LayoutTest workers/bomb.html is a Crash
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 4 Jul 2017 05:18:15 +0000 (05:18 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 4 Jul 2017 05:18:15 +0000 (05:18 +0000)
commit31d71c98885771dc516fbd8d5d9869718887729f
treeda2162f4154ec9a5b9234830137c2bf90e212eb1
parentd9b3e3f5837e9fd980416605d624aaff74039c72
LayoutTest workers/bomb.html is a Crash
https://bugs.webkit.org/show_bug.cgi?id=167757
<rdar://problem/33086462>

Reviewed by Keith Miller.

Source/JavaScriptCore:

VMTraps::SignalSender was accessing VM fields even after
the VM was destroyed. This happened when the SignalSender
thread was in the middle of its work() function while VMTraps
was notified that the VM was shutting down. The VM would proceed
to run its destructor even after the SignalSender thread finished
doing its work. This means that the SignalSender thread was accessing
VM field eve after VM was destructed (including itself, since it is
transitively owned by the VM). The VM must wait for the SignalSender
thread to shutdown before it can continue to destruct itself.

* runtime/VMTraps.cpp:
(JSC::VMTraps::willDestroyVM):

Source/WTF:

* wtf/AutomaticThread.cpp:
(WTF::AutomaticThreadCondition::waitFor):
* wtf/AutomaticThread.h:

LayoutTests:

* platform/mac-wk2/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@219114 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/platform/mac-wk2/TestExpectations
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/VMTraps.cpp
Source/WTF/ChangeLog
Source/WTF/wtf/AutomaticThread.cpp
Source/WTF/wtf/AutomaticThread.h