-
Robbie McElrath authored
net::SerialWorker is a RefCountedThreadSafe object that also uses WeakPtrFactory to create WeakPtrs of itself. To run whatever work it's supposed to run, it PostTaskWithTraitsAndReply's to another sequence to do the work there, and then gets called back when the work is complete. The work callback holds a (refcounted) reference to the SerialWorker, and the reply callback is bound to a WeakPtr to ensure the SerialWorker will still be deleted if posting the reply fails. WeakPtr enforces that all dereferences to it, as well as its invalidation, must happen on the same sequence to avoid races. When the reply callback is being called, it dereferences the SerialWorker WeakPtr on the original sequence, which binds that WeakPtr to that sequence. It's possible for the SerialWorker’s owner to release it after the WeakPtr has been checked, but before the worker function has returned, in which case the worker function will have the last reference to the SerialWorker. In that case, when the worker function finally does return, it will delete the SerialWorker, which will delete its WeakPtrFactory, which will invalidate existing WeakPtrs. However, the WeakPtr was previously dereferenced on the SerialWorker sequence, and now it’s being invalidated on the worker sequence, which is invalid. To fix this, this CL makes SerialWorker a RefCountedDeleteOnSequence to ensure the deletion always happens in the right sequence. Bug: 882610 Change-Id: If738d3724384ffd5ac210130415bce7262932feb Reviewed-on: https://chromium-review.googlesource.com/c/1336066 Commit-Queue: Robbie McElrath <rmcelrath@chromium.org> Reviewed-by:
Eric Roman <eroman@chromium.org> Reviewed-by:
Eric Orth <ericorth@chromium.org> Cr-Commit-Position: refs/heads/master@{#608223}
31391ba3
