Context Navigation

← Previous Changeset
Next Changeset →

Changeset 225985 in webkit

Timestamp:

Dec 15, 2017 1:32:07 PM (6 years ago)

Author:

rniwa@webkit.org

Message:

Add a release assert that Timer::m_wasDeleted is false in setNextFireTime
https://bugs.webkit.org/show_bug.cgi?id=180860
<rdar://problem/36066500>

Reviewed by David Kilzer.

Turn an exist debug-only assertion into a release assertion to help diagnose a crash
which appears to be caused by a freed timer getting scheduled back into the timer heap.

platform/Timer.cpp:

(WebCore::TimerBase::~TimerBase):
(WebCore::TimerBase::setNextFireTime):

platform/Timer.h:

Location:

trunk/Source/WebCore

Files:

: 3 edited

ChangeLog (modified) (1 diff)
platform/Timer.cpp (modified) (2 diffs)
platform/Timer.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebCore/ChangeLog

-                      r225983
+                      r225985
+-12-15  Ryosuke Niwa  <rniwa@webkit.org>
+        Add a release assert that Timer::m_wasDeleted is false in setNextFireTime
+        https://bugs.webkit.org/show_bug.cgi?id=180860
+        <rdar://problem/36066500>
+        Reviewed by David Kilzer.
+        Turn an exist debug-only assertion into a release assertion to help diagnose a crash
+        which appears to be caused by a freed timer getting scheduled back into the timer heap.
+        * platform/Timer.cpp:
+        (WebCore::TimerBase::~TimerBase):
+        (WebCore::TimerBase::setNextFireTime):
+        * platform/Timer.h:
 -12-15  Simon Fraser  <simon.fraser@apple.com>

trunk/Source/WebCore/platform/Timer.cpp

-                      r225470
+                      r225985
     stop();
     ASSERT(!inHeap());
-#ifndef NDEBUG
     m_wasDeleted = true;
-#endif
+}
 …
+{
     ASSERT(canAccessThreadLocalDataForThread(m_thread.get()));
     ASSERT(!m_wasDeleted);
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!m_wasDeleted);
     if (m_unalignedNextFireTime != newTime)

trunk/Source/WebCore/platform/Timer.h

-                      r225470
+                      r225985
     int m_heapIndex { -1 }; // -1 if not in heap
     unsigned m_heapInsertionOrder; // Used to keep order among equal-fire-time timers
+    bool m_wasDeleted { false };
     Vector<TimerBase*>* m_cachedThreadGlobalTimerHeap { nullptr };
 #ifndef NDEBUG
     Ref<Thread> m_thread { Thread::current() };
-    bool m_wasDeleted { false };
 #endif

Note: See TracChangeset for help on using the changeset viewer.