Bug 57382

Summary: [chromium] UnlockNonLocked condition reached in WorkerFileSystemsCallbackBridge::mayPostTaskToWorker
Product: WebKit Reporter: cbentzel
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, commit-queue, dimich, kinuko, levin
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

cbentzel
Reported 2011-03-29 13:29:12 PDT
Chromium Linux ThreadSanitizer bots started triggering this during a WebKit roll from 81970 to 82211. I've added a valgrind suppression for it, but the core issue should be fixed. See also http://crbug.com/77792
Attachments
Patch (2.23 KB, patch)
2011-03-29 23:16 PDT, David Levin 		no flags
DetailsFormatted DiffDiff
Patch (7.33 KB, patch)
2011-03-30 16:18 PDT, David Levin 		no flags
DetailsFormatted DiffDiff
Patch (7.21 KB, patch)
2011-03-30 17:02 PDT, David Levin 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Kinuko Yasuda
Comment 1 2011-03-29 18:38:18 PDT
Hmm, not sure how I could unlock an non-locked lock using a scoped locker? I'll look into it...
Adam Barth
Comment 2 2011-03-29 18:52:04 PDT
Memory corruption?
David Levin
Comment 3 2011-03-29 23:16:56 PDT
Created attachment 87468 [details] Patch
David Levin
Comment 4 2011-03-29 23:18:29 PDT
This got introduced recently when a race was being fixed for a ref counted object but in turn the ref counting basically got moved inside of the mutex lock which led to this issue.
Adam Barth
Comment 5 2011-03-29 23:25:48 PDT
Comment on attachment 87468 [details] Patch This patch is blowing my mind.
Kinuko Yasuda
Comment 6 2011-03-29 23:32:24 PDT
I have re-read the comment and it makes sense to me. (At least now I'm sure that the previous code could cause a memory corruption.) Thanks for looking into this one.
Dmitry Titov
Comment 7 2011-03-30 00:25:48 PDT
Comment on attachment 87468 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=87468&action=review > Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp:366 > + // Take the lock to ensure that it has been released on the other thread. Does it actually mean "Take the lock to wait until the other thread releases it"? If so, what ensures that the other thread grabbed the lock by that time? I'm not sure I really understand what you are doing here though :-)
David Levin
Comment 8 2011-03-30 11:53:17 PDT
Comment on attachment 87468 [details] Patch Ok, this was just a quick fix and no one understands it. I'm looking at this class and trying to solve this issue and the one that caused it. I think I can simplify a few things in it.
David Levin
Comment 9 2011-03-30 16:18:48 PDT
Created attachment 87636 [details] Patch
Kinuko Yasuda
Comment 10 2011-03-30 16:53:55 PDT
Comment on attachment 87636 [details] Patch This change looks good to me now. I wanted to get rid of m_selfRef but wasn't able to think of a solution. Thanks very much! View in context: https://bugs.webkit.org/attachment.cgi?id=87636&action=review > Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp:345 > + if (!bridge->m_worker) // Since this check is just an optimization, it doesn't matter that the usage isn't threadsafe. I think we can just remove these lines? (I'm afraid tsan will warn on this check.)
David Levin
Comment 11 2011-03-30 17:02:31 PDT
Created attachment 87638 [details] Patch
Dmitry Titov
Comment 12 2011-03-30 17:09:19 PDT
Comment on attachment 87638 [details] Patch r=me
WebKit Commit Bot
Comment 13 2011-03-30 20:25:20 PDT
Comment on attachment 87638 [details] Patch Clearing flags on attachment: 87638 Committed r82540: <http://trac.webkit.org/changeset/82540>
WebKit Commit Bot
Comment 14 2011-03-30 20:25:26 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.