Fix a data race in WebMessagePortChannelImpl.

It's unsafe to pass a WebString (which is logically a RefPtr<StringImpl>) across threads because the underlying object is not thread-safe ref-counted. Instead, the base::string16 that the receiving method accepts should be constructed before posting the task. BUG=635659 Review-Url: https://codereview.chromium.org/2224393002 Cr-Commit-Position: refs/heads/master@{#410761}
Denger-Network · Aug 9, 2016 · 414c42a · 414c42a
1 parent ec291e2
commit 414c42a
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/content/child/webmessageportchannel_impl.cc b/content/child/webmessageportchannel_impl.cc
@@ -168,9 +168,13 @@ void WebMessagePortChannelImpl::postMessage(
     WebMessagePortChannelArray* channels_ptr) {
   std::unique_ptr<WebMessagePortChannelArray> channels(channels_ptr);
   if (!main_thread_task_runner_->BelongsToCurrentThread()) {
+    // Note: we must construct the base::string16 here and pass that. Otherwise,
+    // the WebString will be passed, leading to references to the StringImpl
+    // from two threads, which is a data race.
     main_thread_task_runner_->PostTask(
         FROM_HERE, base::Bind(&WebMessagePortChannelImpl::SendPostMessage, this,
-                              message, base::Passed(std::move(channels))));
+                              base::Passed(base::string16(message)),
+                              base::Passed(std::move(channels))));
   } else {
     SendPostMessage(message, std::move(channels));
   }