Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d3494187c3d3c1da6f9ca7765489b3ad15e85666
      
https://github.com/WebKit/WebKit/commit/d3494187c3d3c1da6f9ca7765489b3ad15e85666
  Author: Yusuke Suzuki <[email protected]>
  Date:   2025-11-05 (Wed, 05 Nov 2025)

  Changed paths:
    M Source/JavaScriptCore/runtime/VM.h
    M Source/JavaScriptCore/runtime/VMManager.cpp

  Log Message:
  -----------
  [JSC] VM::m_isInService should be initialized before VMThreadContext
https://bugs.webkit.org/show_bug.cgi?id=302043
rdar://164088401

Reviewed by Mark Lam.

After VMThreadContext is initialized, VM is exposed to the other
concurrent threads. So any thread can see this VM via
VMManager::forEachVM etc. We are checking `VM::isInService()` before
using it in each thread to ensure that VM has already finalized its
initialization. However, this method reads a bool field
`VM::m_isInService`, and it is initialized after VMThreadContext is
initialized. This means that it is possible that the concurrent thread
will see a stale value which exists in the allocated memory. If it is
not 0, then we accidentally see this VM as in-service while it is not
yet. This patch moves this field to ensure that initialization
of this field is done before initializing VMThreadContext. And we also
ensure that this bool field is `false` when initializing VMThreadContext
since VM is not fully initialized yet.

* Source/JavaScriptCore/runtime/VM.h:
* Source/JavaScriptCore/runtime/VMManager.cpp:
(JSC::VMThreadContext::VMThreadContext):

Canonical link: https://commits.webkit.org/302617@main
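The ordering bug described in the commit message comes down to a C++ rule: non-static data members are constructed in declaration order, whatever order the mem-initializer list is written in. The following added example (not WebKit's code) models that with two hypothetical stand-ins, `ThreadContext` and `VMBefore`/`VMAfter`, and simulates reused heap memory by constructing each VM with placement new into a buffer pre-filled with a nonzero byte. The context reads the flag's raw storage byte at the moment it "publishes" the VM, which is what a racing reader of `isInService()` would observe; the names `m_threadContext`, `flagSeenAtPublish` and `readerWouldUseVM` are assumptions for the illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <new>

// Hypothetical stand-ins for VMThreadContext and VM (example code, not
// WebKit's). The context "publishes" its VM the moment it is constructed,
// which is when other threads could start calling isInService() on it.
struct ThreadContext {
    // Reads the flag the way a racing thread would: as the raw byte sitting
    // in the VM's storage at that instant. Copying the object representation
    // keeps the read deterministic even when the bool is not yet initialized.
    explicit ThreadContext(const bool* inServiceFlag) {
        std::memcpy(&observedFlagByte, inServiceFlag, 1);
    }
    unsigned char observedFlagByte;
};

// Layout before the fix: C++ constructs members in declaration order,
// regardless of the order written in the mem-initializer list. The context
// is declared first, so it runs while m_isInService still holds whatever the
// allocator left in that byte.
struct VMBefore {
    VMBefore() : m_threadContext(&m_isInService), m_isInService(false) {}
    ThreadContext m_threadContext;
    bool m_isInService;
};

// Layout after the fix: the flag is declared (and therefore initialized to
// false) before the context, so a racing reader sees "not in service".
struct VMAfter {
    VMAfter() : m_isInService(false), m_threadContext(&m_isInService) {}
    bool m_isInService;
    ThreadContext m_threadContext;
};

// Constructs a VM in memory pre-filled with `staleByte` (simulating reused
// heap memory) and returns the flag byte the context observed at publish time.
template <typename VM>
unsigned char flagSeenAtPublish(unsigned char staleByte) {
    alignas(VM) unsigned char storage[sizeof(VM)];
    std::memset(storage, staleByte, sizeof storage);  // constructed stale memory
    VM* vm = new (storage) VM;
    unsigned char seen = vm->m_threadContext.observedFlagByte;
    vm->~VM();
    return seen;
}

// The racing thread's decision: any nonzero byte reads as "in service".
bool readerWouldUseVM(unsigned char seenByte) { return seenByte != 0; }
```

With a stale byte of 0x01, `flagSeenAtPublish<VMBefore>` reports 0x01 and the reader would wrongly treat the half-constructed VM as in service, while `flagSeenAtPublish<VMAfter>` reports 0x00. Moving the field declaration, rather than reordering the initializer list, is the only change that affects this, which is why the fix lives in VM.h.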


