545757 - Sync/RPC replies are posted to the IO thread after hangs

Status: RESOLVED FIXED

(Core :: IPC, defect)

Description

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

This can cause messages delivered to the IO thread to race with the incoming notification of the closed channel.

Comment 1

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

(In reply to comment #0)
> This can cause messages delivered to the IO thread to race with the incoming
> notification of the closed channel.

Also with the destruction of the channel, which can lead to use-after-free.  This is the problem I'm seeing locally on TestHangs.

Comment 2

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

After looking more, what was actually happening is that after a hang timeout, the RPCChannel was still posting replies to rpc in-calls to the RPCChannel.  This was causing out-events to remain in the IO thread's queue, and breaking an assumption made about Close() --- after Close(), there's no more pending work for the IO thread.  This led to a use-after-Clear() error when the IO thread dequeued the rpc reply posted from a dead channel; AssertIOThread() failed because mIOLoop was 0.

This bug might have been possible with regular channel errors too, but I never saw it after a *lot* of test runs.  Might have been luck.

Comment 3

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

Attachment: Don't post replies to the IO thread after a connection error.

Comment 4

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

Pushed http://hg.mozilla.org/projects/electrolysis/rev/ab07afb8c04c

Comment 5

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

http://hg.mozilla.org/mozilla-central/rev/c5ca3076da1b