Title: [225985] trunk/Source/WebCore
Revision
225985
Author
rn...@webkit.org
Date
2017-12-15 13:32:07 -0800 (Fri, 15 Dec 2017)

Log Message

Add a release assert that Timer::m_wasDeleted is false in setNextFireTime
https://bugs.webkit.org/show_bug.cgi?id=180860
<rdar://problem/36066500>

Reviewed by David Kilzer.

Turn an existing debug-only assertion into a release assertion to help diagnose a crash
which appears to be caused by a freed timer getting scheduled back into the timer heap.

* platform/Timer.cpp:
(WebCore::TimerBase::~TimerBase):
(WebCore::TimerBase::setNextFireTime):
* platform/Timer.h:

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (225984 => 225985)


--- trunk/Source/WebCore/ChangeLog	2017-12-15 21:27:24 UTC (rev 225984)
+++ trunk/Source/WebCore/ChangeLog	2017-12-15 21:32:07 UTC (rev 225985)
@@ -1,3 +1,19 @@
+2017-12-15  Ryosuke Niwa  <rn...@webkit.org>
+
+        Add a release assert that Timer::m_wasDeleted is false in setNextFireTime
+        https://bugs.webkit.org/show_bug.cgi?id=180860
+        <rdar://problem/36066500>
+
+        Reviewed by David Kilzer.
+
+        Turn an exist debug-only assertion into a release assertion to help diagnose a crash
+        which appears to be caused by a freed timer getting scheduled back into the timer heap.
+
+        * platform/Timer.cpp:
+        (WebCore::TimerBase::~TimerBase):
+        (WebCore::TimerBase::setNextFireTime):
+        * platform/Timer.h:
+
 2017-12-15  Simon Fraser  <simon.fra...@apple.com>
 
         Elements animated on-screen are missing sometimes
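Review bot: typo in the new ChangeLog entry, "Turn an exist debug-only assertion" should read "Turn an existing debug-only assertion"; worth fixing before landing since the same sentence is the commit message.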

Modified: trunk/Source/WebCore/platform/Timer.cpp (225984 => 225985)


--- trunk/Source/WebCore/platform/Timer.cpp	2017-12-15 21:27:24 UTC (rev 225984)
+++ trunk/Source/WebCore/platform/Timer.cpp	2017-12-15 21:32:07 UTC (rev 225985)
@@ -193,9 +193,7 @@
 {
     stop();
     ASSERT(!inHeap());
-#ifndef NDEBUG
     m_wasDeleted = true;
-#endif
 }
 
 void TimerBase::start(Seconds nextFireInterval, Seconds repeatInterval)
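Review bot: the ordering in the destructor now matters in release builds and deserves a short comment. `m_wasDeleted = true;` is set only after `stop();` returns, so if stop() reaches setNextFireTime() on this object the new release assert in that function is not tripped by the destructor itself; a later reorder that moves the store above stop() would turn every timer destruction into a crash. Separately, `ASSERT(!inHeap());` two lines up stays debug-only: a timer destroyed while still in the heap is exactly the object that later gets rescheduled on freed memory, so consider promoting that check too, since it would fire at the destruction site rather than at the later reuse site and give a more useful backtrace.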
@@ -360,7 +358,7 @@
 void TimerBase::setNextFireTime(MonotonicTime newTime)
 {
     ASSERT(canAccessThreadLocalDataForThread(m_thread.get()));
-    ASSERT(!m_wasDeleted);
+    RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(!m_wasDeleted);
 
     if (m_unalignedNextFireTime != newTime)
         m_unalignedNextFireTime = newTime;
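Review bot: the new RELEASE_ASSERT_WITH_SECURITY_IMPLICATION reads `m_wasDeleted` from an object that, in the case being diagnosed, has already been freed, so it is a best-effort probe rather than a guarantee: it catches the reuse only while the allocator has left that byte intact. If the slot has been handed out to a new TimerBase, the `{ false }` initializer in Timer.h resets the flag and the assert passes on a stale pointer. That limitation should be stated in the ChangeLog so a crash that gets past this check is not read as proof the timer was live. The preceding `ASSERT(canAccessThreadLocalDataForThread(m_thread.get()))` remains debug-only because `m_thread` stays under `#ifndef NDEBUG`, which is consistent with the intent here.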

Modified: trunk/Source/WebCore/platform/Timer.h (225984 => 225985)


--- trunk/Source/WebCore/platform/Timer.h	2017-12-15 21:27:24 UTC (rev 225984)
+++ trunk/Source/WebCore/platform/Timer.h	2017-12-15 21:32:07 UTC (rev 225985)
@@ -100,11 +100,11 @@
     Seconds m_repeatInterval; // 0 if not repeating
     int m_heapIndex { -1 }; // -1 if not in heap
     unsigned m_heapInsertionOrder; // Used to keep order among equal-fire-time timers
+    bool m_wasDeleted { false };
     Vector<TimerBase*>* m_cachedThreadGlobalTimerHeap { nullptr };
 
 #ifndef NDEBUG
     Ref<Thread> m_thread { Thread::current() };
-    bool m_wasDeleted { false };
 #endif
 
     friend class ThreadTimers;
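Review bot: placing `bool m_wasDeleted { false };` between `unsigned m_heapInsertionOrder` and the `Vector<TimerBase*>*` pointer adds padding in release builds. `int m_heapIndex` and `unsigned m_heapInsertionOrder` pack into 8 bytes and were followed directly by the pointer; the bool now sits in its own 8-byte slot (1 byte plus 7 bytes of alignment padding before the pointer on 64-bit), so sizeof(TimerBase) grows by 8 bytes for every timer in the process. Since the flag was previously debug-only this is a new cost; either note in the ChangeLog that the size growth is accepted for the diagnostic, or fold the flag into existing spare state (for example `m_heapIndex` already encodes "not in heap" as -1, so another sentinel or a spare bit there could carry it without growing the class).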
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes