Bug 305440
| Summary: | Fix a race condition with the setting of VM::m_hasTerminationRequest. | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Mark Lam <mark.lam> |
| Component: | JavaScriptCore | Assignee: | Mark Lam <mark.lam> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Mark Lam
VM::notifyNeedTermination() was calling setHasTerminationRequest() followed by setting the VMTraps::NeedTermination trap bit. The code expects m_hasTerminationRequest to be set while a NeedTermination trap is being processed. VM::notifyNeedTermination() can be called from the main thread.
However, on the worker thread, VM::executeEntryScopeServicesOnExit() will clearHasTerminationRequest() if the trap bit is not already set. If VM::notifyNeedTermination() is called between these 2 operations, we will effectively clear the m_hasTerminationRequest while the NeedTermination trap bit is set. This breaks the invariant that expects m_hasTerminationRequest to still be set.
In fact, there really wasn't a need to setHasTerminationRequest() from VM::notifyNeedTermination(). We can just set it inside VMTraps::handleTraps() when we know that we need to process a termination. VMTraps::handleTraps() is only called from the mutator thread, which is the worker thread in this case. This will completely remove the race.
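The interleaving the report describes, replayed in a small model. This is an added illustration, not WebKit's code: the struct, the step-split `exitScopeStep1_trapNotPending`/`exitScopeStep2_clear` helpers and the `useFixedHandleTraps` switch are assumptions made so the window between the worker's check and its clear can be driven deterministically from a single thread. Only the flag and trap names are taken from the bug; the pre-fix branch sets the flag from `notifyNeedTermination()`, the post-fix branch sets it inside `handleTraps()` on the mutator side.

```cpp
// Simplified model of the race in WebKit bug 305440 (illustration only, not
// WebKit's code). Flag and trap names follow the bug report; the step split
// and the useFixedHandleTraps switch are assumptions for the demonstration.
#include <atomic>
#include <cstdint>

enum TrapBit : uint8_t { NeedTermination = 1 << 0 };

struct VMModel {
    std::atomic<bool> hasTerminationRequest{false};  // VM::m_hasTerminationRequest
    std::atomic<uint8_t> trapBits{0};                // VMTraps trap bits
    bool useFixedHandleTraps;                        // true = post-fix behaviour

    explicit VMModel(bool fixed) : useFixedHandleTraps(fixed) {}

    // Main thread. Pre-fix: set the flag, then raise the trap bit.
    // Post-fix: only raise the trap bit; the mutator sets the flag itself.
    void notifyNeedTermination() {
        if (!useFixedHandleTraps)
            hasTerminationRequest.store(true);
        trapBits.fetch_or(NeedTermination);
    }

    // Worker (mutator) thread: executeEntryScopeServicesOnExit() clears the
    // flag when no NeedTermination trap is pending. The read and the clear are
    // two separate steps here so a test can interleave the main thread between
    // them; that gap is the window the bug report describes.
    bool exitScopeStep1_trapNotPending() const {
        return !(trapBits.load() & NeedTermination);
    }
    void exitScopeStep2_clear() { hasTerminationRequest.store(false); }

    // Worker thread: handleTraps() processes a pending NeedTermination trap.
    // Returns whether the invariant "flag is set while the trap is handled"
    // holds. Post-fix, the flag is set right here, on the mutator thread.
    bool handleTraps() {
        uint8_t bits = trapBits.exchange(0);
        if (!(bits & NeedTermination))
            return true;  // nothing to handle, invariant trivially holds
        if (useFixedHandleTraps)
            hasTerminationRequest.store(true);
        return hasTerminationRequest.load();
    }
};

// Replays the problematic interleaving: worker observes "no trap pending",
// main thread requests termination, worker clears the flag, worker handles
// the trap. Returns false when the invariant is broken.
bool invariantHoldsUnderRace(bool useFixedHandleTraps) {
    VMModel vm(useFixedHandleTraps);
    bool notPending = vm.exitScopeStep1_trapNotPending();  // worker: check
    vm.notifyNeedTermination();                             // main: request
    if (notPending)
        vm.exitScopeStep2_clear();                          // worker: clear
    return vm.handleTraps();                                // worker: process
}

// Control case: the request lands before the worker's check, so the worker
// sees the trap pending and never clears the flag. Both variants pass.
bool invariantHoldsWithoutRace(bool useFixedHandleTraps) {
    VMModel vm(useFixedHandleTraps);
    vm.notifyNeedTermination();
    if (vm.exitScopeStep1_trapNotPending())
        vm.exitScopeStep2_clear();
    return vm.handleTraps();
}
```

The pre-fix model fails only on the interleaved path, which is why the bug is timing dependent; the post-fix model passes both paths because the flag is written and read on the same thread and nothing on the main thread can clear it in between.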
Radar WebKit Bug Importer
<rdar://problem/168110635>
Mark Lam
Pull request: https://github.com/WebKit/Webkit/pull/56535
EWS
Committed 305643@main (23922a766f07): <https://commits.webkit.org/305643@main>
Reviewed commits have been landed. Closing PR #56535 and removing active labels.