Do not delete synchronously in OnTaskRunnerDeleter.
Currently OnTaskRunnerDeleter::operator() relies on RunsTasksOnCurrentThread()
method of the TaskRunner. However, the latter has weak guarantees on the
returned value (see the comment to it). It can even always return true.
Therefore, thread-unsafe objects can not be safely deleted under some
circumstances.
The current implementation also makes such a crashing scenario possible. Suppose
there is an Object living in the SequencedTaskRunner and a Task has been posted
to a TaskRunner to access the Object. After that, the deleter has been invoked
and immediately deleted the Object. After that the Task got to execute in the
TaskRunner, and tries to read from a deleted Object => undefined behavior.
Review-Url: https://codereview.chromium.org/2657283002
Cr-Commit-Position: refs/heads/master@{#446920}
CrOS-Libchrome-Original-Commit: 90cdf584494922804c8d0c81a83bcad271645659
diff --git a/base/sequenced_task_runner.h b/base/sequenced_task_runner.h
index 0bedf2e..de91bd9 100644
--- a/base/sequenced_task_runner.h
+++ b/base/sequenced_task_runner.h
@@ -163,9 +163,7 @@
template <typename T>
void operator()(const T* ptr) {
- if (task_runner_->RunsTasksOnCurrentThread())
- delete ptr;
- else if (ptr)
+ if (ptr)
task_runner_->DeleteSoon(FROM_HERE, ptr);
}