scheduleIdleSource(name, reinterpret_cast<GSourceFunc>(boolSourceCallback), priority, context);
 }
@@ -121 +124 @@
 void GMainLoopSource::schedule(const char* name, std::function<bool (GIOCondition)> function, GSocket* socket, GIOCondition condition, std::function<void ()> destroyFunction, GMainContext* context)
 {
-    cancel();
+    GMutexLocker locker(m_mutex);
+    cancelWithoutLocking();
     ASSERT(m_status == Ready);
     m_status = Scheduled;
 
-    m_socketCallback = WTF::move(function);
-    m_destroyCallback = WTF::move(destroyFunction);
-    m_cancellable = adoptGRef(g_cancellable_new());
-    m_source = adoptGRef(g_socket_create_source(socket, condition, m_cancellable.get()));
-    g_source_set_name(m_source.get(), name);
-    g_source_set_callback(m_source.get(), reinterpret_cast<GSourceFunc>(socketSourceCallback), this, nullptr);
-    g_source_attach(m_source.get(), context);
+    m_context.socketCallback = WTF::move(function);
+    m_context.destroyCallback = WTF::move(destroyFunction);
+    m_context.cancellable = adoptGRef(g_cancellable_new());
+    m_context.source = adoptGRef(g_socket_create_source(socket, condition, m_context.cancellable.get()));
+    g_source_set_name(m_context.source.get(), name);
+    g_source_set_callback(m_context.source.get(), reinterpret_cast<GSourceFunc>(socketSourceCallback), this, nullptr);
+    g_source_attach(m_context.source.get(), context);
 }
 
@@ -139 +143 @@
     m_status = Scheduled;
 
-    ASSERT(m_source);
-    g_source_set_name(m_source.get(), name);
+    ASSERT(m_context.source);
+    g_source_set_name(m_context.source.get(), name);
     if (priority != G_PRIORITY_DEFAULT)
-        g_source_set_priority(m_source.get(), priority);
-    g_source_set_callback(m_source.get(), sourceFunction, this, nullptr);
-    g_source_attach(m_source.get(), context);
+        g_source_set_priority(m_context.source.get(), priority);
+    g_source_set_callback(m_context.source.get(), sourceFunction, this, nullptr);
+    g_source_attach(m_context.source.get(), context);
 }
 
 void GMainLoopSource::scheduleAfterDelay(const char* name, std::function<void ()> function, std::chrono::milliseconds delay, int priority, std::function<void ()> destroyFunction, GMainContext* context)
 {
-    cancel();
-    m_source = adoptGRef(g_timeout_source_new(delay.count()));
-    m_voidCallback = WTF::move(function);
-    m_destroyCallback = WTF::move(destroyFunction);
+    GMutexLocker locker(m_mutex);
+    cancelWithoutLocking();
+    m_context.source = adoptGRef(g_timeout_source_new(delay.count()));
+    m_context.voidCallback = WTF::move(function);
+    m_context.destroyCallback = WTF::move(destroyFunction);
     scheduleTimeoutSource(name, reinterpret_cast<GSourceFunc>(voidSourceCallback), priority, context);
 }
@@ -158 +163 @@
 void GMainLoopSource::scheduleAfterDelay(const char* name, std::function<bool ()> function, std::chrono::milliseconds delay, int priority, std::function<void ()> destroyFunction, GMainContext* context)
 {
-    cancel();
-    m_source = adoptGRef(g_timeout_source_new(delay.count()));
-    m_boolCallback = WTF::move(function);
-    m_destroyCallback = WTF::move(destroyFunction);
+    GMutexLocker locker(m_mutex);
+    cancelWithoutLocking();
+    m_context.source = adoptGRef(g_timeout_source_new(delay.count()));
+    m_context.boolCallback = WTF::move(function);
+    m_context.destroyCallback = WTF::move(destroyFunction);
     scheduleTimeoutSource(name, reinterpret_cast<GSourceFunc>(boolSourceCallback), priority, context);
 }
@@ -167 +173 @@
 void GMainLoopSource::scheduleAfterDelay(const char* name, std::function<void ()> function, std::chrono::seconds delay, int priority, std::function<void ()> destroyFunction, GMainContext* context)
 {
-    cancel();
-    m_source = adoptGRef(g_timeout_source_new_seconds(delay.count()));
-    m_voidCallback = WTF::move(function);
-    m_destroyCallback = WTF::move(destroyFunction);
+    GMutexLocker locker(m_mutex);
+    cancelWithoutLocking();
+    m_context.source = adoptGRef(g_timeout_source_new_seconds(delay.count()));
+    m_context.voidCallback = WTF::move(function);
+    m_context.destroyCallback = WTF::move(destroyFunction);
     scheduleTimeoutSource(name, reinterpret_cast<GSourceFunc>(voidSourceCallback), priority, context);
 }
@@ -176 +183 @@
 void GMainLoopSource::scheduleAfterDelay(const char* name, std::function<bool ()> function, std::chrono::seconds delay, int priority, std::function<void ()> destroyFunction, GMainContext* context)
 {
-    cancel();
-    m_source = adoptGRef(g_timeout_source_new_seconds(delay.count()));
-    m_boolCallback = WTF::move(function);
-    m_destroyCallback = WTF::move(destroyFunction);
+    GMutexLocker locker(m_mutex);
+    cancelWithoutLocking();
+    m_context.source = adoptGRef(g_timeout_source_new_seconds(delay.count()));
+    m_context.boolCallback = WTF::move(function);
+    m_context.destroyCallback = WTF::move(destroyFunction);
     scheduleTimeoutSource(name, reinterpret_cast<GSourceFunc>(boolSourceCallback), priority, context);
 }
@@ -185 +193 @@
 void GMainLoopSource::voidCallback()
 {
-    if (!m_source)
-        return;
-
-    ASSERT(m_voidCallback);
-    ASSERT(m_status == Scheduled);
-    m_status = Dispatched;
-
-    GSource* source = m_source.get();
-    m_voidCallback();
-    if (source == m_source.get())
-        destroy();
+    Context context;
+
+    {
+        GMutexLocker locker(m_mutex);
+        if (!m_context.source)
+            return;
+
+        context = WTF::move(m_context);
+
+        ASSERT(context.voidCallback);
+        ASSERT(m_status == Scheduled);
+        m_status = Dispatched;
+    }
+
+    context.voidCallback();
+
+    bool shouldDestroy = false;
+    {
+        GMutexLocker locker(m_mutex);
+        shouldDestroy = !m_context.source;
+    }
+
+    if (shouldDestroy)
+        destroy(context.destroyCallback);
 }
 
