[Webkit-unassigned] [Bug 167344] New: InferredTypeTable entry manipulation is not TOCTOU race safe
bugzilla-daemon at webkit.org
Mon Jan 23 17:17:27 PST 2017
https://bugs.webkit.org/show_bug.cgi?id=167344
Bug ID: 167344
Summary: InferredTypeTable entry manipulation is not TOCTOU race safe
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: msaboff at apple.com
InferredTypeTable.cpp has Time of Check, Time of Use (TOCTOU) races in code that accesses and modifies the values stored in the table. Consider:
void InferredTypeTable::visitChildren(JSCell* cell, SlotVisitor& visitor)
{
    InferredTypeTable* inferredTypeTable = jsCast<InferredTypeTable*>(cell);
    ConcurrentJSLocker locker(inferredTypeTable->m_lock);
    for (auto& entry : inferredTypeTable->m_table) {
        if (!entry.value)
            continue;
        if (entry.value->isRelevant())
            visitor.append(entry.value);
        else
            entry.value.clear();
    }
}
Between the null check at the top of the loop and the call to isRelevant(), the entry can be cleared by another thread.
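As an added example (not from the bug report or from WebKit), the following C++ model reproduces the check-to-use window described above with an injected interleaving hook, and contrasts it with the single-read shape that closes it. FakeInferredType, Entry, Interleave, visitRacy, visitSnapshot and runScenario are constructed stand-ins for the JavaScriptCore types, not the project's code.

```cpp
#include <atomic>
#include <functional>
#include <vector>
// Constructed stand-in for the InferredType cell held by each table entry.
struct FakeInferredType { bool relevant; bool isRelevant() const { return relevant; } };
// One m_table slot: read by the visitor while another thread may clear it.
struct Entry { std::atomic<FakeInferredType*> value{nullptr}; };
// Hook run inside the check-to-use window so a test can inject the other
// thread's clear deterministically instead of hoping a real race fires.
using Interleave = std::function<void(Entry&)>;
struct VisitResult { int appended = 0, cleared = 0, nullDerefs = 0; };

// Racy shape from the report: one read for the null check, a second read for
// isRelevant(); a clear between them is never checked.
VisitResult visitRacy(std::vector<Entry>& table, const Interleave& between) {
    VisitResult r;
    for (auto& entry : table) {
        if (!entry.value.load()) continue;         // time of check
        between(entry);                            // concurrent clear lands here
        FakeInferredType* t = entry.value.load();  // time of use: second read
        if (!t) { ++r.nullDerefs; continue; }      // the real code would crash
        if (t->isRelevant()) ++r.appended;
        else { entry.value.store(nullptr); ++r.cleared; }
    }
    return r;
}

// Fixed shape: read the slot once and act only on that snapshot; the clear is
// a compare-exchange so a slot changed underneath us is left alone.
VisitResult visitSnapshot(std::vector<Entry>& table, const Interleave& between) {
    VisitResult r;
    for (auto& entry : table) {
        FakeInferredType* t = entry.value.load();  // single read serves both
        if (!t) continue;
        between(entry);                            // a clear here cannot null t
        if (t->isRelevant()) { ++r.appended; continue; }
        FakeInferredType* expected = t;
        if (entry.value.compare_exchange_strong(expected, nullptr)) ++r.cleared;
    }
    return r;
}

// Constructed table: one relevant, one stale, one empty entry. `interfere`
// models another thread clearing each entry inside the check-to-use window.
VisitResult runScenario(bool useSnapshot, bool interfere) {
    static FakeInferredType relevant{true}, stale{false};
    std::vector<Entry> table(3);
    table[0].value.store(&relevant);
    table[1].value.store(&stale);
    Interleave between = [interfere](Entry& e) { if (interfere) e.value.store(nullptr); };
    return useSnapshot ? visitSnapshot(table, between) : visitRacy(table, between);
}
```

With interference injected, visitRacy records a null dereference for every live entry while visitSnapshot still visits the relevant one and declines to clear the slot another thread already changed.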
<rdar://problem/30156092>