[Webkit-unassigned] [Bug 130122] W32: Use-after-free in WTF threading code
bugzilla-daemon at webkit.org
Fri Apr 11 10:41:53 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=130122
Alexey Proskuryakov <ap at webkit.org> changed:
What    | Removed | Added
--------+---------+---------------------------
CC      |         | achristensen at apple.com,
        |         | ap at webkit.org,
        |         | bfulgham at webkit.org,
        |         | ggaren at apple.com,
        |         | roger_fong at apple.com
--- Comment #3 from Alexey Proskuryakov <ap at webkit.org> 2014-04-11 10:42:12 PST ---
I'm not convinced about the root cause. There is no way ThreadSpecificThreadExit() could possibly change the value of invocation - it's an object allocated on the stack. It also cannot touch ThreadFunctionInvocation - first, it doesn't delete heap objects, and second, this particular object was created on a different thread in the first place.
Perhaps FastMalloc becomes entirely unusable after ThreadSpecificThreadExit()? That seems possible, and if so, the fix would address the crash. It may be that a better fix would be inside FastMalloc code.
Could you please post steps to reproduce this crash?
See also: bug 44137.