Bug 1248958 - CacheIndex mRWBuf ownership too fragile, read-after-free, r=honzab
authorMichal Novotny <michal.novotny@gmail.com>
Thu, 18 Feb 2016 11:43:20 +0100
changeset 331887 09b52ee5396030d49e946114c2cb7507645b8c96
parent 331886 1f67b24cbb75f685cde5a156adac09d532aab003
child 331888 291cf27e6e55e20279fdb53219038b171abc945a
push id11113
push userrjesup@wgate.com
push dateThu, 18 Feb 2016 19:00:12 +0000
reviewershonzab
bugs1248958
milestone47.0a1
Bug 1248958 - CacheIndex mRWBuf ownership too fragile, read-after-free, r=honzab
netwerk/cache2/CacheIndex.cpp
--- a/netwerk/cache2/CacheIndex.cpp
+++ b/netwerk/cache2/CacheIndex.cpp
@@ -342,23 +342,25 @@ CacheIndex::PreShutdown()
 
   if (index->mState == READY) {
     return NS_OK; // nothing to do
   }
 
   nsCOMPtr<nsIRunnable> event;
   event = NS_NewRunnableMethod(index, &CacheIndex::PreShutdownInternal);
 
-  nsCOMPtr<nsIEventTarget> ioTarget = CacheFileIOManager::IOTarget();
-  MOZ_ASSERT(ioTarget);
-
-  // PreShutdownInternal() will be executed before any queued event on INDEX
-  // level. That's OK since we don't want to wait for any operation in progess.
-  // We need to interrupt it and save journal as quickly as possible.
-  rv = ioTarget->Dispatch(event, nsIEventTarget::DISPATCH_NORMAL);
+  RefPtr<CacheIOThread> ioThread = CacheFileIOManager::IOThread();
+  MOZ_ASSERT(ioThread);
+
+  // Executing PreShutdownInternal() on WRITE level ensures that read/write
+  // events holding pointer to mRWBuf will be executed before we release the
+  // buffer by calling FinishRead()/FinishWrite() in PreShutdownInternal(), but
+  // it will be executed before any queued event on INDEX level. That's OK since
+  // we don't want to wait until updating of the index finishes.
+  rv = ioThread->Dispatch(event, CacheIOThread::WRITE);
   if (NS_FAILED(rv)) {
     NS_WARNING("CacheIndex::PreShutdown() - Can't dispatch event");
     LOG(("CacheIndex::PreShutdown() - Can't dispatch event" ));
     return rv;
   }
 
   return NS_OK;
 }