Bug 169620

Summary: Add a null check in VMTraps::willDestroyVM() to handle a race condition.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, keith_miller, msaboff, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch.
none
proposed patch: rebased to ToT. fpizlo: review+

Mark Lam
Reported 2017-03-14 12:12:25 PDT
There exists a race between VMTraps::willDestroyVM() (which removed SignalSenders from its m_signalSenders list) and SignalSender::send() (which removes itself from the list). In the event that SignalSender::send() removes itself between the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up with a NULL sender pointer. The fix is add the missing null check before using the sender pointer.
Attachments
proposed patch. (2.84 KB, patch)
2017-03-14 12:19 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
proposed patch: rebased to ToT. (2.84 KB, patch)
2017-03-14 12:22 PDT, Mark Lam 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2017-03-14 12:16:35 PDT
<rdar://problem/31022072>
Mark Lam
Comment 2 2017-03-14 12:19:42 PDT
Created attachment 304411 [details] proposed patch.
Mark Lam
Comment 3 2017-03-14 12:22:58 PDT
Created attachment 304412 [details] proposed patch: rebased to ToT.
Mark Lam
Comment 4 2017-03-14 12:30:06 PDT
Thanks for the review. Landed in r213930: <http://trac.webkit.org/r213930>.
Note You need to log in before you can comment on or make changes to this bug.