[Webkit-unassigned] [Bug 90849] New: Threadsafety issues in WebScriptObject
bugzilla-daemon at webkit.org
Mon Jul 9 23:20:29 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=90849
Summary: Threadsafety issues in WebScriptObject
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore JavaScript
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: barraclough at apple.com
WebScriptObject maintains a NSMap of wrapper objects. A race condition exists between a wrapper being retrieved from the map, and being released - if the final release on an object is called between a call to getJSWrapper and the subsequent retain, we may end up with a stale object reference.
We can make this safe by hoisting the removal from the map from dealloc up into release (if the retainCount is 1), and locking release against retrieval from the map. Since release may be called from another thread, and NSMap is not threadsafe, we'd better lock around all access to the map (this fix already necessitates get & remove to be locked, so this just adds 'add', too).
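As an added illustration (not WebKit's code), the following toy model shows both the racy lookup-then-retain pattern the report describes and the hardened form it proposes: lookup and retain under the same lock that release takes, with the map entry removed on the final release rather than in dealloc. Dealloc is modelled by a `dead` flag (the object is deliberately never freed) so a stale reference can be observed rather than crashing; `WrapperCache`, `Wrapper` and the `interleave` hook are constructed names for this example.

```cpp
#include <functional>
#include <mutex>
#include <unordered_map>

// Constructed model of a wrapper map: key -> ref-counted wrapper.
struct Wrapper {
    int key;
    int refCount = 1;   // the map's own reference
    bool dead = false;  // stands in for dealloc having run
};

class WrapperCache {
public:
    Wrapper* add(int key) {
        std::lock_guard<std::mutex> lock(mutex_);  // 'add' is locked too: the map is not thread-safe
        Wrapper* w = new Wrapper{key};
        map_[key] = w;
        return w;
    }
    // Racy pattern: lookup and retain are separate steps. `interleave` stands in for
    // another thread that may run (and perform the final release) between them.
    Wrapper* getThenRetainRacy(int key, const std::function<void()>& interleave) {
        Wrapper* w = nullptr;
        {
            std::lock_guard<std::mutex> lock(mutex_);
            auto it = map_.find(key);
            if (it != map_.end()) w = it->second;
        }
        interleave();
        if (w) w->refCount++;  // may "retain" an object whose dealloc already ran
        return w;
    }
    // Hardened pattern: lookup and retain happen under the lock release also takes,
    // so the final release cannot slip in between them.
    Wrapper* getAndRetain(int key) {
        std::lock_guard<std::mutex> lock(mutex_);
        auto it = map_.find(key);
        if (it == map_.end()) return nullptr;
        it->second->refCount++;
        return it->second;
    }
    // Hardened release: on the final release the entry is removed from the map under
    // the same lock, instead of later in dealloc, so a concurrent lookup cannot find it.
    void release(Wrapper* w) {
        std::lock_guard<std::mutex> lock(mutex_);
        if (--w->refCount > 0) return;
        map_.erase(w->key);
        w->dead = true;  // dealloc would happen here; object is leaked on purpose in this model
    }
private:
    std::mutex mutex_;
    std::unordered_map<int, Wrapper*> map_;
};
```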