[Webkit-unassigned] [Bug 234188] New: Automatically forbid JS execution when we throw a TerminationException.
bugzilla-daemon at webkit.org
Fri Dec 10 17:10:26 PST 2021
https://bugs.webkit.org/show_bug.cgi?id=234188
Bug ID: 234188
Summary: Automatically forbid JS execution when we throw a TerminationException.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
For Worker threads, we throw a TerminationException when Worker.terminate() is called. Once the TerminationException is thrown, we expect to completely unwind out of any JS frames on the stack, and we also expect the client to never call into JS again. Previously, WebCore would call VM::setExecutionForbidden() to flag that we should not re-enter the VM anymore. On the JSC side, executionForbidden() is used to prevent micro-tasks from firing. On the WebCore side, it is used to prevent many things from running, including firing events.
Previously, we relied on the WebCore side to catch the TerminationException, determine that it is the TerminationException, and then call VM::setExecutionForbidden(). This is tedious and error prone, as there may be places in WebCore that should call VM::setExecutionForbidden() but are missed. This has been the source of some bugs with the handling of Worker termination in the past.
In this patch, we change VM to setExecutionForbidden() immediately when we throw the TerminationException, but only if VM::m_forbidExecutionOnTermination is set. Currently, we'll only set VM::m_forbidExecutionOnTermination for Workers because, for legacy reasons, other clients of JSC have the ability to re-enter the VM after a TerminationException unwinds out (which is ok to do when used under some controlled conditions). Until we can determine that it is safe to adopt this "forbid execution on termination" behavior universally, we'll adopt it only for workers.
In a subsequent patch, we can also look into removing all the places in WebCore that check for TerminationException in order to call VM::setExecutionForbidden(). We'll leave those in place for now, though they should be redundant after this patch.
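The following is an added illustrative model, not WebKit's code: a toy VM whose throw path marks execution forbidden when a hypothetical forbid-on-termination flag is set, contrasted with a client catch site that forgets to call setExecutionForbidden(). All class and function names are constructed for the example.

```cpp
#include <exception>

// Constructed stand-in for JSC's TerminationException.
struct TerminationException : std::exception {};

// Toy VM modelling the behaviour described in the bug report (not WebKit's VM).
class VM {
public:
    explicit VM(bool forbidExecutionOnTermination)
        : m_forbidExecutionOnTermination(forbidExecutionOnTermination) {}

    void setExecutionForbidden() { m_executionForbidden = true; }
    bool executionForbidden() const { return m_executionForbidden; }

    // Throws the termination exception. For Worker-style VMs the flag is set
    // here, at the throw site, so no client catch site can forget to set it.
    [[noreturn]] void throwTerminationException() {
        if (m_forbidExecutionOnTermination)
            setExecutionForbidden();
        throw TerminationException();
    }

    // Any re-entry into JS (e.g. a micro-task): refused once forbidden.
    // Returns true if the task actually ran.
    bool runMicrotask() { return !m_executionForbidden; }

private:
    bool m_forbidExecutionOnTermination;
    bool m_executionForbidden = false;
};

// Client catch site that forgot to call setExecutionForbidden(): the error-prone
// case the report describes. Returns true if JS was re-entered afterwards.
bool forgetfulClientReenters(bool forbidOnTermination) {
    VM vm(forbidOnTermination);
    try {
        vm.throwTerminationException();
    } catch (const TerminationException&) {
        // Missing: vm.setExecutionForbidden();
    }
    return vm.runMicrotask();
}

// Client catch site that does remember; re-entry is refused either way.
bool diligentClientReenters(bool forbidOnTermination) {
    VM vm(forbidOnTermination);
    try {
        vm.throwTerminationException();
    } catch (const TerminationException&) {
        vm.setExecutionForbidden();
    }
    return vm.runMicrotask();
}
```

With the flag off (the legacy behaviour), the forgetful client re-enters the VM after termination; with it on (the Worker behaviour), the VM refuses regardless of what the client does.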