Home Explore Help
Sign In
noah
/
ungoogled-chromium-xdg-aur
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 9f1dcf765d
Branches Tags
ungoogled-chrom...
/
avoid-double-destruction-of-ServiceWorkerObjectHost.patch

avoid-double-destruction-of-ServiceWorkerObjectHost.patch 6.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138 
  1. From bd59ce32629ef684624821419c43967b73d2989e Mon Sep 17 00:00:00 2001
    2. 

  2. From: Hiroki Nakagawa <nhiroki@chromium.org>
    3. 

  3. Date: Fri, 8 May 2020 08:25:31 +0000
    4. 

  4. Subject: [PATCH] ServiceWorker: Avoid double destruction of
    5. 

  5.  ServiceWorkerObjectHost on connection error
    6. 

  6. 

  7. This CL avoids the case where ServiceWorkerObjectHost is destroyed twice
    8. 

  8. on ServiceWorkerObjectHost::OnConnectionError() when Chromium is built
    9. 

  9. with the GCC build toolchain.
    10. 

  10. 

  11. > How does the issue happen?
    12. 

  12. 

  13. ServiceWorkerObjectHost has a cyclic reference like this:
    14. 

  14. 

  15. ServiceWorkerObjectHost
    16. 

  16.   --([1] scoped_refptr)--> ServiceWorkerVersion
    17. 

  17.     --([2] std::unique_ptr)--> ServiceWorkerProviderHost
    18. 

  18.       --([3] std::unique_ptr)--> ServiceWorkerContainerHost
    19. 

  19.         --([4] std::unique_ptr)--> ServiceWorkerObjectHost
    20. 

  20. 

  21. Note that ServiceWorkerContainerHost manages ServiceWorkerObjectHost in
    22. 

  22. map<int64_t version_id, std::unique_ptr<ServiceWorkerObjectHost>>.
    23. 

  23. 

  24. When ServiceWorkerObjectHost::OnConnectionError() is called, the
    25. 

  25. function removes the reference [4] from the map, and destroys
    26. 

  26. ServiceWorkerObjectHost. If the object host has the last reference [1]
    27. 

  27. to ServiceWorkerVersion, the destruction also cuts off the references
    28. 

  28. [2] and [3], and destroys ServiceWorkerProviderHost and
    29. 

  29. ServiceWorkerContainerHost.
    30. 

  30. 

  31. This seems to work well on the Chromium's default toolchain, but not
    32. 

  32. work on the GCC toolchain. According to the report, destruction of
    33. 

  33. ServiceWorkerContainerHost happens while the map owned by the container
    34. 

  34. host is erasing the ServiceWorkerObjectHost, and this results in crash
    35. 

  35. due to double destruction of the object host.
    36. 

  36. 

  37. I don't know the reason why this happens only on the GCC toolchain, but
    38. 

  38. I suspect the order of object destruction on std::map::erase() could be
    39. 

  39. different depending on the toolchains.
    40. 

  40. 

  41. > How does this CL fix this?
    42. 

  42. 

  43. The ideal fix is to redesign the ownership model of
    44. 

  44. ServiceWorkerVersion, but it's not feasible in the short term.
    45. 

  45. 

  46. Instead, this CL avoids destruction of ServiceWorkerObjectHost on
    47. 

  47. std::map::erase(). The new code takes the ownership of the object host
    48. 

  48. from the map first, and then erases the entry from the map. This
    49. 

  49. separates timings to erase the map entry and to destroy the object host,
    50. 

  50. so the crash should no longer happen.
    51. 

  51. 

  52. Bug: 1056598
    53. 

  53. Change-Id: Id30654cb575bc557c42044d6f0c6f1f9bfaed613
    54. 

  54. Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2094496
    55. 

  55. Reviewed-by: Makoto Shimazu <shimazu@chromium.org>
    56. 

  56. Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
    57. 

  57. Cr-Commit-Position: refs/heads/master@{#766770}
    58. 

  58. ---
    59. 

  59.  .../service_worker_container_host.cc          | 10 +++++
    60. 

  60.  .../service_worker_object_host_unittest.cc    | 38 +++++++++++++++++++
    61. 

  61.  2 files changed, 48 insertions(+)
    62. 

  62. 

  63. diff --git a/content/browser/service_worker/service_worker_container_host.cc b/content/browser/service_worker/service_worker_container_host.cc
    64. 

  64. index ec7fb1449af..98c62093b0e 100644
    65. 

  65. --- a/content/browser/service_worker/service_worker_container_host.cc
    66. 

  66. +++ b/content/browser/service_worker/service_worker_container_host.cc
    67. 

  67. @@ -669,6 +669,16 @@ void ServiceWorkerContainerHost::RemoveServiceWorkerObjectHost(
    68. 

  68.      int64_t version_id) {
    69. 

