Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 23922a766f070f42e408f607b37e0a47612b00e2
https://github.com/WebKit/WebKit/commit/23922a766f070f42e408f607b37e0a47612b00e2
Author: Mark Lam <[email protected]>
Date: 2026-01-15 (Thu, 15 Jan 2026)
Changed paths:
M Source/JavaScriptCore/runtime/VM.cpp
M Source/JavaScriptCore/runtime/VM.h
M Source/JavaScriptCore/runtime/VMTraps.cpp
Log Message:
-----------
Fix a race condition with the setting of VM::m_hasTerminationRequest.
https://bugs.webkit.org/show_bug.cgi?id=305440
rdar://168110635
Reviewed by Yusuke Suzuki.
VM::notifyNeedTermination() was calling setHasTerminationRequest() followed by setting the VMTraps::NeedTermination trap bit. The code expects m_hasTerminationRequest to be set while a NeedTermination trap is being processed. VM::notifyNeedTermination() can be called from the main thread.

However, on the worker thread, VM::executeEntryScopeServicesOnExit() will clearHasTerminationRequest() if the trap bit is not already set. If VM::notifyNeedTermination() is called between these 2 operations, we will effectively clear the m_hasTerminationRequest while the NeedTermination trap bit is set. This breaks the invariant that expects m_hasTerminationRequest to still be set.

In fact, there really wasn't a need to setHasTerminationRequest() from VM::notifyNeedTermination(). We can just set it inside VMTraps::handleTraps() when we know that we need to process a termination. VMTraps::handleTraps() is only called from the mutator thread, which is the worker thread in this case. This will completely remove the race.

Also removed the `!exception` condition from the ASSERT in VM::setException(). We should never be calling VM::setException() with a nullptr. This is stale code from back when we didn't have a distinct VM::clearException() function.
No new test because this issue can only manifest if a termination request happens to land in time between 2 statements being executed in the worker thread. It is exceedingly difficult to reproduce this race condition in order to write a test.
* Source/JavaScriptCore/runtime/VM.cpp:
(JSC::VM::setHasTerminationRequest):
(JSC::VM::setException):
* Source/JavaScriptCore/runtime/VM.h:
(JSC::VM::hasTerminationRequest const):
(JSC::VM::notifyNeedTermination):
(JSC::VM::setHasTerminationRequest): Deleted.
* Source/JavaScriptCore/runtime/VMTraps.cpp:
(JSC::VMTraps::handleTraps):
Canonical link: https://commits.webkit.org/305643@main
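The interleaving the commit message describes, replayed step by step as an added illustration (this is not WebKit or JavaScriptCore code; the struct, the function names and the single-threaded replay are assumptions modelled on the names in the message). It shows why the old two-step notify plus the worker's check-then-clear can leave the trap bit set with the request flag cleared, and why moving the flag store into the trap handler on the mutator thread removes the window:

```cpp
#include <atomic>
#include <cstdint>

// Hypothetical model of the two pieces of state the commit message names.
// Not WebKit code: the layout is invented here for illustration only.
struct VmModel {
    static constexpr uint32_t NeedTermination = 1u << 0;   // the trap bit
    std::atomic<uint32_t> trapBits{0};                     // VMTraps bits
    std::atomic<bool> hasTerminationRequest{false};        // m_hasTerminationRequest
};

// The invariant the message states: whenever a NeedTermination trap is
// observed for processing, hasTerminationRequest must already be set.
static bool invariantHolds(const VmModel& vm) {
    bool trapPending = (vm.trapBits.load() & VmModel::NeedTermination) != 0;
    return !trapPending || vm.hasTerminationRequest.load();
}

// --- Old design (before the fix) ---------------------------------------
// Main thread: set the flag, then the trap bit, as two separate stores.
static void oldNotifyNeedTermination(VmModel& vm) {
    vm.hasTerminationRequest.store(true);
    vm.trapBits.fetch_or(VmModel::NeedTermination);
}
// Worker thread on entry-scope exit: clear the flag if no trap bit is set.
// Split into "check" and "clear" so the racy interleaving can be spelled out.
static bool exitScopeSeesNoTrap(const VmModel& vm) {
    return (vm.trapBits.load() & VmModel::NeedTermination) == 0;
}
static void exitScopeClearRequest(VmModel& vm) {
    vm.hasTerminationRequest.store(false);
}

// Replay of the bad interleaving on one thread:
//   worker: check (no trap yet) -> main: notify -> worker: clear
// Returns whether the invariant survives. It does not.
bool oldDesignInvariantHoldsAfterRace() {
    VmModel vm;
    bool noTrap = exitScopeSeesNoTrap(vm);   // worker observes trapBits == 0
    oldNotifyNeedTermination(vm);            // main thread lands in between
    if (noTrap)
        exitScopeClearRequest(vm);           // worker clears the flag anyway
    return invariantHolds(vm);               // false: trap set, flag cleared
}

// --- New design (after the fix) ----------------------------------------
// Main thread only sets the trap bit; it no longer touches the flag.
static void newNotifyNeedTermination(VmModel& vm) {
    vm.trapBits.fetch_or(VmModel::NeedTermination);
}
// Mutator (worker) thread handles traps: the flag is set here, immediately
// before termination is processed, so no other thread can clear it between
// the store and the processing that relies on it.
static bool newHandleTraps(VmModel& vm) {
    if (vm.trapBits.load() & VmModel::NeedTermination) {
        vm.hasTerminationRequest.store(true);
        return invariantHolds(vm);           // checked at the point of processing
    }
    return true;                             // nothing to process
}

// Same interleaving under the new design: the exit-scope clear only ever
// clears a flag that is still false, and handleTraps establishes it itself.
bool newDesignInvariantHoldsAfterRace() {
    VmModel vm;
    bool noTrap = exitScopeSeesNoTrap(vm);   // worker: same check as before
    newNotifyNeedTermination(vm);            // main thread lands in between
    if (noTrap)
        exitScopeClearRequest(vm);           // clears an already-false flag
    return newHandleTraps(vm);               // true
}
```

The replay is deliberately sequential: a real reproduction would need the main thread's store to land in the narrow window between the worker's two statements, which is exactly why the commit adds no test. The model instead fixes the interleaving and checks the invariant at the point where the trap is processed.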