Bug 169620 - Add a null check in VMTraps::willDestroyVM() to handle a race condition.
Summary: Add a null check in VMTraps::willDestroyVM() to handle a race condition.
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified  OS: Unspecified
Importance: P2 Normal
Assignee: Mark Lam
Keywords: InRadar
Depends on:
Reported: 2017-03-14 12:12 PDT by Mark Lam
Modified: 2017-03-14 12:30 PDT (History)

See Also:

Attachments:
proposed patch. (2.84 KB, patch) - 2017-03-14 12:19 PDT, Mark Lam - no flags
proposed patch: rebased to ToT. (2.84 KB, patch) - 2017-03-14 12:22 PDT, Mark Lam - fpizlo: review+

Description Mark Lam 2017-03-14 12:12:25 PDT
There exists a race between VMTraps::willDestroyVM() (which removes SignalSenders from its m_signalSenders list) and SignalSender::send() (which removes itself from the list).  In the event that SignalSender::send() removes itself between the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up with a NULL sender pointer.  The fix is to add the missing null check before using the sender pointer.
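The check-then-take window described in the report, as an added example that is not WebKit's code: `SenderList`, its `takeAny()` returning null on an empty list, the `withNullCheck` flag and the `betweenCheckAndTake` hook are assumptions made here so the losing interleaving can be replayed deterministically; the real VMTraps types and locking differ. The point it isolates is that `isEmpty()` and `takeAny()` each take and release the lock separately, so a concurrent `send()` can empty the list in between, and only a null check after the take turns that lost race into a clean exit rather than a null dereference.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <mutex>
#include <unordered_set>
#include <utility>

// Hypothetical stand-in for JSC's SignalSender: just enough state to observe
// whether willDestroyVM() reached it.
struct SignalSender {
    explicit SignalSender(int id) : id(id) {}
    int id;
    bool notified = false;
};

// Hypothetical stand-in for VMTraps::m_signalSenders plus its lock. The two
// operations the drain loop performs, isEmpty() and takeAny(), each take the
// lock separately, so the lock is released in between: that gap is the race.
struct SenderList {
    std::mutex lock;
    std::unordered_set<std::shared_ptr<SignalSender>> senders;

    void add(std::shared_ptr<SignalSender> sender) {
        std::lock_guard<std::mutex> guard(lock);
        senders.insert(std::move(sender));
    }

    bool isEmpty() {
        std::lock_guard<std::mutex> guard(lock);
        return senders.empty();
    }

    // Returns nullptr when the list is empty, which is exactly the value the
    // original drain loop forgot to check for.
    std::shared_ptr<SignalSender> takeAny() {
        std::lock_guard<std::mutex> guard(lock);
        if (senders.empty())
            return nullptr;
        auto it = senders.begin();
        auto sender = *it;
        senders.erase(it);
        return sender;
    }

    // What SignalSender::send() does on its own thread: remove itself.
    void remove(const std::shared_ptr<SignalSender>& sender) {
        std::lock_guard<std::mutex> guard(lock);
        senders.erase(sender);
    }
};

// Drain loop in the shape of VMTraps::willDestroyVM(). betweenCheckAndTake is
// a test hook (not part of the real code) that runs in the window between the
// emptiness check and takeAny(), so a concurrent send() can be replayed
// deterministically. Returns the number of senders notified.
int willDestroyVM(SenderList& list, bool withNullCheck,
                  const std::function<void()>& betweenCheckAndTake) {
    int notified = 0;
    while (!list.isEmpty()) {
        betweenCheckAndTake();            // send() may remove the last sender here
        auto sender = list.takeAny();     // ... in which case this is nullptr
        if (withNullCheck && !sender)
            break;                        // the fix: list drained under our feet
        sender->notified = true;          // without the check: null dereference
        ++notified;
    }
    return notified;
}

// Scenario 1: three senders and no concurrent send(); all three are notified.
int drainUndisturbed() {
    SenderList list;
    for (int i = 0; i < 3; ++i)
        list.add(std::make_shared<SignalSender>(i));
    return willDestroyVM(list, /*withNullCheck=*/true, [] {});
}

// Scenario 2: one sender whose send() removes it between the check and the
// take. With the null check the loop exits cleanly and notifies nobody; with
// withNullCheck=false this same interleaving dereferences nullptr.
int drainRacedBySend() {
    SenderList list;
    auto sender = std::make_shared<SignalSender>(0);
    list.add(sender);
    return willDestroyVM(list, /*withNullCheck=*/true,
                         [&] { list.remove(sender); });
}

int main() {
    std::printf("undisturbed: %d notified\n", drainUndisturbed());   // 3
    std::printf("raced:       %d notified\n", drainRacedBySend());   // 0
    return 0;
}
```

Flipping `withNullCheck` to false in scenario 2 reproduces the crash the report describes: the emptiness check passes, the hook removes the only sender, `takeAny()` hands back null and the loop dereferences it. Holding the lock across both the check and the take would close the window too, but the shipped fix keeps the separate critical sections and simply treats a null result as "nothing left to drain".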
Comment 1 Mark Lam 2017-03-14 12:16:35 PDT
Comment 2 Mark Lam 2017-03-14 12:19:42 PDT
Created attachment 304411 [details]
proposed patch.
Comment 3 Mark Lam 2017-03-14 12:22:58 PDT
Created attachment 304412 [details]
proposed patch: rebased to ToT.
Comment 4 Mark Lam 2017-03-14 12:30:06 PDT
Thanks for the review.  Landed in r213930: <http://trac.webkit.org/r213930>.