 bool GMainLoopSource::boolCallback()
 {
-    if (!m_source)
-        return false;
-
-    ASSERT(m_boolCallback);
-    ASSERT(m_status == Scheduled || m_status == Dispatched);
-    m_status = Dispatched;
-
-    GSource* source = m_source.get();
-    bool retval = m_boolCallback();
-    if (!retval && source == m_source.get())
-        destroy();
-
+    Context context;
+
+    {
+        GMutexLocker locker(m_mutex);
+        if (!m_context.source)
+            return Stop;
+
+        context = WTF::move(m_context);
+
+        ASSERT(context.boolCallback);
+        ASSERT(m_status == Scheduled || m_status == Dispatched);
+        m_status = Dispatched;
+    }
+
+    bool retval = context.boolCallback();
+
+    bool shouldDestroy = false;
+    {
+        GMutexLocker locker(m_mutex);
+        if (retval && !m_context.source)
+            m_context = WTF::move(context);
+        else
+            shouldDestroy = !m_context.source;
+    }
+
+    if (shouldDestroy)
+        destroy(context.destroyCallback);
     return retval;
 }
@@ -217 +253 @@
 bool GMainLoopSource::socketCallback(GIOCondition condition)
 {
-    if (!m_source)
-        return false;
-
-    ASSERT(m_socketCallback);
-    ASSERT(m_status == Scheduled || m_status == Dispatched);
-    m_status = Dispatched;
-
-    if (g_cancellable_is_cancelled(m_cancellable.get())) {
-        destroy();
-        return false;
-    }
-
-    GSource* source = m_source.get();
-    bool retval = m_socketCallback(condition);
-    if (!retval && source == m_source.get())
-        destroy();
-
+    Context context;
+
+    {
+        GMutexLocker locker(m_mutex);
+        if (!m_context.source)
+            return Stop;
+
+        context = WTF::move(m_context);
+
+        ASSERT(context.socketCallback);
+        ASSERT(m_status == Scheduled || m_status == Dispatched);
+        m_status = Dispatched;
+    }
+
+    if (g_cancellable_is_cancelled(context.cancellable.get())) {
+        destroy(context.destroyCallback);
+        return Stop;
+    }
+
+    bool retval = context.socketCallback(condition);
+
+    bool shouldDestroy = false;
+    {
+        GMutexLocker locker(m_mutex);
+        if (retval && !m_context.source)
+            m_context = WTF::move(context);
+        else
+            shouldDestroy = !m_context.source;
+    }
+
+    if (shouldDestroy)
+        destroy(context.destroyCallback);
     return retval;
 }
 
