Title: [213930] trunk/Source/_javascript_Core
- Revision
- 213930
- Author
- mark....@apple.com
- Date
- 2017-03-14 12:29:26 -0700 (Tue, 14 Mar 2017)
Log Message
Add a null check in VMTraps::willDestroyVM() to handle a race condition.
https://bugs.webkit.org/show_bug.cgi?id=169620
Reviewed by Filip Pizlo.
There exists a race between VMTraps::willDestroyVM() (which removed SignalSenders
from its m_signalSenders list) and SignalSender::send() (which removes itself
from the list). In the event that SignalSender::send() removes itself between
the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the
time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up
with a NULL sender pointer. The fix is to add the missing null check before using
the sender pointer.
* runtime/VMTraps.cpp:
(JSC::VMTraps::willDestroyVM):
(JSC::VMTraps::fireTrap):
* runtime/VMTraps.h:
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (213929 => 213930)
--- trunk/Source/_javascript_Core/ChangeLog 2017-03-14 19:22:33 UTC (rev 213929)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-03-14 19:29:26 UTC (rev 213930)
@@ -1,5 +1,25 @@
2017-03-14 Mark Lam <mark....@apple.com>
+ Add a null check in VMTraps::willDestroyVM() to handle a race condition.
+ https://bugs.webkit.org/show_bug.cgi?id=169620
+
+ Reviewed by Filip Pizlo.
+
+ There exists a race between VMTraps::willDestroyVM() (which removed SignalSenders
+ from its m_signalSenders list) and SignalSender::send() (which removes itself
+ from the list). In the event that SignalSender::send() removes itself between
+ the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the
+ time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up
+ with a NULL sender pointer. The fix is to add the missing null check before using
+ the sender pointer.
+
+ * runtime/VMTraps.cpp:
+ (JSC::VMTraps::willDestroyVM):
+ (JSC::VMTraps::fireTrap):
+ * runtime/VMTraps.h:
+
+2017-03-14 Mark Lam <mark....@apple.com>
+
Gardening: Speculative build fix for CLoop after r213886.
https://bugs.webkit.org/show_bug.cgi?id=169436
Modified: trunk/Source/_javascript_Core/runtime/VMTraps.cpp (213929 => 213930)
--- trunk/Source/_javascript_Core/runtime/VMTraps.cpp 2017-03-14 19:22:33 UTC (rev 213929)
+++ trunk/Source/_javascript_Core/runtime/VMTraps.cpp 2017-03-14 19:29:26 UTC (rev 213930)
@@ -403,6 +403,8 @@
void VMTraps::willDestroyVM()
{
+ m_isShuttingDown = true;
+ WTF::storeStoreFence();
#if ENABLE(SIGNAL_BASED_VM_TRAPS)
while (!m_signalSenders.isEmpty()) {
RefPtr<SignalSender> sender;
@@ -413,9 +415,12 @@
// to acquire these locks in the opposite order.
auto locker = holdLock(m_lock);
sender = m_signalSenders.takeAny();
+ if (!sender)
+ break;
}
sender->willDestroyVM();
}
+ ASSERT(m_signalSenders.isEmpty());
#endif
}
@@ -476,6 +481,7 @@
ASSERT(!vm().currentThreadIsHoldingAPILock());
{
auto locker = holdLock(m_lock);
+ ASSERT(!m_isShuttingDown);
setTrapForEvent(locker, eventType);
m_needToInvalidatedCodeBlocks = true;
}
Modified: trunk/Source/_javascript_Core/runtime/VMTraps.h (213929 => 213930)
--- trunk/Source/_javascript_Core/runtime/VMTraps.h 2017-03-14 19:22:33 UTC (rev 213929)
+++ trunk/Source/_javascript_Core/runtime/VMTraps.h 2017-03-14 19:29:26 UTC (rev 213930)
@@ -167,6 +167,7 @@
BitField m_trapsBitField;
};
bool m_needToInvalidatedCodeBlocks { false };
+ bool m_isShuttingDown { false };
#if ENABLE(SIGNAL_BASED_VM_TRAPS)
HashSet<RefPtr<SignalSender>> m_signalSenders;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
