Closed
Bug 637957
Opened 13 years ago
Closed 13 years ago
Make notifiers strong owners of mCallback, to prevent crashes due to unexpected events ordering
Categories
(Toolkit :: Storage, defect)
Toolkit
Storage
Tracking
()
RESOLVED
FIXED
mozilla2.0
People
(Reporter: mak, Assigned: mak)
References
Details
(Whiteboard: [sg:moderate][hardblocker][tests in bug 638123][has patch])
Attachments
(3 files, 4 obsolete files)
1.48 KB,
patch
|
Details | Diff | Splinter Review | |
1.53 KB,
patch
|
christian
:
approval1.9.2.17+
|
Details | Diff | Splinter Review |
1.45 KB,
patch
|
christian
:
approval1.9.1.19+
|
Details | Diff | Splinter Review |
See https://bugzilla.mozilla.org/show_bug.cgi?id=634796#c22 While spinnging the events loop in a HandleResult is not nice at all, owenrship should be changed so that it won't make us crash at random addresses.
Assignee | ||
Comment 1•13 years ago
|
||
Changing ownership here, should pay particularly attention that releases will happen on the right thread.
Assignee | ||
Updated•13 years ago
|
Summary: Made notifiers strong owners of mCallback, to prevent crashes due to unexpected events ordering → Make notifiers strong owners of mCallback, to prevent crashes due to unexpected events ordering
Comment 2•13 years ago
|
||
(In reply to comment #1) > Changing ownership here, should pay particularly attention that releases will > happen on the right thread. Releases will absolutely happen on the correct thread; the callback is being run on the thread it was called on (which is the one the releases should happen on).
Assignee | ||
Comment 3•13 years ago
|
||
(In reply to comment #2) > (In reply to comment #1) > > Changing ownership here, should pay particularly attention that releases will > > happen on the right thread. > Releases will absolutely happen on the correct thread; the callback is being > run on the thread it was called on (which is the one the releases should happen > on). Yes it runs on the correct thread, but the runnable is not created on the same thread, so it could still release mCallback on the thread where the runnable was created rather than the thread where mCallback runs. For example AsyncGetBookmarksForURI should be destroyed on the main-thread, the results notifier runs on the main thread, but is created and destroyed on the async thread afaict.
Assignee | ||
Comment 4•13 years ago
|
||
So, we have to release the ownership explicitely in Run(), this is fine, there is still the AddRef problem... Actually Run() could just: AddRef ->HandleResult Release
Assignee | ||
Comment 5•13 years ago
|
||
The test is not perfect, but works. It is practically partially running on destruction, thus I use NS_RUNTIMEABORT, looks like I'm unable to make it properly fake-async (my tries with spinning ended up making it hang).
Attachment #516261 -
Flags: review?(sdwilsh)
Assignee | ||
Comment 6•13 years ago
|
||
better for review
Attachment #516261 -
Attachment is obsolete: true
Attachment #516261 -
Flags: review?(sdwilsh)
Attachment #516262 -
Flags: review?(sdwilsh)
Assignee | ||
Updated•13 years ago
|
OS: Windows 7 → All
Hardware: x86 → All
Comment 7•13 years ago
|
||
This fixes bug 634796, so I'm promoting this to hardblocker. Review coming shortly...
Assignee: nobody → mak77
Status: NEW → ASSIGNED
blocking2.0: --- → final+
Whiteboard: [hardblocker]
Comment 8•13 years ago
|
||
Comment on attachment 516262 [details] [diff] [review] patch v1.0 (8 lines context) >+++ b/storage/src/mozStorageAsyncStatementExecution.cpp >+ // Hold a strong reference to the callback while notifying it, so that if it >+ // should spin the events loop, won't be able to release it in spite of us. >+ nsCOMPtr<mozIStorageStatementCallback> callback = mCallback; nit: "...spin the event loop, the callback won't be released and freed out from under us." Also, this needs to be done for ErrorCallback, with a test as well (easiest way to get that callback is to trigger a constraint error by trying to inset a duplicate primary key). >+ // Ensure to release our reference on this thread. >+ callback = 0; You don't need to do this. nsCOMPtr's destructor will run the moment this method returns, which will happen on this thread. >+++ b/storage/test/test_HandleResult_spinEventsLoop.cpp How about we go with test_async_callbacks_with_spun_event_loops.cpp? I don't think the test actually tests this, however. With that said, I'm OK with getting the fix in, and then spending time out of the release critical path to get the test right. What we really want to test is this: 1) Fire off a query that would get a handleResult callback (ideally, just one). 2) When we get the handleResult call, spin the event loop until we get a handleCompletion callback 3) Set a heap variable that isn't a member of the callback object to true indicating that the object is currently alive. In the callbacks destructor, we'll want to set this to false. (we may need to create this heap variable before step 4, and may set it earlier too) 4) At this point, our handleResult spinning will be complete, and we should ensure that our heap variable that is set to false when our destructor runs is still true. The above test should fail without your patch. You can replace handleResult with handleError for the additional testcase I asked for. r=sdwilsh on the code changes. We need to work on the test more though, so file a follow-up please.
