Delay client registration of MessagePort to MessagePortChannel
MessagePort used to be registered to MessagePortChannel on entangle(),
and be unregisted when the ExecutionContext is stopped or MessagePort
is swept by GC. Once its start() is called, its hasPendingActivity()
will be true and that extends the MessagePort lifetime to stop() or close() call.
However, there's a time gap between the MessagePort instance is marked
as unreachable, and swept by GC system. If MessagePortChannel accesses
the MessagePort in this period, that causes use-after-poison crash.
I.e. there are two pattern of the life of MessagePort.
1. entangle() + register -> gets unreachable -(poisoned period)-> swept + unregister
2. entangle() + register -> start() -> stop() + unregister
3. entangle() + register -> start() -> close() + unregister
(2) and (3) cases are OK, while (1) has a dangerous period.
This CL delays the registration from entangle() to start(), so that
the case (1) doesn't register the MessagePort to MessagePortChannel at all.
BUG=627457
Review-Url: https://codereview.chromium.org/2143003003
Cr-Commit-Position: refs/heads/master@{#405450}
1 file changed
