[Webkit-unassigned] [Bug 182365] New: [JSCOnly] Ensure RunLoop::Timer is robust to being deleted inside its user callback
bugzilla-daemon at webkit.org
Wed Jan 31 16:54:47 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=182365
Bug ID: 182365
Summary: [JSCOnly] Ensure RunLoop::Timer is robust to being deleted inside its user callback
Product: WebKit
Version: Other
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: Web Template Framework
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at igalia.com
CC: utatane.tea at gmail.com
Ensure RunLoop::Timer is robust to being deleted inside its user callback. This is a theoretical issue that I noticed as the result of an actual use-after-free caught by ASan in WPE and GTK. See bug #182271. It's not actually possible to test the original reproducer using JSCOnly, because it was a WebKit-layer problem.
I'm going to attach a totally-untested, speculative fix for the theoretical issue. I think it's correct.
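The hazard the report describes, as an added illustration that is not WebKit's RunLoop::Timer and not the attached patch: two hypothetical timer classes (FragileTimer and RobustTimer, with assumed start/stop/fire methods) differ only in the order fire() does its work. The fragile one writes to its own members after invoking the user callback, so a callback that deletes the timer turns that write into a use-after-free; the robust one finishes all member updates first, takes a local copy of the callback, and dereferences nothing after the call returns. The deleting scenario is only exercised on the robust timer, because running it on the fragile one would be a real use-after-free of the kind ASan reports.

```cpp
#include <functional>
#include <memory>

// Hypothetical timers for illustration; neither is WebKit's RunLoop::Timer.
// Both expose the same tiny interface so the two fire() orderings can be compared.

// Fragile ordering: fire() writes to its own members AFTER the user callback returns.
class FragileTimer {
public:
    explicit FragileTimer(std::function<void()> fn) : m_function(std::move(fn)) {}
    void start() { m_isActive = true; }
    void stop() { m_isActive = false; }
    bool isActive() const { return m_isActive; }

    void fire()
    {
        if (!m_isActive)
            return;
        m_function();
        // Hazard: 'this' is touched after the callback. If the callback deleted the
        // timer, this write is a use-after-free; if it merely restarted the timer
        // (a repeating timer rescheduling itself), the restart is silently undone.
        m_isActive = false;
    }

private:
    std::function<void()> m_function;
    bool m_isActive { false };
};

// Robust ordering: every member update happens before the callback, and nothing
// in fire() dereferences 'this' once the callback has been invoked.
class RobustTimer {
public:
    explicit RobustTimer(std::function<void()> fn) : m_function(std::move(fn)) {}
    void start() { m_isActive = true; }
    void stop() { m_isActive = false; }
    bool isActive() const { return m_isActive; }

    void fire()
    {
        if (!m_isActive)
            return;
        m_isActive = false;                    // state update first, so a restart in the callback sticks
        std::function<void()> fn = m_function; // local copy: if the callback destroys the timer,
                                               // the std::function being executed is not the one destroyed
        fn();                                  // 'this' may be gone now; touch nothing after this line
    }

private:
    std::function<void()> m_function;
    bool m_isActive { false };
};

// Scenario 1: the callback restarts its own timer. Returns whether the timer is
// still active after fire(), i.e. whether the restart survived. Safe for both
// classes because nothing is deleted.
template<typename T>
bool restartSurvivesFire()
{
    std::unique_ptr<T> owner;
    owner.reset(new T([&owner] { owner->start(); }));
    owner->start();
    owner->fire();
    return owner->isActive();
}

// Scenario 2: the callback deletes the timer (the case in the bug title). Only the
// robust timer is exercised; on FragileTimer this would be a genuine use-after-free.
bool deletionInsideCallbackIsSafe()
{
    bool callbackRan = false;
    std::unique_ptr<RobustTimer> owner;
    owner.reset(new RobustTimer([&] { callbackRan = true; owner.reset(); }));
    owner->start();
    owner->fire(); // owner is null on return; fire() touched no member after the callback
    return callbackRan && !owner;
}
```

The restart scenario is the cheap way to catch this class of bug in a unit test without undefined behaviour: a post-callback member write shows up as a lost reschedule long before it shows up as a crash. Building the test suite with ASan (-fsanitize=address) then covers the deleting case directly.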