[Webkit-unassigned] [Bug 167344] New: InferredTypeTable entry manipulation is not TOCTOU race safe

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 23 17:17:27 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=167344

            Bug ID: 167344
           Summary: InferredTypeTable entry manipulation is not TOCTOU
                    race safe
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: msaboff at apple.com

InferredTypeTable.cpp has Time of Check, Time of Use (TOCTOU) races in code that accesses and modifies the values stored in the table.  Consider:

void InferredTypeTable::visitChildren(JSCell* cell, SlotVisitor& visitor)
{
    InferredTypeTable* inferredTypeTable = jsCast<InferredTypeTable*>(cell);

    ConcurrentJSLocker locker(inferredTypeTable->m_lock);

    for (auto& entry : inferredTypeTable->m_table) {
        if (!entry.value)               // time of check: entry.value is read here...
            continue;
        if (entry.value->isRelevant())  // ...time of use: entry.value is re-read and dereferenced here
            visitor.append(entry.value);
        else
            entry.value.clear();
    }
}

Between the null check at the top of the loop and the call to isRelevant(), the entry can be cleared by another thread.
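The general fix pattern for this kind of check-then-use race is to read the entry exactly once into a local and then perform both the null check and the use on that local, so that a concurrent clear of the slot cannot turn a passed check into a null dereference. The example below is added here to illustrate that pattern and is not code from WebKit or from this bug report: InferredType, Table, VisitStats, visitRacy, visitSafe and run are hypothetical stand-ins (the real m_table is not a vector of atomic pointers), and the sample table contents are constructed. The "preempt" callback deterministically models another thread running in the window between the check and the use, which is the interleaving the report describes.

```cpp
#include <atomic>
#include <cstdio>
#include <functional>
#include <vector>

// Stand-in for the InferredType cells the table points at (hypothetical type,
// not JavaScriptCore's).
struct InferredType {
    bool relevant;
    bool isRelevant() const { return relevant; }
};

// Stand-in for InferredTypeTable::m_table. Each slot is an atomic pointer so a
// visiting thread and a clearing thread may touch it concurrently (assumption
// made for this example; the real table is a hash map of entries).
using Table = std::vector<std::atomic<InferredType*>>;

struct VisitStats {
    int visited = 0;   // entries handed to the visitor
    int cleared = 0;   // entries cleared because they were no longer relevant
    int nullUses = 0;  // times the racy loop re-read a slot and found it null
};

// Racy form, mirroring the loop in the report: the slot is read once for the
// null check and read again for the use. `preempt` models another thread
// getting to run in the window between those two reads.
VisitStats visitRacy(Table& table, const std::function<void()>& preempt)
{
    VisitStats stats;
    for (auto& slot : table) {
        if (!slot.load())                    // time of check
            continue;
        preempt();                           // another thread may clear the slot here
        InferredType* value = slot.load();   // time of use: a second, independent read
        if (!value) {                        // real code would dereference null here
            stats.nullUses++;
            continue;
        }
        if (value->isRelevant())
            stats.visited++;
        else {
            slot.store(nullptr);
            stats.cleared++;
        }
    }
    return stats;
}

// Safe form: read the slot exactly once into a local, then check and use that
// local. A concurrent clear can no longer turn a passed check into a null use.
VisitStats visitSafe(Table& table, const std::function<void()>& preempt)
{
    VisitStats stats;
    for (auto& slot : table) {
        InferredType* value = slot.load();   // single read serves both check and use
        if (!value)
            continue;
        preempt();                           // same window as above, now harmless
        if (value->isRelevant())
            stats.visited++;
        else {
            slot.store(nullptr);
            stats.cleared++;
        }
    }
    return stats;
}

// Constructed sample table: two relevant types and one irrelevant one.
static Table makeTable(std::vector<InferredType>& cells)
{
    cells = { {true}, {false}, {true} };
    Table table(cells.size());
    for (size_t i = 0; i < cells.size(); ++i)
        table[i].store(&cells[i]);
    return table;
}

// Runs one visitor over a fresh sample table. `contended` models the
// interleaving from the report: "another thread" clears every slot right
// after the visitor's null check has passed.
VisitStats run(bool useSafeLoop, bool contended)
{
    std::vector<InferredType> cells;
    Table table = makeTable(cells);
    std::function<void()> preempt = [] {};
    if (contended)
        preempt = [&table] { for (auto& slot : table) slot.store(nullptr); };
    return useSafeLoop ? visitSafe(table, preempt) : visitRacy(table, preempt);
}

int main()
{
    VisitStats plain = run(true, false), racy = run(false, true), safe = run(true, true);
    std::printf("uncontended: visited=%d cleared=%d\n", plain.visited, plain.cleared);
    std::printf("racy loop under concurrent clear: null uses=%d\n", racy.nullUses);
    std::printf("safe loop under concurrent clear: visited=%d null uses=%d\n",
                safe.visited, safe.nullUses);
    return 0;
}
```

Uncontended, both loops visit two entries and clear one. Under the simulated concurrent clear, the racy loop passes the null check on the first entry and then re-reads a null pointer (a crash in the real code), while the safe loop still visits the entry it already loaded and simply skips the slots that were cleared before it reached them.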

<rdar://problem/30156092>
