[webkit-changes] [227976] trunk/Source/WTF

[mcatanzaro]

Title: [227976] trunk/Source/WTF

Revision

227976

Author

mcatanz...@igalia.com

Date

2018-02-01 11:41:11 -0800 (Thu, 01 Feb 2018)

Log Message

[WPE][GTK] Make RunLoop::TimerBase robust to its own deletion inside its source callback
https://bugs.webkit.org/show_bug.cgi?id=182271

Reviewed by Carlos Garcia Campos.

RunLoopTimer::fired executes the user's callback, which could delete the RunLoopTimer
itself. But the source callback is not prepared to handle this case. We can detect it
easily, because TimerBase's destructor will call g_source_destroy(), which confusingly
removes the GSource from its GMainContext without actually destroying the GSource. Then we
can check if the GSource is still attached using g_source_is_destroyed().

* wtf/glib/RunLoopGLib.cpp:
(WTF::RunLoop::TimerBase::TimerBase):

Modified Paths

• trunk/Source/WTF/ChangeLog
• trunk/Source/WTF/wtf/glib/RunLoopGLib.cpp

Diff

Modified: trunk/Source/WTF/ChangeLog (227975 => 227976)

--- trunk/Source/WTF/ChangeLog	2018-02-01 19:07:48 UTC (rev 227975)
+++ trunk/Source/WTF/ChangeLog	2018-02-01 19:41:11 UTC (rev 227976)
@@ -1,3 +1,19 @@
+2018-02-01  Michael Catanzaro  <mcatanz...@igalia.com>
+
+        [WPE][GTK] Make RunLoop::TimerBase robust to its own deletion inside its source callback
+        https://bugs.webkit.org/show_bug.cgi?id=182271
+
+        Reviewed by Carlos Garcia Campos.
+
+        RunLoopTimer::fired executes the user's callback, which could delete the RunLoopTimer
+        itself. But the source callback is not prepared to handle this case. We can detect it
+        easily, because TimerBase's destructor will call g_source_destroy(), which confusingly
+        removes the GSource from its GMainContext without actually destroying the GSource. Then we
+        can check if the GSource is still attached using g_source_is_destroyed().
+
+        * wtf/glib/RunLoopGLib.cpp:
+        (WTF::RunLoop::TimerBase::TimerBase):
+
 2018-01-31  Saam Barati  <sbar...@apple.com>
 
         Replace tryLargeMemalignVirtual with tryLargeZeroedMemalignVirtual and use it to allocate large zeroed memory in Wasm

Modified: trunk/Source/WTF/wtf/glib/RunLoopGLib.cpp (227975 => 227976)

--- trunk/Source/WTF/wtf/glib/RunLoopGLib.cpp	2018-02-01 19:07:48 UTC (rev 227975)
+++ trunk/Source/WTF/wtf/glib/RunLoopGLib.cpp	2018-02-01 19:41:11 UTC (rev 227976)
@@ -162,8 +162,14 @@
     g_source_set_priority(m_source.get(), RunLoopSourcePriority::RunLoopTimer);
     g_source_set_name(m_source.get(), "[WebKit] RunLoop::Timer work");
     g_source_set_callback(m_source.get(), [](gpointer userData) -> gboolean {
+        // fired() executes the user's callback. It may destroy timer,
+        // so we must check if the source is still active afterwards
+        // before it is safe to dereference timer again.
         RunLoop::TimerBase* timer = static_cast<RunLoop::TimerBase*>(userData);
+        GSource* source = timer->m_source.get();
         timer->fired();
+        if (g_source_is_destroyed(source))
+            return G_SOURCE_REMOVE;
         if (timer->m_isRepeating)
             timer->updateReadyTime();
         return G_SOURCE_CONTINUE;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes