Chrome StoragePartitionService Double-Destruction Race

There's a race condition in the destruction of the BindingState for bindings to the StoragePartitionService in Chrome. The root cause appears to be that two concurrent calls can be made to callbacks returned from mojo::BindingSet::GetBadMessageCallback() for the same BindingSet, which results in a data race destroying the same BindingState.
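The pattern described above, shown as an added example rather than Chrome or Mojo code: a simplified model in which two callbacks for the same binding can fire concurrently, with removal made idempotent so that only one caller ever destroys the state. `ModelBindingSet`, `Remove`, and `ExcessDestructions` are hypothetical names, and the mutex-guarded lookup is one generic way to serialize the destruction, not the fix Chrome shipped.

```cpp
#include <atomic>
#include <functional>
#include <map>
#include <memory>
#include <mutex>
#include <thread>
// Stand-in for per-binding state; the counter records destructor runs.
struct BindingState {
  std::atomic<int>* destroyed;
  ~BindingState() { destroyed->fetch_add(1); }
};
// Hypothetical model of a binding set (not mojo::BindingSet itself).
class ModelBindingSet {
 public:
  int Add(std::atomic<int>* counter) {
    std::lock_guard<std::mutex> lock(mu_);
    bindings_[next_id_].reset(new BindingState{counter});
    return next_id_++;
  }
  // The returned callback may run on any thread, more than once.
  std::function<bool()> GetBadMessageCallback(int id) {
    return [this, id] { return Remove(id); };
  }
 private:
  // True only for the single caller that took ownership of the state.
  bool Remove(int id) {
    std::unique_ptr<BindingState> doomed;  // declared first: freed after unlock
    std::lock_guard<std::mutex> lock(mu_);
    auto it = bindings_.find(id);
    if (it == bindings_.end()) return false;  // the other callback already won
    doomed = std::move(it->second);
    bindings_.erase(it);
    return true;
  }
  std::mutex mu_;
  std::map<int, std::unique_ptr<BindingState>> bindings_;
  int next_id_ = 1;
};
// Races two callbacks per binding; returns destructor runs minus rounds.
int ExcessDestructions(int rounds) {
  std::atomic<int> destroyed{0};
  ModelBindingSet set;
  for (int i = 0; i < rounds; ++i) {
    int id = set.Add(&destroyed);
    std::thread a(set.GetBadMessageCallback(id)), b(set.GetBadMessageCallback(id));
    a.join(); b.join();
  }
  return destroyed.load() - rounds;
}
```

A result of 0 means each BindingState was destroyed exactly once even though both callbacks ran; without the lock and the `find` check, both callers could reach the same state.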

MD5 | 93fdcc784fafeb9f017d38fdf6497ad4
