Add a null check in VMTraps::willDestroyVM() to handle a race condition.
author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Mar 2017 19:29:26 +0000 (19:29 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Mar 2017 19:29:26 +0000 (19:29 +0000)
commit: 12a2e71f598a2eb045085d201824496584865904
tree: e19faa0df5724e3bdaebbd74cce816d14e152c49
parent: 372dcff98aa3164939f5d3eadcf370b2d66f6497
Add a null check in VMTraps::willDestroyVM() to handle a race condition.
https://bugs.webkit.org/show_bug.cgi?id=169620

Reviewed by Filip Pizlo.

There exists a race between VMTraps::willDestroyVM() (which removes SignalSenders
from its m_signalSenders list) and SignalSender::send() (which removes itself
from the list).  In the event that SignalSender::send() removes itself between
the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the
time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up
with a NULL sender pointer.  The fix is to add the missing null check before using
the sender pointer.

* runtime/VMTraps.cpp:
(JSC::VMTraps::willDestroyVM):
(JSC::VMTraps::fireTrap):
* runtime/VMTraps.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@213930 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/VMTraps.cpp
Source/JavaScriptCore/runtime/VMTraps.h
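To illustrate the race the commit message describes, here is an added example (not WebKit's code) that models the two operations with a hypothetical SenderList; the `between` callback stands in for the other thread's SignalSender::send(), so the interleaving is deterministic rather than timing-dependent.

```cpp
#include <algorithm>
#include <functional>
#include <mutex>
#include <vector>

// Hypothetical stand-ins for JSC's SignalSender and the m_signalSenders list (constructed here).
struct SignalSender { bool wasCancelled = false; };
class SenderList {
public:
    void add(SignalSender* s) { std::lock_guard<std::mutex> lock(m_lock); m_senders.push_back(s); }
    bool isEmpty() { std::lock_guard<std::mutex> lock(m_lock); return m_senders.empty(); }
    // Models SignalSender::send() removing itself from the list.
    void remove(SignalSender* s) {
        std::lock_guard<std::mutex> lock(m_lock);
        m_senders.erase(std::remove(m_senders.begin(), m_senders.end(), s), m_senders.end());
    }
    // Returns nullptr when the list is already empty: the value the race produces.
    SignalSender* takeAny() {
        std::lock_guard<std::mutex> lock(m_lock);
        if (m_senders.empty()) return nullptr;
        SignalSender* s = m_senders.back(); m_senders.pop_back();
        return s;
    }
private:
    std::mutex m_lock;
    std::vector<SignalSender*> m_senders;
};
// Models willDestroyVM(). isEmpty() and takeAny() are locked separately, so another thread can
// remove the last sender between them; `between` stands in for that thread's send(). Returns
// how many senders were cancelled.
int willDestroyVM(SenderList& list, const std::function<void()>& between) {
    int cancelled = 0;
    while (!list.isEmpty()) {
        between();                                   // send() may drain the list right here
        SignalSender* sender = list.takeAny();
        if (!sender) break;                          // the fix: sender already gone, do not dereference
        sender->wasCancelled = true; ++cancelled;
    }
    return cancelled;
}
// send() wins the race: with the null check nothing is dereferenced and nothing is cancelled.
bool raceLostSenderIsSkipped() {
    SenderList list; SignalSender a; list.add(&a);
    return willDestroyVM(list, [&] { list.remove(&a); }) == 0 && !a.wasCancelled;
}
// No interleaving: the sender is taken and cancelled as usual.
bool normalPathCancelsAll() {
    SenderList list; SignalSender b; list.add(&b);
    return willDestroyVM(list, [] {}) == 1 && b.wasCancelled;
}
```

Without the `if (!sender) break;` line, the first scenario dereferences a null pointer exactly as the commit message describes.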