DOM: Fix 'ref-counted producer' Subscriber crash #51025
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This CL fixes a crash in Subscriber, which was introduced in https://crrev.com/c/6221901, when we implemented ref-counted producers. With ref-counted producers, Subscriber::next()/error()/complete() have to iterate over the list of internal observers and call the respective methods on them. However, because these methods can terminate the subscription for a given observer, the list of internal observers can mutate while iterating over it, which is unsafe and causes a crash. This is essentially the implementation version of whatwg/infra#396. This CL fixes this bug by taking a copy of the list of internal observers before iterating over it in each of these methods, so we can call the methods on each registered observer, while iterating over a stable vector that cannot be mutated (since it is a copy). R=masonf Bug: 40282760 Change-Id: I9ade96a95370120b4c9f7309a78d3222398aed6b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6311209 Commit-Queue: Dominic Farolino <[email protected]> Reviewed-by: Mason Freed <[email protected]> Cr-Commit-Position: refs/heads/main@{#1426289}
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-6311209
branch
from
ae45653 to
18a10d5
Compare
wpt-pr-bot
approved these changes
Feb 28, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This CL fixes a crash in Subscriber, which was introduced in
https://crrev.com/c/6221901, when we implemented ref-counted producers.
With ref-counted producers, Subscriber::next()/error()/complete() have
to iterate over the list of internal observers and call the respective
methods on them. However, because these methods can terminate the
subscription for a given observer, the list of internal observers can
mutate while iterating over it, which is unsafe and causes a crash.
This is essentially the implementation version of
whatwg/infra#396.
This CL fixes this bug by taking a copy of the list of internal
observers before iterating over it in each of these methods, so we can
call the methods on each registered observer, while iterating over a
stable vector that cannot be mutated (since it is a copy).
R=masonf
Bug: 40282760
Change-Id: I9ade96a95370120b4c9f7309a78d3222398aed6b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6311209
Commit-Queue: Dominic Farolino <[email protected]>
Reviewed-by: Mason Freed <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1426289}