[Webkit-unassigned] [Bug 167344] New: InferredTypeTable entry manipulation is not TOCTOU race safe

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 23 17:17:27 PST 2017


            Bug ID: 167344
           Summary: InferredTypeTable entry manipulation is not TOCTOU
                    race safe
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: msaboff at apple.com

InferredTypeTable.cpp has Time of Check, Time of Use (TOCTOU) races in code that accesses and modifies the values stored in the table.  Consider:

void InferredTypeTable::visitChildren(JSCell* cell, SlotVisitor& visitor)
{
    InferredTypeTable* inferredTypeTable = jsCast<InferredTypeTable*>(cell);

    ConcurrentJSLocker locker(inferredTypeTable->m_lock);

    for (auto& entry : inferredTypeTable->m_table) {
        if (!entry.value)
            continue;
        if (entry.value->isRelevant()) {
            // ... (remainder of the loop body omitted in the report)
        }
    }
}

Between the null check at the top of the loop and call to isRelevant(), the entry can be cleared by another thread.
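The shape of that race, and the usual fix for it, reduced to a self-contained illustration. This is an added example, not WebKit code: `TypeStub`, `Entry`, `scanRacy` and `scanSnapshot` are hypothetical names, the slots are `std::atomic` pointers so that the single-load version is well-defined on its own, and the "other thread" is modelled as a callback invoked in the window between the check and the use so that the interleaving is deterministic. The racy scan reads the slot once for the null check and again for the call, exactly the check-then-use pattern in the excerpt; the fixed scan loads the slot into a local once and then checks and uses that snapshot, so a concurrent clear can no longer turn the check into a null dereference.

```cpp
#include <atomic>
#include <cstddef>
#include <functional>
#include <vector>

// Hypothetical stand-in for the objects a table slot points at.
struct TypeStub {
    bool relevant;
    bool isRelevant() const { return relevant; }
};

// One table slot. A writer clears it by storing nullptr.
struct Entry {
    std::atomic<TypeStub*> value{nullptr};
};

struct ScanResult {
    std::size_t relevant = 0;      // entries found relevant by the scan
    bool nullDereference = false;  // true if the scan would have used a cleared slot
};

// Racy shape from the report: check the slot, then re-read it for the use.
// `interleave` stands for whatever another thread does between the two reads.
ScanResult scanRacy(std::vector<Entry>& table, const std::function<void()>& interleave) {
    ScanResult r;
    for (Entry& entry : table) {
        if (!entry.value.load())             // time of check
            continue;
        interleave();                        // window: another thread may clear the slot
        TypeStub* used = entry.value.load(); // time of use: an independent second read
        if (!used) {
            r.nullDereference = true;        // real code would dereference null here
            continue;
        }
        if (used->isRelevant())
            ++r.relevant;
    }
    return r;
}

// Fixed shape: load once, then check and use the same local snapshot.
ScanResult scanSnapshot(std::vector<Entry>& table, const std::function<void()>& interleave) {
    ScanResult r;
    for (Entry& entry : table) {
        TypeStub* snapshot = entry.value.load(); // single read of the slot
        if (!snapshot)
            continue;
        interleave();                            // a concurrent clear cannot affect `snapshot`
        if (snapshot->isRelevant())
            ++r.relevant;
    }
    return r;
}

struct Demo {
    ScanResult racy;
    ScanResult snapshot;
};

// Constructed scenario: three slots (relevant, irrelevant, relevant); the modelled
// other thread clears slot 0 the first time the check-to-use window is reached.
Demo runDemo() {
    static TypeStub stubs[3] = {{true}, {false}, {true}};
    std::vector<Entry> table(3);
    auto reset = [&] {
        for (std::size_t i = 0; i < 3; ++i)
            table[i].value.store(&stubs[i]);
    };
    bool cleared = false;
    auto clearSlot0Once = [&] {
        if (!cleared) {
            cleared = true;
            table[0].value.store(nullptr);
        }
    };

    Demo d;
    reset();
    d.racy = scanRacy(table, clearSlot0Once);     // check passes, use sees nullptr
    reset();
    cleared = false;
    d.snapshot = scanSnapshot(table, clearSlot0Once); // snapshot survives the clear
    return d;
}
```

In the constructed run, `scanRacy` reports that slot 0 was checked non-null and then used as null, and counts only one relevant entry; `scanSnapshot` counts both relevant entries and never touches a cleared slot. Whether the snapshot itself stays valid after the clear is a separate question (the object's lifetime must be covered by the GC or by the lock), but the snapshot removes the window this bug describes.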

