Bug 169620

Summary: Add a null check in VMTraps::willDestroyVM() to handle a race condition.
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, keith_miller, msaboff, saam, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  proposed patch. (flags: none)
  proposed patch: rebased to ToT. (flags: fpizlo: review+)

Description Mark Lam 2017-03-14 12:12:25 PDT
There exists a race between VMTraps::willDestroyVM() (which removes SignalSenders from its m_signalSenders list) and SignalSender::send() (which removes itself from the list).  In the event that SignalSender::send() removes itself between the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up with a NULL sender pointer.  The fix is to add the missing null check before using the sender pointer.
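Editor-added example, not part of the bug report or of WebKit's code: a deterministic C++ model of the check-then-take race described above. The sender list, the names SignalSenderList, takeAny(), remove(), DestroyResult, willDestroyVM() and runRace(), and the raceHook that stands in for a sender thread running send() inside the window are all illustrative assumptions, not JavaScriptCore's real API. The pre-fix path is modelled as a recorded fault instead of a real null dereference so that the code can run.

```cpp
// Editor-added model of the VMTraps::willDestroyVM() / SignalSender::send() race.
// Every name here is a hypothetical stand-in, not WebKit code.
#include <algorithm>
#include <cstddef>
#include <functional>
#include <mutex>
#include <vector>

struct SignalSender {
    bool done = false;  // set once willDestroyVM() has processed this sender
};

// Stand-in for m_signalSenders: a lock-protected list shared by the VM thread
// (willDestroyVM) and the sender threads (send). Each call is atomic on its
// own; the race lives between two consecutive calls.
class SignalSenderList {
public:
    void add(SignalSender* s) {
        std::lock_guard<std::mutex> lock(m_lock);
        m_senders.push_back(s);
    }
    bool isEmpty() {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_senders.empty();
    }
    // Hands back one sender, or nullptr if the list emptied after the caller's
    // isEmpty() check: that nullptr is exactly what the race produces.
    SignalSender* takeAny() {
        std::lock_guard<std::mutex> lock(m_lock);
        if (m_senders.empty())
            return nullptr;
        SignalSender* s = m_senders.back();
        m_senders.pop_back();
        return s;
    }
    // What SignalSender::send() does on its own thread: removes itself.
    bool remove(SignalSender* s) {
        std::lock_guard<std::mutex> lock(m_lock);
        auto it = std::find(m_senders.begin(), m_senders.end(), s);
        if (it == m_senders.end())
            return false;
        m_senders.erase(it);
        return true;
    }
private:
    std::mutex m_lock;
    std::vector<SignalSender*> m_senders;
};

struct DestroyResult {
    size_t destroyed = 0;           // senders willDestroyVM() actually processed
    size_t nullSendersSkipped = 0;  // times takeAny() returned nullptr and was skipped
    bool faulted = false;           // pre-fix code would have dereferenced nullptr here
};

// Model of willDestroyVM(). raceHook runs between isEmpty() and takeAny(),
// i.e. inside the window in which a sender thread may remove itself.
DestroyResult willDestroyVM(SignalSenderList& list, bool withNullCheck,
                            const std::function<void()>& raceHook) {
    DestroyResult result;
    while (!list.isEmpty()) {
        raceHook();                        // a racing SignalSender::send() may run here
        SignalSender* sender = list.takeAny();
        if (!sender) {
            if (!withNullCheck) {          // pre-fix: sender->done would crash
                result.faulted = true;
                return result;
            }
            ++result.nullSendersSkipped;   // the fix: skip and re-check the list
            continue;
        }
        sender->done = true;
        ++result.destroyed;
    }
    return result;
}

// Drives one interleaving: two senders registered; when senderRaces is true,
// sender a runs send() (removes itself) inside the second pass's race window,
// so the list is empty by the time takeAny() runs.
DestroyResult runRace(bool withNullCheck, bool senderRaces) {
    SignalSenderList list;
    SignalSender a, b;
    list.add(&a);
    list.add(&b);
    int pass = 0;
    auto hook = [&] {
        if (++pass == 2 && senderRaces)
            list.remove(&a);
    };
    return willDestroyVM(list, withNullCheck, hook);
}
```

Without the race both versions drain the list (two senders destroyed). With the race, the pre-fix version faults on the null pointer after destroying one sender, while the fixed version skips the null, re-checks the now-empty list and exits cleanly. The same shape applies to any loop that tests a shared container's emptiness and then takes from it under separate lock acquisitions: either hold the lock across both steps, or treat the take as fallible and check its result.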
Comment 1 Mark Lam 2017-03-14 12:16:35 PDT
<rdar://problem/31022072>
Comment 2 Mark Lam 2017-03-14 12:19:42 PDT
Created attachment 304411
proposed patch.
Comment 3 Mark Lam 2017-03-14 12:22:58 PDT
Created attachment 304412
proposed patch: rebased to ToT.
Comment 4 Mark Lam 2017-03-14 12:30:06 PDT
Thanks for the review.  Landed in r213930: <http://trac.webkit.org/r213930>.