Closed
Bug 956327
Opened 11 years ago
Closed 2 years ago
Audit use of weak pointers regarding thread-safety (potential use-after-free/double-free)
Categories
(Core :: XPCOM, defect)
Core
XPCOM
Tracking
()
RESOLVED
DUPLICATE
of bug 956338
People
(Reporter: mayhemer, Unassigned)
Details
This considers both XPCOM's ns(Supports)WeakReference and mfbt/(Supports)WeakPtr.
There might be a problem when multiple threads access/reference/dereference an object implementing nsSupportsWeakReference or SupportsWeakPtr.
Scenario:
- thread A calls Release() and drops refcnt of an object implementing nsSupportsWeakReference to 0, enters the branch that does |delete this|
- before thread A reaches the |delete this| line thread B takes and addrefs the referent (pointing to the real object) in the related nsWeakReference object ; this may happen because we set the *referent* to null from the real object's dtor that has not yet been reached at this moment
- thread A calls |delete this| on the real object
- thread B works with a deleted object (use-after-free) and when it's Release()'ed it may be (depending on in what state the heap is) double deleted (double-free)
I raise this problem since I've hit this misunderstanding of weak reference usage by two developers recently:
1: http://hg.mozilla.org/mozilla-central/annotate/325c74addeba/netwerk/base/src/Tickler.h#l56
2: http://hg.mozilla.org/mozilla-central/annotate/325c74addeba/netwerk/cache2/CacheFile.h#l50
Both demonstrates that refcntrs are implemented as thread-safe (and objects are used/can be dereferenced on any thread) but both implement nsSupportsWeakReference/SupportsWeakPtr despite the above described problem.
If I'm right with the scenario, we must audit the code and fix all places.
Comment 1•11 years ago
|
||
I think you're right!
In addition to auditing the existing code, it would be nice if we could do something to fix this and/or protect future callers against it, I just can't think of a way to do either.
Comment 2•3 years ago
|
||
Hey Honza,
Does this issue still reproduce for you or can we close it?
Flags: needinfo?(honzab.moz)
Comment 3•3 years ago
|
||
This is still an issue. These classes continue to not be threadsafe.
Flags: needinfo?(honzab.moz)
Updated•3 years ago
|
QA Whiteboard: [qa-not-actionable]
Comment 4•2 years ago
|
||
In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.
Severity: critical → --
Comment 5•2 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #3)
This is still an issue. These classes continue to not be threadsafe.
It looks as if we did at least something in bug 956338 ? Can we restate the remaining scope here?
Flags: needinfo?(continuation)
Comment 6•2 years ago
|
||
Yeah, that looks sufficient to me. Dynamic checking isn't a perfect audit, but it seems close to me.
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 956338
Flags: needinfo?(continuation)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•