[Webkit-unassigned] [Bug 199053] New: [bmalloc] IsoHeap's initialization is racy with IsoHeap::isInitialized

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 19 18:39:31 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=199053

            Bug ID: 199053
           Summary: [bmalloc] IsoHeap's initialization is racy with
                    IsoHeap::isInitialized
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ysuzuki at apple.com

Allocator offset is configured before deallocator offset is configured.
But isInitialized just checks Allocator offset.
As a result, if there are two threads A and B,

1. A has just initialized IsoHeap's allocator offset.
2. B sees it and B thinks IsoHeap is initialized
3. B does `std::max(handle.allocatorOffset(), handle.deallocatorOffset())`
4. Since deallocator offset is not configured yet at (1)'s point, it returns `0 - 1` => 0xffffffff
5. (3)'s result becomes 0xffffffff
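A deterministic replay of the interleaving described in the report, added here as an illustration and not code from bmalloc or WebKit; the handle layout (each offset stored as offset + 1 so that 0 means "not configured"), the field and function names, and the hardened check are assumptions, not the project's actual patch:

```cpp
#include <algorithm>
#include <atomic>

// Assumed model of the IsoHeap handle: each offset is stored plus one so that
// 0 means "not yet configured" (constructed for this example).
struct IsoHeapHandle {
    std::atomic<unsigned> allocatorOffsetPlusOne{0};
    std::atomic<unsigned> deallocatorOffsetPlusOne{0};

    // Unsigned wrap: an unconfigured field (0) yields 0 - 1 == 0xffffffff.
    unsigned allocatorOffset() const { return allocatorOffsetPlusOne.load(std::memory_order_relaxed) - 1; }
    unsigned deallocatorOffset() const { return deallocatorOffsetPlusOne.load(std::memory_order_relaxed) - 1; }

    // Racy check from the report: only the allocator offset is inspected, and it
    // is the first of the two fields to be written.
    bool isInitializedRacy() const { return allocatorOffsetPlusOne.load(std::memory_order_relaxed) != 0; }

    // Hardened check (assumed fix, not WebKit's patch): inspect the field that is
    // written last, with acquire ordering so the earlier store is visible as well.
    bool isInitializedFixed() const { return deallocatorOffsetPlusOne.load(std::memory_order_acquire) != 0; }

    // Thread A, step 1: the allocator offset is configured first.
    void configureAllocator(unsigned offset) { allocatorOffsetPlusOne.store(offset + 1, std::memory_order_relaxed); }
    // Thread A, later: the deallocator offset is configured second; the release
    // store publishes both fields to any thread that acquires it.
    void configureDeallocator(unsigned offset) { deallocatorOffsetPlusOne.store(offset + 1, std::memory_order_release); }
};

// Thread B, steps 2 and 3: if the handle looks initialized, take the larger of
// the two offsets. Returns 0 when the check fails (the caller would then take
// the initialization path instead).
unsigned observeFromThreadB(const IsoHeapHandle& handle, bool useFixedCheck) {
    bool initialized = useFixedCheck ? handle.isInitializedFixed() : handle.isInitializedRacy();
    if (!initialized)
        return 0;
    return std::max(handle.allocatorOffset(), handle.deallocatorOffset());
}

// Deterministic replay of the interleaving: A completes step 1 only, then B runs.
// With the racy check this returns 0xffffffff; with the hardened check B sees
// the heap as uninitialized and returns 0.
unsigned replayRace(bool useFixedCheck) {
    IsoHeapHandle handle;
    handle.configureAllocator(16); // A, step 1; deallocator still unset
    return observeFromThreadB(handle, useFixedCheck); // B, steps 2 to 5
}
```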
