bug 533034: fix race condition that led to use-after-free. thanks valgrind!

2024-10-10 03:45:46 +00:00 · 2009-12-07 00:04:00 -06:00 · 2009-12-07 00:04:00 -06:00 · f7ff8ffcef
commit f7ff8ffcef
parent 8e5648cbee
4 changed files with 28 additions and 6 deletions
--- a/ipc/glue/GeckoChildProcessHost.cpp
+++ b/ipc/glue/GeckoChildProcessHost.cpp
@ -1,4 +1,5 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ */
 /* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
--- a/ipc/ipdl/ipdl/lower.py
+++ b/ipc/ipdl/ipdl/lower.py
@ -1405,6 +1405,13 @@ class Protocol(ipdl.ast.Protocol):
        assert self.usesShmem()
        return ExprVar('mLastShmemId')

+    def shmemIdInit(self, side):
+        assert self.usesShmem()
+        # use the same scheme for shmem IDs as actor IDs
+        if side is 'parent':  return _FREED_ACTOR_ID
+        elif side is 'child': return _NULL_ACTOR_ID
+        else: assert 0
+
    def nextShmemIdExpr(self, side):
        assert self.usesShmem()
        if side is 'parent':   op = '++'
@ -2605,6 +2612,11 @@ class _GenerateProtocolActorCode(ipdl.ast.Visitor):
            ctor.memberinits = [
                ExprMemberInit(p.idVar(), [ ExprLiteral.ZERO ]) ]

+        if p.usesShmem():
+            ctor.memberinits.append(
+                ExprMemberInit(p.lastShmemIdVar(),
+                               [ p.shmemIdInit(self.side) ]))
+
        ctor.addstmt(StmtExpr(ExprCall(ExprVar('MOZ_COUNT_CTOR'),
                                       [ ExprVar(self.clsname) ])))
        self.cls.addstmts([ ctor, Whitespace.NL ])
--- a/ipc/ipdl/test/cxx/IPDLUnitTests.h
+++ b/ipc/ipdl/test/cxx/IPDLUnitTests.h
@ -111,8 +111,7 @@ void IPDLUnitTestChildInit(IPC::Channel* transport,
                           base::ProcessHandle parent,
                           MessageLoop* worker);

-inline void
-QuitChild()
+inline void QuitChild()
 {
  XRE_ShutdownChildProcess();
 }
--- a/ipc/ipdl/test/cxx/IPDLUnitTests.template.cpp
+++ b/ipc/ipdl/test/cxx/IPDLUnitTests.template.cpp
@ -144,10 +144,20 @@ QuitXPCOM()
 void
 DeleteSubprocess(MessageLoop* uiLoop)
 {
+  // pong to QuitXPCOM
  delete gSubprocess;
  uiLoop->PostTask(FROM_HERE, NewRunnableFunction(QuitXPCOM));
 }

+void
+DeferredParentShutdown()
+{
+  // ping to DeleteSubprocess
+  XRE_GetIOMessageLoop()->PostTask(
+      FROM_HERE,
+      NewRunnableFunction(DeleteSubprocess, MessageLoop::current()));
+}
+
 }


@ -195,10 +205,10 @@ ${PARENT_MAIN_CASES}
 void
 QuitParent()
 {
-  // kick off the shutdown process
-  XRE_GetIOMessageLoop()->PostTask(
-      FROM_HERE,
-      NewRunnableFunction(DeleteSubprocess, MessageLoop::current()));
+  // defer "real" shutdown to avoid *Channel::Close() racing with the
+  // deletion of the subprocess
+    MessageLoop::current()->PostTask(
+        FROM_HERE, NewRunnableFunction(DeferredParentShutdown));
 }

 } // namespace _ipdltest