This race condition is exposed by [browser_storage_permission.js][0] The racy ordering of events is as follows: Inheriting a controller: - [Blob URI worker inherits controller on a content process worker thread][1] - [`InheritController` IPC call received on parent process background thread][2] - [Runnable dispatch to inherit the controller on parent process main thread][3] - [Attempt to link the `ClientHandle` that inherits the controller to a `ClientSourceParent` on the parent process background thread][4] - If the `ClientSourceParent` hasn't been created and registered yet, wait for it to do so Client shutdown (initiated by `DedicatedWorkerGlobalScope.close`): - [Call to `close` on a content process worker thread][5] - [Call to `WorkerPrivate::Cancel` on the worker's owning thread][6] - [`WorkerPrivate` destructor releases the single owning `ClientSource` reference on its owning thread, which shuts down the client][7] - [`ClientSourceParent` unregisters with the `ClientManagerService` on the parent process background thread][8] It's possible that the `ClientSourceParent` gets created and destroyed in the parent before the `ClientHandle` tries to find the `ClientSourceParent` (in this case it'll never be found). As a result, this keeps the controlling Service Worker alive because the controlled client counter is always non-zero. [0]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/serviceworkers/test/browser_storage_permission.js [1]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/workers/WorkerPrivate.cpp#3059 [2]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/clients/manager/ClientSourceParent.cpp#136 [3]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/serviceworkers/ServiceWorkerManager.cpp#1183 [4]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/clients/manager/ClientHandleParent.cpp#66 [5]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/workers/WorkerScope.cpp#635 [6]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/workers/WorkerPrivate.cpp#814 [7]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/workers/WorkerPrivate.cpp#814 [8]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/clients/manager/ClientSourceParent.cpp#179
Bug 1583659 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
This race condition is exposed by [browser_storage_permission.js][0] The racy interleaving of events is as follows: Inheriting a controller: - [Blob URI worker inherits controller on a content process worker thread][1] - [`InheritController` IPC call received on parent process background thread][2] - [Runnable dispatch to inherit the controller on parent process main thread][3] - [Attempt to link the `ClientHandle` that inherits the controller to a `ClientSourceParent` on the parent process background thread][4] - If the `ClientSourceParent` hasn't been created and registered yet, wait for it to do so Client shutdown (initiated by `DedicatedWorkerGlobalScope.close`): - [Call to `close` on a content process worker thread][5] - [Call to `WorkerPrivate::Cancel` on the worker's owning thread][6] - [`WorkerPrivate` destructor releases the single owning `ClientSource` reference on its owning thread, which shuts down the client][7] - [`ClientSourceParent` unregisters with the `ClientManagerService` on the parent process background thread][8] It's possible that the `ClientSourceParent` gets created and destroyed in the parent before the `ClientHandle` tries to find the `ClientSourceParent` (in this case it'll never be found). As a result, this keeps the controlling Service Worker alive because the controlled client counter is always non-zero. [0]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/serviceworkers/test/browser_storage_permission.js [1]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/workers/WorkerPrivate.cpp#3059 [2]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/clients/manager/ClientSourceParent.cpp#136 [3]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/serviceworkers/ServiceWorkerManager.cpp#1183 [4]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/clients/manager/ClientHandleParent.cpp#66 [5]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/workers/WorkerScope.cpp#635 [6]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/workers/WorkerPrivate.cpp#814 [7]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/workers/WorkerPrivate.cpp#814 [8]: https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/clients/manager/ClientSourceParent.cpp#179