Changeset 213930 in webkit


Timestamp: Mar 14, 2017 12:29:26 PM
Author: mark.lam@apple.com
Message:

Add a null check in VMTraps::willDestroyVM() to handle a race condition.
https://bugs.webkit.org/show_bug.cgi?id=169620

Reviewed by Filip Pizlo.

There exists a race between VMTraps::willDestroyVM() (which removes SignalSenders
from its m_signalSenders list) and SignalSender::send() (which removes itself
from the list). In the event that SignalSender::send() removes itself between
the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the
time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up
with a NULL sender pointer. The fix is to add the missing null check before using
the sender pointer.

  • runtime/VMTraps.cpp:

(JSC::VMTraps::willDestroyVM):
(JSC::VMTraps::fireTrap):

  • runtime/VMTraps.h:
Location: trunk/Source/JavaScriptCore
Files: 3 edited
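The race described in the message is easier to see in a deterministic model than in the threaded original. The block below is an added example, not JavaScriptCore code: the names follow the ChangeLog (VMTraps, SignalSender, m_signalSenders, takeAny, willDestroyVM), but every type is a stand-in built on the C++ standard library, and the `raceWindow` hook, `Outcome` struct, `runShutdown()` driver and the `withNullCheck` switch are assumed test seams that do not exist in JSC. The hook runs in exactly the window the message names, between the unlocked `isEmpty()` check and the locked `takeAny()`, so the interleaving that leaves willDestroyVM() holding a null sender is reproduced on every run rather than occasionally.

```cpp
// Added example (not JavaScriptCore code): deterministic model of the race fixed
// in r213930. Types are standard-library stand-ins; raceWindow, Outcome,
// runShutdown and withNullCheck are assumptions for illustration, not JSC members.
#include <cassert>
#include <cstdio>
#include <functional>
#include <mutex>
#include <unordered_set>
#include <vector>

struct SignalSender;

// Stand-in for the hash set behind m_signalSenders: takeAny() yields the "empty"
// value, a null pointer, when nothing is left to take.
struct SenderSet {
    std::unordered_set<SignalSender*> set;
    bool isEmpty() const { return set.empty(); }
    void add(SignalSender* s) { set.insert(s); }
    void remove(SignalSender* s) { set.erase(s); }
    SignalSender* takeAny()
    {
        if (set.empty())
            return nullptr;
        SignalSender* s = *set.begin();
        set.erase(set.begin());
        return s;
    }
};

struct Outcome {
    bool dereferencedNull;  // pre-patch path reached: sender was null when used
    int sendersDestroyed;   // senders whose willDestroyVM() ran
};

struct VMTraps {
    std::mutex m_lock;
    SenderSet m_signalSenders;
    bool m_isShuttingDown { false };  // mirrors the flag the patch adds
    int destroyed { 0 };
    // Assumed test seam: runs between the unlocked isEmpty() check and the locked
    // takeAny(), modelling the other thread's SignalSender::send() landing there.
    std::function<void()> raceWindow;

    Outcome willDestroyVM(bool withNullCheck);
};

struct SignalSender {
    VMTraps& traps;
    explicit SignalSender(VMTraps& t) : traps(t) { }
    // send() ends by removing the sender from the list, under m_lock.
    void send()
    {
        std::lock_guard<std::mutex> locker(traps.m_lock);
        traps.m_signalSenders.remove(this);
    }
    void willDestroyVM() { traps.destroyed++; }
};

Outcome VMTraps::willDestroyVM(bool withNullCheck)
{
    m_isShuttingDown = true;
    while (!m_signalSenders.isEmpty()) {     // evaluated without m_lock held
        if (raceWindow)
            raceWindow();                     // send() may empty the list here
        SignalSender* sender = nullptr;
        {
            std::lock_guard<std::mutex> locker(m_lock);
            sender = m_signalSenders.takeAny();
            if (withNullCheck && !sender)
                break;                        // the check r213930 adds
        }
        if (!sender)
            return { true, destroyed };       // pre-patch: sender->willDestroyVM() on null
        sender->willDestroyVM();
    }
    assert(m_signalSenders.isEmpty());
    return { false, destroyed };
}

// Drives one shutdown with `count` registered senders; when `race` is set, the last
// sender's send() is scheduled in the window between the empty check and takeAny().
Outcome runShutdown(int count, bool race, bool withNullCheck)
{
    VMTraps traps;
    std::vector<SignalSender> senders;
    senders.reserve(count);
    for (int i = 0; i < count; i++) {
        senders.emplace_back(traps);
        traps.m_signalSenders.add(&senders.back());
    }
    bool fired = false;  // the concurrent send() happens only once
    if (race && count > 0)
        traps.raceWindow = [&] { if (!fired) { fired = true; senders.back().send(); } };
    return traps.willDestroyVM(withNullCheck);
}

int main()
{
    Outcome before = runShutdown(1, true, false);
    Outcome after = runShutdown(1, true, true);
    std::printf("pre-patch: null sender used = %d\n", before.dereferencedNull);
    std::printf("patched:   null sender used = %d, senders destroyed = %d\n",
                after.dereferencedNull, after.sendersDestroyed);
    return 0;
}
```

With two senders registered the race is harmless even without the check, because `takeAny()` still finds the other one; it is only when send() removes the last sender in the window that the pre-patch loop body runs with a null pointer, which is why the fix is a check after `takeAny()` rather than a change to the loop condition.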

  • trunk/Source/JavaScriptCore/ChangeLog

    r213904 r213930  
     12017-03-14  Mark Lam  <mark.lam@apple.com>
     2
     3        Add a null check in VMTraps::willDestroyVM() to handle a race condition.
     4        https://bugs.webkit.org/show_bug.cgi?id=169620
     5
     6        Reviewed by Filip Pizlo.
     7
     8        There exists a race between VMTraps::willDestroyVM() (which removed SignalSenders
     9        from its m_signalSenders list) and SignalSender::send() (which removes itself
     10        from the list).  In the event that SignalSender::send() removes itself between
     11        the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the
     12        time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up
     13        with a NULL sender pointer.  The fix is to add the missing null check before using
     14        the sender pointer.
     15
     16        * runtime/VMTraps.cpp:
     17        (JSC::VMTraps::willDestroyVM):
     18        (JSC::VMTraps::fireTrap):
     19        * runtime/VMTraps.h:
     20
    1212017-03-14  Mark Lam  <mark.lam@apple.com>
    222
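Review bot: style nit in the ChangeLog text at lines 8-9: "VMTraps::willDestroyVM() (which removed SignalSenders from its m_signalSenders list)" should read "which removes", matching "which removes itself" later in the same sentence, since both clauses describe steady-state behaviour rather than a past event.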
  • trunk/Source/JavaScriptCore/runtime/VMTraps.cpp

    r213886 r213930  
    404404void VMTraps::willDestroyVM()
    405405{
     406    m_isShuttingDown = true;
     407    WTF::storeStoreFence();
    406408#if ENABLE(SIGNAL_BASED_VM_TRAPS)
    407409    while (!m_signalSenders.isEmpty()) {
     
    414416            auto locker = holdLock(m_lock);
    415417            sender = m_signalSenders.takeAny();
     418            if (!sender)
     419                break;
    416420        }
    417421        sender->willDestroyVM();
    418422    }
     423    ASSERT(m_signalSenders.isEmpty());
    419424#endif
    420425}
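Review bot: the null check at 418-419 is the right minimal fix, but the loop condition at 409 (`while (!m_signalSenders.isEmpty())`) is still read without m_lock, so it only decides whether to enter the locked section and the `takeAny()` result at 417 is the authoritative answer; a one-line comment there saying that `takeAny()` returns null on an empty set and that this is expected when a concurrent SignalSender::send() removes the last sender would save the next reader from re-deriving the race. Separately, the store to m_isShuttingDown at 406 happens outside m_lock; the storeStoreFence at 407 orders it before this thread's later stores, but a fireTrap() that already holds m_lock at 483 reads the flag with no matching acquire, so the new ASSERT at 423 rests on the fireTrap() ASSERT at 484 rather than on the fence. Consider setting the flag under m_lock, or documenting why a stale read in fireTrap() is acceptable.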
     
    477482    {
    478483        auto locker = holdLock(m_lock);
     484        ASSERT(!m_isShuttingDown);
    479485        setTrapForEvent(locker, eventType);
    480486        m_needToInvalidatedCodeBlocks = true;
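Review bot: ASSERT(!m_isShuttingDown) at 484 is compiled out in release builds, so a fireTrap() that races with willDestroyVM() still proceeds to setTrapForEvent() at 485 and sets m_needToInvalidatedCodeBlocks at 486 there; if that path goes on to register a SignalSender (not visible in this hunk), consider an early return under the lock, e.g. `if (m_isShuttingDown) return;`, so release builds get the same protection the debug ASSERT documents rather than only a diagnostic.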
  • trunk/Source/JavaScriptCore/runtime/VMTraps.h

    r213652 r213930  
    168168    };
    169169    bool m_needToInvalidatedCodeBlocks { false };
     170    bool m_isShuttingDown { false };
    170171
    171172#if ENABLE(SIGNAL_BASED_VM_TRAPS)
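Review bot: m_isShuttingDown at 170 is written by willDestroyVM() without m_lock and read by fireTrap() under it, so the declaration should say so (set once during VM teardown; readers must hold m_lock or tolerate a stale false), or the field should be an atomic rather than a plain bool, since a storeStoreFence on the writer side has no matching acquire on the reader side. Also consider placing it next to m_lock, or adding a comment, so its relationship to the lock is visible from the header alone.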