Attachment #516262 -
Flags: review?(sdwilsh) → review+
Assignee | ||
Comment 9•13 years ago
|
||
> 1) Fire off a query that would get a handleResult callback (ideally, just one). the test does this > 2) When we get the handleResult call, spin the event loop until we get a > handleCompletion callback and does this > 3) Set a heap variable that isn't a member of the callback object to true > indicating that the object is currently alive. In the callbacks destructor, > we'll want to set this to false. (we may need to create this heap variable > before step 4, and may set it earlier too) it's done through a local property of the callback, I like the idea of a global var though, or maybe a static property. > 4) At this point, our handleResult spinning will be complete, and we should > ensure that our heap variable that is set to false when our destructor runs is > still true. and does this > The above test should fail without your patch. and does this! My test does exactly what you said, apart using a global variable, could be made more readable maybe. You can replace handleResult > with handleError for the additional testcase I asked for. will do
Assignee | ||
Comment 10•13 years ago
|
||
I'm splitting the tests to bug 638123, since Shawn currently cannot do a full review of it and we can come with a more polished test. The fix is pretty much straight-forward and I'll run the tests locally before pushing since they already work fine, we can land the tests in the next days on tinderboxes once properly reviewed.
Assignee | ||
Updated•13 years ago
|
Whiteboard: [hardblocker] → [hardblocker][tests in bug 638123]
Assignee | ||
Comment 11•13 years ago
|
||
Addressed comments. Before pushing I'll fix and run tests locally, then will attach them to the followup for review (so this won't block the release).
Attachment #516262 -
Attachment is obsolete: true
Assignee | ||
Comment 12•13 years ago
|
||
Per IRC discussion.
Attachment #516289 -
Attachment is obsolete: true
Assignee | ||
Updated•13 years ago
|
Whiteboard: [hardblocker][tests in bug 638123] → [hardblocker][tests in bug 638123][has patch]
Assignee | ||
Comment 13•13 years ago
|
||
I attached tests I used locally to bug 638123, after double checking they fail before the patch and pass after. Those tests will land apart per comment 10. http://hg.mozilla.org/mozilla-central/rev/290403971149
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•13 years ago
|
Target Milestone: --- → mozilla2.0
Assignee | ||
Comment 14•13 years ago
|
||
pushed a follow-up, I forgot to properly QI and luckily a Places test complained! http://hg.mozilla.org/mozilla-central/rev/38028bf13fb2
Comment 15•13 years ago
|
||
(In reply to comment #14) > pushed a follow-up, I forgot to properly QI and luckily a Places test > complained! > http://hg.mozilla.org/mozilla-central/rev/38028bf13fb2 Er, what? mCallback in both methods is a mozIStorageStatementCallback*, so that QI doesn't do anything useful.
Comment 16•13 years ago
|
||
...and yet that is very clearly what that assertion is saying. Can somebody explain to me why? I'm guessing XPConnect doesn't create the QI until it's needed, but would love a confirmation.
Assignee | ||
Comment 17•13 years ago
|
||
That fixed the error locally, i preferred avoiding a permaorange. Looking at the thing, looks like there is some wrong iSupports inheritance in nsNavHistoryFolderResultNode, when test_async.js runs it probably doesn't cast it properly due to a bogus NS_IMPL_ISUPPORTS_INHERITED
Assignee | ||
Comment 18•13 years ago
|
||
or most likely ambiguous inheritance
Comment 19•13 years ago
|
||
(In reply to comment #17) > That fixed the error locally, i preferred avoiding a permaorange. > Looking at the thing, looks like there is some wrong iSupports inheritance in > nsNavHistoryFolderResultNode, when test_async.js runs it probably doesn't cast > it properly due to a bogus NS_IMPL_ISUPPORTS_INHERITED I'm still pretty sure we shouldn't have to do that. Can you file a bug about it so we can get the right fix in eventually please?
Assignee | ||
Comment 20•13 years ago
|
||
sure, fwiw Neil suggested we could use a RefPtr to save the QI
Comment 21•13 years ago
|
||
This can fix some crashes on branch (especially when Sync is installed).
blocking1.9.2: --- → ?
Updated•13 years ago
|
Comment 23•13 years ago
|
||
Does this apply to the 1.9.1 branch also? We'll need roll-up patches to approve for the branches. Looks like there were at least two chunks checked in to fix this.
Comment 24•13 years ago
|
||
(In reply to comment #23) > Does this apply to the 1.9.1 branch also? It should, yeah. > We'll need roll-up patches to approve for the branches. Looks like there were > at least two chunks checked in to fix this. I'll do that later today.
Comment 25•13 years ago
|
||
Attachment #517502 -
Flags: approval1.9.2.16?
Comment 26•13 years ago
|
||
Comment on attachment 517502 [details] [diff] [review] 1.9.2 rollup This is very clearly not what I intended to upload...
Attachment #517502 -
Attachment is obsolete: true
Attachment #517502 -
Flags: approval1.9.2.16?
Comment 27•13 years ago
|
||
Somehow, my 1.9.2 tree was totally hosed. Repulling and trying again...
Updated•13 years ago
|
blocking1.9.2: .15+ → .16+
Comment 28•13 years ago
|
||
Attachment #517555 -
Flags: approval1.9.2.16?
Comment 29•13 years ago
|
||
Filename difference here and we use a different method name for checking if we should run (runEvent vs shouldNotify). Otherwise, it's all the same.
Attachment #517556 -
Flags: approval1.9.1.18?
blocking1.9.1: ? → .18+
Attachment #517555 -
Flags: approval1.9.2.16? → approval1.9.2.16+
Attachment #517556 -
Flags: approval1.9.1.18? → approval1.9.1.18+
Updated•13 years ago
|
Group: core-security
Whiteboard: [hardblocker][tests in bug 638123][has patch] → [sg:moderate][hardblocker][tests in bug 638123][has patch]
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•