Closed Bug 745200 Opened 12 years ago Closed 12 years ago

nsDiskCacheStreamIO::Flush() is sometimes called without holding the cache lock

Categories

(Core :: Networking: Cache, defect)

Product:
Core
Component:
Networking: Cache
Version:
11 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla15

People

(Reporter: michal, Assigned: michal)

Details

Attachments

(1 file)

fix
1.00 KB, patch
u408661
: review+
briansmith
: feedback+
Details | Diff | Splinter Review
Attached patch fixSplinter Review 
While doing review of bug #723577, I found out that nsDiskCacheBinding::~nsDiskCacheBinding() is called outside the cache lock. It then (potentially) calls nsDiskCacheStreamIO::ClearBinding() which calls nsDiskCacheStreamIO::Flush(). Fortunately, it seems that this case is very rare.
Attachment #614786 - Flags: review?(bsmith)
Comment on attachment 614786 [details] [diff] [review]
fix

Review of attachment 614786 [details] [diff] [review]:
-----------------------------------------------------------------

This looks reasonable to me, based on Michal's explanation. Hoever, it would be good to get a second opinion from someone who understands the cache locking stuff better than me. In particular, is it possible for an nsDiskCacheBinding to be destroyed without using NS_ProxyRelease(), in code that is already holding the cache service lock?

This should have two comments added to it, explaining what Michal explained to me:

1. In the place where NS_ProxyRelease() is called, indicate that the released thing is a nsDiskCacheBinding and that the destructor of the nsDiskCacheBinding will take the cache service lock.

2. In the destructor of nsDiskCacheBinding, point out where we call NS_ProxyRelease to release the binding.
Attachment #614786 - Flags: review?(hurley)
Attachment #614786 - Flags: review?(bsmith)
Attachment #614786 - Flags: feedback+
Comment on attachment 614786 [details] [diff] [review]
fix

Review of attachment 614786 [details] [diff] [review]:
-----------------------------------------------------------------

This looks just fine to me, I don't see anywhere that an nsDiskCacheBinding will be destroyed while already holding the lock. I agree with Brian that we should comment about the relationship between ReleaseObject_Locked and nsDiskCacheBinding.

r=me with those comments added
Attachment #614786 - Flags: review?(hurley) → review+
(In reply to Brian Smith (:bsmith) from comment #2)
> 1. In the place where NS_ProxyRelease() is called, indicate that the
> released thing is a nsDiskCacheBinding and that the destructor of the
> nsDiskCacheBinding will take the cache service lock.

I've added the comment only to the destructor of nsDiskCacheBinding since we use nsCacheService::ReleaseObject_Locked() to release also other objects.
https://hg.mozilla.org/mozilla-central/rev/df802571ace4
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: