Context Navigation

Changeset 214786 in webkit

Timestamp:

Apr 3, 2017 6:08:46 AM (7 years ago)

Author:

Antti Koivisto

Message:

Mutex may be freed too late in NetworkCache::Storage::traverse
https://bugs.webkit.org/show_bug.cgi?id=170400
<rdar://problem/30515865>

Reviewed by Carlos Garcia Campos and Andreas Kling.

Fix a race.

(WebKit::NetworkCache::Storage::traverse):

Ensure the mutex is not accessed after we dispatch to the main thread.
The main thread call deletes the owning TraverseOperation.

Location:

trunk/Source/WebKit2

Files:

-                      r214723
+                      r214786
+-04-03  Antti Koivisto  <antti@apple.com>
+        Mutex may be freed too late in NetworkCache::Storage::traverse
+        https://bugs.webkit.org/show_bug.cgi?id=170400
+        <rdar://problem/30515865>
+        Reviewed by Carlos Garcia Campos and Andreas Kling.
+        Fix a race.
+        * NetworkProcess/cache/NetworkCacheStorage.cpp:
+        (WebKit::NetworkCache::Storage::traverse):
+            Ensure the mutex is not accessed after we dispatch to the main thread.
+            The main thread call deletes the owning TraverseOperation.
 -04-01  Dan Bernstein  <mitz@apple.com>

-                      r214101
+                      r214786
             });
         });
+        // Wait for all reads to finish.
+        std::unique_lock<Lock> lock(traverseOperation.activeMutex);
+        traverseOperation.activeCondition.wait(lock, [&traverseOperation] {
+            return !traverseOperation.activeCount;
+        });
+        {
+            // Wait for all reads to finish.
+            std::unique_lock<Lock> lock(traverseOperation.activeMutex);
+            traverseOperation.activeCondition.wait(lock, [&traverseOperation] {
+                return !traverseOperation.activeCount;
+            });
+        }
         RunLoop::main().dispatch([this, &traverseOperation] {
             traverseOperation.handler(nullptr, { });

Note: See TracChangeset for help on using the changeset viewer.