commit 0b0e7480d9fd3816cbee891bf1618bc02b112cb4
author amistry <amistry@chromium.org> Wed Sep 02 18:04:22 2015
committer Commit bot <commit-bot@chromium.org> Wed Sep 02 18:05:40 2015
tree 340e6c6a5cfaeb0951737f49dbf035b3884c5044
parent 52c41cb25a551989d516abd79f0134d70a17b8d0

Fix races with MessagePipeReader due to the Mojo IPC channel being thread-safe.

This change does three things:
1. Checks the threading of MessagePipeReader using a ThreadChecker.
2. Eliminates races on |pending_send_error_| by using atomic ops.
3. Documents and removes checks which are no longer valid because Send()
   can be called on a non-IO thread.

BUG=522888,492867
TESTED=Enabled Mojo IPC channel and ran StatsTableBrowserTest.StartWithStatTable
       with tsan 100 times.
       Before: IPC-related races and DCHECK failures
       After: No IPC-related races and DCHECK failures.

Review URL: https://codereview.chromium.org/1318453002

Cr-Commit-Position: refs/heads/master@{#346967}

ipc/mojo/ipc_message_pipe_reader.h

diff --git a/ipc/mojo/ipc_message_pipe_reader.h b/ipc/mojo/ipc_message_pipe_reader.h
index 937930ee..b9c11c6 100644
--- a/ipc/mojo/ipc_message_pipe_reader.h
+++ b/ipc/mojo/ipc_message_pipe_reader.h
@@ -7,8 +7,10 @@
 
 #include <vector>
 
+#include "base/atomicops.h"
 #include "base/compiler_specific.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/threading/thread_checker.h"
 #include "ipc/ipc_message.h"
 #include "third_party/mojo/src/mojo/public/c/environment/async_waiter.h"
 #include "third_party/mojo/src/mojo/public/cpp/system/core.h"
@@ -30,7 +32,9 @@
 //  * Create the subclass instance with a MessagePipeHandle.
 //    The constructor automatically start listening on the pipe.
 //
-// MessageReader has to be used in IO thread. It isn't thread-safe.
+// All functions must be called on the IO thread, except for Send(), which can
+// be called on any thread. All |Delegate| functions will be called on the IO
+// thread.
 //
 class MessagePipeReader {
  public:
@@ -62,7 +66,7 @@
   MessagePipeReader(mojo::ScopedMessagePipeHandle handle, Delegate* delegate);
   virtual ~MessagePipeReader();
 
-  MojoHandle handle() const { return pipe_.get().value(); }
+  MojoHandle handle() const { return handle_copy_; }
 
   // Returns received bytes.
   const std::vector<char>& data_buffer() const {
@@ -100,10 +104,18 @@
   std::vector<char>  data_buffer_;
   std::vector<MojoHandle> handle_buffer_;
   mojo::ScopedMessagePipeHandle pipe_;
+  // Constant copy of the message pipe handle. For use by Send(), which can run
+  // concurrently on non-IO threads.
+  // TODO(amistry): This isn't quite right because handles can be re-used and
+  // using this can run into the ABA problem. Currently, this is highly unlikely
+  // because Mojo internally uses an increasing uint32_t as handle values, but
+  // this could change. See crbug.com/524894.
+  const MojoHandle handle_copy_;
   // |delegate_| and |async_waiter_| are null once the message pipe is closed.
   Delegate* delegate_;
   scoped_ptr<AsyncHandleWaiter> async_waiter_;
-  MojoResult pending_send_error_;
+  base::subtle::Atomic32 pending_send_error_;
+  base::ThreadChecker thread_checker_;
 
   DISALLOW_COPY_AND_ASSIGN(MessagePipeReader);
 };