Google Git
Sign in
chromium / chromium / src.git / 31391ba33a8da1d9618fbfdb42aaa911cb986cf3^! / . / net / dns / serial_worker.cc
commit31391ba33a8da1d9618fbfdb42aaa911cb986cf3[log] [tgz]
authorRobbie McElrath <[email protected]>Thu Nov 15 02:04:50 2018
committerCommit Bot <[email protected]>Thu Nov 15 02:04:50 2018
treef6464831ca1421d4c81fd7afc2ed9786512ed917
parent342d16b408d9af840c61aeca5e32e9422e314e17 [diff] [blame]
Fix race condition in net::SerialWorker.

net::SerialWorker is a RefCountedThreadSafe object that also uses
WeakPtrFactory to create WeakPtrs of itself. To run whatever work it's
supposed to run, it PostTaskWithTraitsAndReply's to another sequence to
do the work there, and then gets called back when the work is complete.
The work callback holds a (refcounted) reference to the SerialWorker,
and the reply callback is bound to a WeakPtr to ensure the SerialWorker
will still be deleted if posting the reply fails. WeakPtr enforces that
all dereferences to it, as well as its invalidation, must happen on the
same sequence to avoid races. When the reply callback is being called,
it dereferences the SerialWorker WeakPtr on the original sequence,
which binds that WeakPtr to that sequence. It's possible for the
SerialWorker’s owner to release it after the WeakPtr has been checked,
but before the worker function has returned, in which case the worker
function will have the last reference to the SerialWorker. In that case,
when the worker function finally does return, it will delete the
SerialWorker, which will delete its WeakPtrFactory, which will
invalidate existing WeakPtrs. However, the WeakPtr was previously
dereferenced on the SerialWorker sequence, and now it’s being
invalidated on the worker sequence, which is invalid.

To fix this, this CL makes SerialWorker a RefCountedDeleteOnSequence to
ensure the deletion always happens in the right sequence.

Bug: 882610
Change-Id: If738d3724384ffd5ac210130415bce7262932feb
Reviewed-on: https://chromium-review.googlesource.com/c/1336066
Commit-Queue: Robbie McElrath <[email protected]>
Reviewed-by: Eric Roman <[email protected]>
Reviewed-by: Eric Orth <[email protected]>
Cr-Commit-Position: refs/heads/master@{#608223}
diff --git a/net/dns/serial_worker.cc b/net/dns/serial_worker.cc
index 815c0d8..520bd3a 100644
--- a/net/dns/serial_worker.cc
+++ b/net/dns/serial_worker.cc

@@ -7,11 +7,16 @@
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/task/post_task.h"
+#include "base/threading/sequenced_task_runner_handle.h"
 #include "base/threading/thread_task_runner_handle.h"
 
 namespace net {
 
-SerialWorker::SerialWorker() : state_(IDLE), weak_factory_(this) {}
+SerialWorker::SerialWorker()
+    : base::RefCountedDeleteOnSequence<SerialWorker>(
+          base::SequencedTaskRunnerHandle::Get()),
+      state_(IDLE),
+      weak_factory_(this) {}
 
 SerialWorker::~SerialWorker() = default;