[Webkit-unassigned] [Bug 238871] Multiple uses of ThreadSafeRefCounted and CanMakeWeakPtr with non-thread-safe WeakPtr

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 15 01:58:47 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=238871

--- Comment #12 from youenn fablet <youennf at gmail.com> ---
> A counter-argument here would be that if there's a common pattern that
> frequently leads to security issues, we should consider blocking that
> pattern entirely (ideally at compile time) to prevent future bugs of that
> type.

The general case does not seem too bad to me; you cannot use WeakPtr except in the right thread.

That said, https://github.com/WebKit/WebKit/pull/6078 shows at least one problematic case.
If you have the combo WeakPtr and ThreadSafeRefCounted<DestructionThread::Main>, WeakPtr might hold a valid pointer to a ThreadSafeRefCounted whose count is zero (object is scheduled to be destroyed in main thread but not yet) and we might create a Ref from the WeakPtr during that time.
It would be nice to either fix or outlaw this combo.

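The window described above, as an added example that is not part of the original comment or of WebKit's code: a constructed model in which the final deref queues deletion on the main thread (as `ThreadSafeRefCounted<DestructionThread::Main>` does) while the weak-pointer flag is cleared only in the destructor, beside a checked upgrade that refuses to revive a zero count. The names `Object`, `MainThreadQueue`, `tryRefViaWeakFlag`, `tryRefChecked` and `runWindowScenario` are assumptions.

```cpp
#include <atomic>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Constructed model, not WebKit code. Tasks queued here stand in for the
// main-thread destruction hop of ThreadSafeRefCounted<DestructionThread::Main>.
struct MainThreadQueue {
    std::vector<std::function<void()>> tasks;
    void run() { auto t = std::move(tasks); for (auto& f : t) f(); }
};

class Object {
public:
    explicit Object(MainThreadQueue& q) : m_queue(q) {}
    ~Object() { *m_alive = false; }          // WeakPtrs become null only here
    void ref() { m_count.fetch_add(1); }
    void deref() {
        if (m_count.fetch_sub(1) == 1)       // last reference dropped: count is 0,
            m_queue.tasks.push_back([this] { delete this; });  // but not freed yet
    }
    // Unsafe "Ref from WeakPtr": trusts the weak flag alone, so it revives an
    // object whose deletion is already queued on the main thread.
    bool tryRefViaWeakFlag() { if (!*m_alive) return false; ref(); return true; }
    // Checked variant: a CAS loop that never increments a zero count.
    bool tryRefChecked() {
        unsigned c = m_count.load();
        while (c != 0) if (m_count.compare_exchange_weak(c, c + 1)) return true;
        return false;
    }
private:
    MainThreadQueue& m_queue;
    std::atomic<unsigned> m_count{1};
    std::shared_ptr<bool> m_alive = std::make_shared<bool>(true);  // weak-ptr state
};

// Returns {revived by the unsafe path, revived by the checked path}. The queue
// deletes both objects afterwards and nothing touches them again, so the function
// itself is well defined; in the unsafe case a real caller would keep a Ref to
// memory the main thread is about to free.
std::pair<bool, bool> runWindowScenario() {
    MainThreadQueue queue;
    auto* a = new Object(queue);
    auto* b = new Object(queue);
    a->deref();                              // count 0, delete queued, flag still true
    b->deref();
    bool unsafeRevived = a->tryRefViaWeakFlag();   // true: looks alive, count back to 1
    bool checkedRevived = b->tryRefChecked();      // false: zero count is final
    queue.run();                             // "main thread" now runs both deletes
    return {unsafeRevived, checkedRevived};
}
```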