  69.    DCHECK_CURRENTLY_ON(ServiceWorkerContext::GetCoreThreadId());
    70. 

  70.    DCHECK(base::Contains(service_worker_object_hosts_, version_id));
    71. 

  71. +
    72. 

  72. +  // ServiceWorkerObjectHost to be deleted may have the last reference to
    73. 

  73. +  // ServiceWorkerVersion that indirectly owns this ServiceWorkerContainerHost.
    74. 

  74. +  // If we erase the object host directly from the map, |this| could be deleted
    75. 

  75. +  // during the map operation and may crash. To avoid the case, we take the
    76. 

  76. +  // ownership of the object host from the map first, and then erase the entry
    77. 

  77. +  // from the map. See https://crbug.com/1056598 for details.
    78. 

  78. +  std::unique_ptr<ServiceWorkerObjectHost> to_be_deleted =
    79. 

  79. +      std::move(service_worker_object_hosts_[version_id]);
    80. 

  80. +  DCHECK(to_be_deleted);
    81. 

  81.    service_worker_object_hosts_.erase(version_id);
    82. 

  82.  }
    83. 

  83.  
    84. 

  84. diff --git a/content/browser/service_worker/service_worker_object_host_unittest.cc b/content/browser/service_worker/service_worker_object_host_unittest.cc
    85. 

  85. index 408d7c1f9d1..6eab59040ab 100644
    86. 

  86. --- a/content/browser/service_worker/service_worker_object_host_unittest.cc
    87. 

  87. +++ b/content/browser/service_worker/service_worker_object_host_unittest.cc
    88. 

  88. @@ -200,6 +200,19 @@ class ServiceWorkerObjectHostTest : public testing::Test {
    89. 

  89.      return registration_info;
    90. 

  90.    }
    91. 

  91.  
    92. 

  92. +  void CallOnConnectionError(ServiceWorkerContainerHost* container_host,
    93. 

  93. +                             int64_t version_id) {
    94. 

  94. +    // ServiceWorkerObjectHost has the last reference to the version.
    95. 

  95. +    ServiceWorkerObjectHost* object_host =
    96. 

  96. +        GetServiceWorkerObjectHost(container_host, version_id);
    97. 

  97. +    EXPECT_TRUE(object_host->version_->HasOneRef());
    98. 

  98. +
    99. 

  99. +    // Make sure that OnConnectionError induces destruction of the version and
    100. 

  100. +    // the object host.
    101. 

  101. +    object_host->receivers_.Clear();
    102. 

  102. +    object_host->OnConnectionError();
    103. 

  103. +  }
    104. 

  104. +
    105. 

  105.    BrowserTaskEnvironment task_environment_;
    106. 

  106.    std::unique_ptr<EmbeddedWorkerTestHelper> helper_;
    107. 

  107.    scoped_refptr<ServiceWorkerRegistration> registration_;
    108. 

  108. @@ -409,5 +422,30 @@ TEST_F(ServiceWorkerObjectHostTest, DispatchExtendableMessageEvent_FromClient) {
    109. 

  109.              events[0]->source_info_for_client->client_type);
    110. 

  110.  }
    111. 

  111.  
    112. 

  112. +// This is a regression test for https://crbug.com/1056598.
    113. 

  113. +TEST_F(ServiceWorkerObjectHostTest, OnConnectionError) {
    114. 

  114. +  const GURL scope("https://www.example.com/");
    115. 

  115. +  const GURL script_url("https://www.example.com/service_worker.js");
    116. 

  116. +  Initialize(std::make_unique<EmbeddedWorkerTestHelper>(base::FilePath()));
    117. 

  117. +  SetUpRegistration(scope, script_url);
    118. 

  118. +
    119. 

  119. +  // Create the provider host.
    120. 

  120. +  ASSERT_EQ(blink::ServiceWorkerStatusCode::kOk,
    121. 

  121. +            StartServiceWorker(version_.get()));
    122. 

  122. +
    123. 

  123. +  // Set up the case where the last reference to the version is owned by the
    124. 

  124. +  // service worker object host.
    125. 

  125. +  ServiceWorkerContainerHost* container_host =
    126. 

  126. +      version_->provider_host()->container_host();
    127. 

  127. +  ServiceWorkerVersion* version_rawptr = version_.get();
    128. 

  128. +  version_ = nullptr;
    129. 

  129. +  ASSERT_TRUE(version_rawptr->HasOneRef());
    130. 

  130. +
    131. 

  131. +  // Simulate the connection error that induces the object host destruction.
    132. 

  132. +  // This shouldn't crash.
    133. 

  133. +  CallOnConnectionError(container_host, version_rawptr->version_id());
    134. 

  134. +  base::RunLoop().RunUntilIdle();
    135. 

  135. +}
    136. 

  136. +
    137. 

  137.  }  // namespace service_worker_object_host_unittest
    138. 

  138.  }  // namespace content
    139.