RESOLVED FIXED 56138
Data race between ~WorkerFileSystemCallbacksBridge and runTasksOnWorkerThread 
https://bugs.webkit.org/show_bug.cgi?id=56138
Summary Data race between ~WorkerFileSystemCallbacksBridge and runTasksOnWorkerThread
Adam Klein
Reported 2011-03-10 13:08:21 PST
Retain a reference to the WorkerFileSystemCallbacksBridge in runTaskOnWorkerThread to avoid a race condition
Attachments
Patch (2.23 KB, patch)
2011-03-10 13:10 PST, Adam Klein 		no flags
DetailsFormatted DiffDiff
Patch (4.08 KB, patch)
2011-03-25 00:10 PDT, Kinuko Yasuda 		no flags
DetailsFormatted DiffDiff
Patch (4.36 KB, patch)
2011-03-25 15:23 PDT, Kinuko Yasuda 		levin: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Adam Klein
Comment 1 2011-03-10 13:10:08 PST
Created attachment 85382 [details] Patch
David Levin
Comment 2 2011-03-10 13:20:41 PST
Comment on attachment 85382 [details] Patch I don't understand how this changes a thing. The previous passed in variable bridge would have help the ref count. Also prpBridge looks like hungarian naming which is simply not used in WebKit.
Adam Klein
Comment 3 2011-03-10 13:22:41 PST
Working with Kinuko offline to get to the root of the issue, you're right that this doesn't solve the problem. As for the naming, though, this style is recommended by http://www.webkit.org/coding/RefPtr.html and used frequently in WebKit (as a quick codesearch shows).
David Levin
Comment 4 2011-03-10 13:24:22 PST
(In reply to comment #3) > As for the naming, though, this style is recommended by http://www.webkit.org/coding/RefPtr.html and used frequently in WebKit (as a quick codesearch shows). Good point!
Adam Klein
Comment 5 2011-03-10 13:33:20 PST
Retitling to better capture the actual problem. Here's the TSAN trace: WARNING: Possible data race during read of size 4 at 0xB16D3C4: {{{ T0 (L{}): #0 WebCore::WorkerContext::Observer::~Observer() third_party/WebKit/Source/WebCore/workers/WorkerContext.cpp:393 #1 WebKit::WorkerFileSystemCallbacksBridge::~WorkerFileSystemCallbacksBridge() third_party/WebKit/Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp:311 #2 WTF::ThreadSafeShared<WebKit::WorkerFileSystemCallbacksBridge>::deref() third_party/WebKit/Source/JavaScriptCore/wtf/ThreadSafeShared.h:135 #3 WebKit::MainThreadFileSystemCallbacks::~MainThreadFileSystemCallbacks() third_party/WebKit/Source/JavaScriptCore/wtf/PassRefPtr.h:59 #4 WebKit::MainThreadFileSystemCallbacks::didReadMetadata(WebKit::WebFileInfo const&) third_party/WebKit/Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp:119 #5 WebFileSystemCallbackDispatcher::DidReadMetadata(base::PlatformFileInfo const&) content/common/file_system/webfilesystem_callback_dispatcher.cc:44 #6 FileSystemDispatcher::OnDidReadMetadata(int, base::PlatformFileInfo const&) content/common/file_system/file_system_dispatcher.cc:242 ... Concurrent write(s) happened at (OR AFTER) these points: T2 (L{}): #0 WebCore::WorkerContext::Observer::stopObserving() third_party/WebKit/Source/WebCore/workers/WorkerContext.cpp:405 #1 WebKit::WorkerFileSystemCallbacksBridge::runTaskOnWorkerThread(WebCore::ScriptExecutionContext*, WTF::PassRefPtr<WebKit::WorkerFileSystemCallbacksBridge>, WTF::PassOwnPtr<WebCore::ScriptExecutionContext::Task>) third_party/WebKit/Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp:368 #2 WebCore::CrossThreadTask2<WTF::PassRefPtr<WebKit::WorkerFileSystemCallbacksBridge>, WTF::PassRefPtr<WebKit::WorkerFileSystemCallbacksBridge>, WTF::PassOwnPtr<WebCore::ScriptExecutionContext::Task>, WTF::PassOwnPtr<WebCore::ScriptExecutionContext::Task> >::performTask(WebCore::ScriptExecutionContext*) third_party/WebKit/Source/WebCore/dom/CrossThreadTask.h:112 #3 