[Webkit-unassigned] [Bug 238493] IPC::Connection::UniqueID is not possible to use in thread safe manner

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 30 01:01:29 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=238493

--- Comment #2 from Kimmo Kinnunen <kkinnunen at apple.com> ---
IPC::Connection::send(UniqueID, ..) uses a lock to ensure that the instance is not deleted.

However, the instance could already be in its destructor when the lock is taken.

Consider UniqueID == 1, Connection instance = 0x1234

Thread A:

template<typename T>
bool Connection::send(UniqueID connectionID, T&& message, uint64_t destinationID, OptionSet<SendOption> sendOptions, std::optional<Thread::QOS> qos)
{
    Locker locker { s_connectionMapLock };
    auto* connection = connectionMap().get(connectionID);
    if (!connection)
        return false;
    return connection->send(WTFMove(message), destinationID, sendOptions, qos); // <-- THREAD A here inside this for this=0x1234
}


Thread B:

Connection::~Connection()
{
    // <--Thread B HERE for this=0x1234

    ASSERT(RunLoop::isMain());
    ASSERT(!isValid());


    {
        Locker locker { s_connectionMapLock };
        connectionMap().remove(m_uniqueID);
    }

    clearAsyncReplyHandlers(*this);
}
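An added example, not WebKit's code, of one way to close the window described above: the map stores weak references (std::weak_ptr here, standing in for WTF's own smart pointers, which is an assumption) so that send(UniqueID, ...) either obtains a strong reference under the lock that keeps the instance alive for the whole call, or gets nothing once the last owner has already entered ~Connection().

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <mutex>
#include <string>
// Added example (not WebKit code): connections register by id in a map of
// weak_ptrs. A lookup under the lock yields a strong reference that keeps the
// instance alive for the whole send, or null once the last owner has entered
// ~Connection() (use_count()==0), so send() never touches a dying object.
class Connection {
public:
    using UniqueID = uint64_t;
    static std::shared_ptr<Connection> create(UniqueID id) {
        std::shared_ptr<Connection> conn(new Connection(id));
        std::lock_guard<std::mutex> locker(s_connectionMapLock);
        connectionMap()[id] = conn; // weak entry: the map never extends the lifetime
        return conn;
    }
    ~Connection() {
        ++s_destroyedCount;
        std::lock_guard<std::mutex> locker(s_connectionMapLock);
        connectionMap().erase(m_uniqueID);
    }
    // Send by id: take the strong reference while locked, use it unlocked.
    static bool send(UniqueID id, const std::string& message) {
        std::shared_ptr<Connection> conn;
        {
            std::lock_guard<std::mutex> locker(s_connectionMapLock);
            auto it = connectionMap().find(id);
            if (it != connectionMap().end())
                conn = it->second.lock(); // null while ~Connection() is running
        }
        return conn && conn->send(message);
    }
    bool send(const std::string& message) { m_bytesSent += message.size(); return true; }
    std::size_t bytesSent() const { return m_bytesSent; }
    static int destroyedCount() { return s_destroyedCount; }
private:
    explicit Connection(UniqueID id) : m_uniqueID(id) {}
    static std::map<UniqueID, std::weak_ptr<Connection>>& connectionMap() {
        static std::map<UniqueID, std::weak_ptr<Connection>> map;
        return map;
    }
    static std::mutex s_connectionMapLock;
    static int s_destroyedCount;
    UniqueID m_uniqueID;
    std::size_t m_bytesSent = 0;
};
std::mutex Connection::s_connectionMapLock;
int Connection::s_destroyedCount = 0;
```

The strong reference taken inside the locked block is what keeps the instance alive after the lock is dropped; a raw pointer looked up under the same lock gives no such guarantee.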
