[Webkit-unassigned] [Bug 182365] New: [JSCOnly] Ensure RunLoop::Timer is robust to being deleted inside its user callback

bugzilla-daemon at webkit.org
Wed Jan 31 16:54:47 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=182365

            Bug ID: 182365
           Summary: [JSCOnly] Ensure RunLoop::Timer is robust to being
                    deleted inside its user callback
           Product: WebKit
           Version: Other
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Web Template Framework
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at igalia.com
                CC: utatane.tea at gmail.com

Ensure RunLoop::Timer is robust to being deleted inside its user callback. This is a theoretical issue that I noticed as the result of an actual use-after-free caught by asan in WPE and GTK. See bug #182271. It's not actually possible to test the original reproducer using JSCOnly, because it was a WebKit-layer problem.

I'm going to attach a totally-untested, speculative fix for the theoretical issue. I think it's correct.
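
As an added illustration of the hazard the report describes (this is not the reporter's attached patch, which was scrubbed from the archive, nor WebKit's actual RunLoop code): a hypothetical minimal RunLoop/Timer pair in which the loop holds only a weak reference to a timer's shared state and finishes the firing step without ever touching the Timer object, so a callback that deletes its own Timer leaves nothing freed for the loop to dereference. The names TimerState, arm, runOnce and deleteTimerInsideCallback are my own.

```cpp
#include <functional>
#include <memory>
#include <vector>

// State shared by a Timer and the RunLoop: it outlives the Timer object, so the
// loop never dereferences a freed Timer after the user callback returns.
struct TimerState {
    TimerState(std::function<void()> c, bool r) : callback(std::move(c)), repeating(r) {}
    std::function<void()> callback;
    bool repeating = false, armed = false;
    bool alive = true;  // cleared by ~Timer, even when that runs inside the callback
};
class RunLoop {
public:
    void arm(const std::shared_ptr<TimerState>& s) { s->armed = true; pending.push_back(s); }
    void runOnce() {  // fire every timer armed before this call
        std::vector<std::weak_ptr<TimerState>> batch;
        batch.swap(pending);  // callbacks may arm timers into `pending` meanwhile
        for (auto& weak : batch) {
            auto s = weak.lock();           // strong ref keeps state valid across the callback
            if (!s || !s->armed) continue;  // Timer deleted or stopped before firing
            s->armed = false;
            auto cb = s->callback;          // copy: the callback may replace or clear it
            cb();
            // Only `s` is touched from here on, never the Timer, which may be freed by now.
            if (s->alive && s->repeating) arm(s);
        }
    }
private:
    std::vector<std::weak_ptr<TimerState>> pending;  // the loop owns no timers
};
class Timer {
public:
    Timer(RunLoop& l, std::function<void()> cb, bool repeating)
        : loop(l), state(std::make_shared<TimerState>(std::move(cb), repeating)) {}
    ~Timer() { state->alive = false; }  // seen by a runOnce() that is mid-callback
    void start() { loop.arm(state); }
private:
    RunLoop& loop;
    std::shared_ptr<TimerState> state;
};
// The scenario from the bug: the firing callback deletes its own repeating Timer.
int deleteTimerInsideCallback() {
    RunLoop loop; int runs = 0;
    Timer* t = new Timer(loop, [&] { ++runs; delete t; t = nullptr; }, true);
    t->start();
    loop.runOnce();  // frees the Timer mid-callback; the loop must not re-arm it
    loop.runOnce();  // nothing is pending any more
    return runs;     // 1
}
```

Built with ASan, the same scenario against a loop that re-reads Timer members after the callback is exactly the kind of use-after-free the report is guarding against.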