WebCore::WorkerRunLoop::Task::performTask(WebCore::ScriptExecutionContext*) third_party/WebKit/Source/WebCore/workers/WorkerRunLoop.cpp:199 #4 WebCore::WorkerRunLoop::runInMode(WebCore::WorkerContext*, WebCore::ModePredicate const&) third_party/WebKit/Source/WebCore/workers/WorkerRunLoop.cpp:163 #5 WebCore::WorkerRunLoop::run(WebCore::WorkerContext*) third_party/WebKit/Source/WebCore/workers/WorkerRunLoop.cpp:134 #6 WebCore::WorkerThread::runEventLoop() third_party/WebKit/Source/WebCore/workers/WorkerThread.cpp:163 #7 WebCore::DedicatedWorkerThread::runEventLoop() third_party/WebKit/Source/WebCore/workers/DedicatedWorkerThread.cpp:66 #8 WebCore::WorkerThread::workerThread() third_party/WebKit/Source/WebCore/workers/WorkerThread.cpp:141 #9 WebCore::WorkerThread::workerThreadStart(void*) third_party/WebKit/Source/WebCore/workers/WorkerThread.cpp:118 Location 0xB16D3C4 is 4 bytes inside a block starting at 0xB16D3C0 of size 52 allocated by T2 from heap: #0 malloc /tmp/valgrind-src/tsan/tsan/ts_valgrind_intercepts.c:410 #1 WTF::fastMalloc(unsigned int) third_party/WebKit/Source/JavaScriptCore/wtf/FastMalloc.cpp:250 #2 WTF::ThreadSafeSharedBase::operator new(unsigned int) third_party/WebKit/Source/JavaScriptCore/wtf/ThreadSafeShared.h:70 #3 WebKit::WorkerFileSystemCallbacksBridge::create(WebKit::WebWorkerBase*, WebCore::ScriptExecutionContext*, WebKit::WebFileSystemCallbacks*) third_party/WebKit/Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.h:83 #4 WebCore::WorkerAsyncFileSystemChromium::createWorkerFileSystemCallbacksBridge(WTF::PassOwnPtr<WebCore::AsyncFileSystemCallbacks>) third_party/WebKit/Source/WebKit/chromium/src/WorkerAsyncFileSystemChromium.cpp:219 #5 WebCore::WorkerAsyncFileSystemChromium::readMetadata(WTF::String const&, WTF::PassOwnPtr<WebCore::AsyncFileSystemCallbacks>) third_party/WebKit/Source/WebKit/chromium/src/WorkerAsyncFileSystemChromium.cpp:112 #6 WebCore::DOMFileSystemBase::getMetadata(WebCore::EntryBase const*, WTF::PassRefPtr<WebCore::MetadataCallback>, WTF::PassRefPtr<WebCore::ErrorCallback>) third_party/WebKit/Source/WebCore/fileapi/DOMFileSystemBase.cpp:104 #7 WebCore::Entry::getMetadata(WTF::PassRefPtr<WebCore::MetadataCallback>, WTF::PassRefPtr<WebCore::ErrorCallback>) third_party/WebKit/Source/WebCore/fileapi/Entry.cpp:57 #8 WebCore::EntryInternal::getMetadataCallback(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8Entry.cpp:107 #9 v8::internal::MaybeObject* v8::internal::HandleApiCallHelper<false>(v8::internal::(anonymous namespace)::BuiltinArguments<(v8::internal::BuiltinExtraArguments)1>) v8/src/builtins.cc:1069 Race verifier data: 0x9AB7AF9,0x9AB763B }}} See http://crbug.com/75589 for details.
Kinuko Yasuda
Comment 6 2011-03-25 00:10:55 PDT
Created attachment 86901 [details] Patch
David Levin
Comment 7 2011-03-25 13:05:48 PDT
Comment on attachment 86901 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=86901&action=review Just a few things but they may change the code a bit so I'd like to see it one more time. > Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp:89 > static MainThreadFileSystemCallbacks* createLeakedPtr(PassRefPtr<WorkerFileSystemCallbacksBridge> bridge, const String& mode) This should no longer be a PassRefPtr (which implies that it keeps the ref count in some way and that is clearly not the case anymore). > Source/WebKit/chromium/src/WorkerFileSystemCallbacksBridge.cpp:385 > { // Let go of the mutex before possibly deleting this due to m_selfRef.clear(). This comment and the brace are now out of date.
Kinuko Yasuda
Comment 8 2011-03-25 15:23:34 PDT
Created attachment 86987 [details] Patch
Kinuko Yasuda
Comment 9 2011-03-25 16:01:10 PDT
Committed r81999: <http://trac.webkit.org/changeset/81999>
Note You need to log in before you can comment on or make changes to this bug.