Commit 12052dfa authored by Kershaw Chang's avatar Kershaw Chang Committed by Pier Angelo Vendrame
Browse files

Bug 1907726 - Make sure WebTransportSessionProxy::NotifyDatagramReceived is... 

Bug 1907726 - Make sure WebTransportSessionProxy::NotifyDatagramReceived is called after OnStopRequest,  a=RyanVM

The crash occurs because WebTransportSessionProxy::OnDatagramReceivedInternal is called before WebTransportSessionProxy::OnStopRequest.
When this happens, WebTransportSessionProxy::mTarget is the main thread, so a task is dispatched to the main thread. This causes WebTransportSessionProxy::NotifyDatagramReceived to be called on the main thread.

If WebTransportSessionProxy::NotifyDatagramReceived is invoked while WebTransportSessionProxy::mStopRequestCalled is true, it can lead to OnDatagramReceived being called on the main thread (instead of the socket thread), resulting in a crash.

Original Revision: https://phabricator.services.mozilla.com/D220013

Differential Revision: https://phabricator.services.mozilla.com/D221661
parent db3f8d1e

netwerk/protocol/webtransport/WebTransportSessionProxy.cpp

+9 −9
Original line number Diff line number Diff line
@@ -1042,15 +1042,6 @@ void WebTransportSessionProxy::NotifyDatagramReceived( 
    MutexAutoLock lock(mMutex);

    MOZ_ASSERT(mTarget->IsOnCurrentThread());



    if (!mStopRequestCalled) {

      CopyableTArray<uint8_t> copied(aData);

      mPendingEvents.AppendElement(

          [self = RefPtr{this}, data = std::move(copied)]() mutable {

            self->NotifyDatagramReceived(std::move(data));

          });

      return;

    }



    if (mState != WebTransportSessionProxyState::ACTIVE || !mListener) {

      return;

    }
@@ -1066,6 +1057,15 @@ NS_IMETHODIMP WebTransportSessionProxy::OnDatagramReceivedInternal( 


  {

    MutexAutoLock lock(mMutex);

    if (!mStopRequestCalled) {

      CopyableTArray<uint8_t> copied(aData);

      mPendingEvents.AppendElement(

          [self = RefPtr{this}, data = std::move(copied)]() mutable {

            self->OnDatagramReceivedInternal(std::move(data));

          });

      return NS_OK;

    }



    if (!mTarget->IsOnCurrentThread()) {

      return mTarget->Dispatch(NS_NewRunnableFunction(

          "WebTransportSessionProxy::OnDatagramReceived",