-void GMainLoopSource::destroy()
-{
-    auto destroyCallback = WTF::move(m_destroyCallback);
-    auto deleteOnDestroy = m_deleteOnDestroy;
-    reset();
+void GMainLoopSource::destroy(const std::function<void ()>& destroyCallback)
+{
+    // Nothing should be scheduled on this object at this point.
+    ASSERT(!m_context.source);
+    m_status = Ready;
+    DeleteOnDestroyType deleteOnDestroy = m_deleteOnDestroy;
+
     if (destroyCallback)
         destroyCallback();

trunk/Source/WTF/wtf/gobject/GMainLoopSource.h

@@ -33 +33 @@
 
 typedef struct _GSocket GSocket;
+typedef union _GMutex GMutex;
 
 namespace WTF {
@@ -66 +67 @@
     enum Status { Ready, Scheduled, Dispatched };
 
-    void reset();
+    void cancelWithoutLocking();
     void scheduleIdleSource(const char* name, GSourceFunc, int priority, GMainContext*);
     void scheduleTimeoutSource(const char* name, GSourceFunc, int priority, GMainContext*);
@@ -72 +73 @@
     bool boolCallback();
     bool socketCallback(GIOCondition);
-    void destroy();
+    void destroy(const std::function<void ()>&);
 
     static gboolean voidSourceCallback(GMainLoopSource*);
@@ -80 +81 @@
     DeleteOnDestroyType m_deleteOnDestroy;
     Status m_status;
-    GRefPtr<GSource> m_source;
-    GRefPtr<GCancellable> m_cancellable;
-    std::function<void ()> m_voidCallback;
-    std::function<bool ()> m_boolCallback;
-    std::function<bool (GIOCondition)> m_socketCallback;
-    std::function<void ()> m_destroyCallback;
+    GMutex m_mutex;
+
+    struct Context {
+        Context() = default;
+        Context(Context&&) = default;
+        Context& operator=(Context&&) = default;
+
+        GRefPtr<GSource> source;
+        GRefPtr<GCancellable> cancellable;
+        std::function<void ()> voidCallback;
+        std::function<bool ()> boolCallback;
+        std::function<bool (GIOCondition)> socketCallback;
+        std::function<void ()> destroyCallback;
+    } m_context;
 };
 

trunk/Tools/ChangeLog

@@ +1 @@
+2014-09-03  Zan Dobersek  <zdobersek@igalia.com>
+
+        GMainLoopSource is exposed to race conditions
+        https://bugs.webkit.org/show_bug.cgi?id=135800
+
+        Reviewed by Carlos Garcia Campos.
+
+        Add a unit test for GMainLoopSource that tests different
+        types of rescheduling tasks on already-active sources.
+
+        * TestWebKitAPI/PlatformGTK.cmake:
+        * TestWebKitAPI/Tests/WTF/gobject/GMainLoopSource.cpp: Added.
+        (GMainLoopSourceTest::GMainLoopSourceTest):
+        (GMainLoopSourceTest::~GMainLoopSourceTest):
+        (GMainLoopSourceTest::runLoop):
+        (GMainLoopSourceTest::finish):
+        (GMainLoopSourceTest::source):
+        (testGMainLoopSourceBasicRescheduling):
+        (testGMainLoopSourceReentrantRescheduling):
+        (testGMainLoopSourceDifferentThreadRescheduling):
+        (beforeAll):
+        (afterAll):
+        (TestWebKitAPI::GMainLoopSourceTest::GMainLoopSourceTest):
+        (TestWebKitAPI::GMainLoopSourceTest::~GMainLoopSourceTest):
+        (TestWebKitAPI::GMainLoopSourceTest::runLoop):
+        (TestWebKitAPI::GMainLoopSourceTest::finish):
+        (TestWebKitAPI::GMainLoopSourceTest::source):
+        (TestWebKitAPI::TEST):
+
 2014-09-02  Simon Fraser  <simon.fraser@apple.com>
 

trunk/Tools/TestWebKitAPI/PlatformGTK.cmake

@@ -137 +137 @@
 
 list(APPEND TestWTF_SOURCES
+    ${TESTWEBKITAPI_DIR}/Tests/WTF/gobject/GMainLoopSource.cpp
     ${TESTWEBKITAPI_DIR}/Tests/WTF/gobject/GUniquePtr.cpp
 )