Bug 305440 - RESOLVED FIXED
Fix a race condition with the setting of VM::m_hasTerminationRequest.
https://bugs.webkit.org/show_bug.cgi?id=305440
Mark Lam
Reported 2026-01-13 18:35:39 PST
VM::notifyNeedTermination() was calling setHasTerminationRequest() followed by setting the VMTraps::NeedTermination trap bit. The code expects m_hasTerminationRequest to be set while a NeedTermination trap is being processed. VM::notifyNeedTermination() can be called from the main thread. However, on the worker thread, VM::executeEntryScopeServicesOnExit() will clearHasTerminationRequest() if the trap bit is not already set. If VM::notifyNeedTermination() is called between these two operations, we will effectively clear m_hasTerminationRequest while the NeedTermination trap bit is set. This breaks the invariant that expects m_hasTerminationRequest to still be set.

In fact, there really wasn't a need to setHasTerminationRequest() from VM::notifyNeedTermination(). We can just set it inside VMTraps::handleTraps() when we know that we need to process a termination. VMTraps::handleTraps() is only called from the mutator thread, which is the worker thread in this case. This will completely remove the race.
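The interleaving described in the report, as an added illustration that is not WebKit's code: a toy VM with an atomic trap-bit word and a termination-request flag, with executeEntryScopeServicesOnExit() split into its two observable steps (read the trap bit, then clear the flag) so the main-thread call can be slotted between them deterministically. The names follow the report; the bit layout, the two-step split and the "_before"/"_after" pairing are assumptions made for the demonstration, and the "after" variant sets the flag inside handleTraps() as the fix describes.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>

// Toy model of the state involved in the race (illustration, not JSC's layout).
constexpr uint32_t NeedTermination = 1u << 0;   // assumed position of the trap bit

struct VM {
    std::atomic<uint32_t> trapBits{0};          // VMTraps bit set, written from several threads
    std::atomic<bool> hasTerminationRequest{false};
};

// --- main-thread side -------------------------------------------------------

// Before the fix: set the flag, then raise the trap bit.
void notifyNeedTermination_before(VM& vm) {
    vm.hasTerminationRequest.store(true);
    vm.trapBits.fetch_or(NeedTermination);
}

// After the fix: only raise the trap bit; the flag is set later on the mutator thread.
void notifyNeedTermination_after(VM& vm) {
    vm.trapBits.fetch_or(NeedTermination);
}

// --- worker (mutator) thread side -------------------------------------------

// executeEntryScopeServicesOnExit(), step 1: observe whether NeedTermination is pending.
bool exitServicesReadsTrapBit(const VM& vm) {
    return (vm.trapBits.load() & NeedTermination) != 0;
}

// executeEntryScopeServicesOnExit(), step 2: clear the flag if no trap was seen.
void exitServicesClearsFlag(VM& vm, bool trapBitWasSeen) {
    if (!trapBitWasSeen)
        vm.hasTerminationRequest.store(false);
}

// handleTraps() before the fix relies on the flag already being set by the notifier.
// Returns whether the expected invariant (bit set => flag set) holds.
bool handleTraps_before(VM& vm) {
    if (vm.trapBits.load() & NeedTermination)
        return vm.hasTerminationRequest.load();
    return true;
}

// handleTraps() after the fix establishes the flag itself, on the mutator thread.
bool handleTraps_after(VM& vm) {
    if (vm.trapBits.load() & NeedTermination) {
        vm.hasTerminationRequest.store(true);
        return vm.hasTerminationRequest.load();
    }
    return true;
}

// Replay the exact interleaving from the report: the main thread's notification
// lands between the worker's two steps. Returns true if the invariant survives.
bool invariantHoldsUnderRace(bool fixed) {
    VM vm;
    bool seen = exitServicesReadsTrapBit(vm);   // worker: nothing pending yet
    if (fixed)
        notifyNeedTermination_after(vm);        // main thread: request arrives now
    else
        notifyNeedTermination_before(vm);
    exitServicesClearsFlag(vm, seen);           // worker: clears the flag (bit was not seen)
    return fixed ? handleTraps_after(vm) : handleTraps_before(vm);
}

int main() {
    std::printf("before fix, invariant holds: %s\n", invariantHoldsUnderRace(false) ? "yes" : "no");
    std::printf("after fix,  invariant holds: %s\n", invariantHoldsUnderRace(true) ? "yes" : "no");
    return 0;
}
```

The two worker-side steps are separate functions only so the race can be replayed in one thread; in the real VM they run back to back on the mutator thread, which is exactly why moving the flag write into handleTraps(), also mutator-only, leaves no window for a main-thread writer to be undone.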
Radar WebKit Bug Importer
Comment 1 2026-01-13 18:36:12 PST
Mark Lam
Comment 2 2026-01-13 18:45:30 PST
EWS
Comment 3 2026-01-15 08:13:50 PST
Committed 305643@main (23922a766f07): <https://commits.webkit.org/305643@main> Reviewed commits have been landed. Closing PR #56535 and removing active labels.