WebKit Bugzilla
Attachment 362221 Details for Bug 194750: Mach exception handler could see uninitialized handler
Patch: bug-194750-20190216145620.patch (text/plain), 4.85 KB, created by Keith Miller on 2019-02-16 14:56:22 PST (flags: patch, obsolete)
>Subversion Revision: 241632 >diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog >index af993227756a028a20044760ade9b421a555e55e..3915bad9ee9db40dfacd972602f895a36a7d00c0 100644 >--- a/Source/WTF/ChangeLog >+++ b/Source/WTF/ChangeLog >@@ -1,3 +1,28 @@ >+2019-02-16 Keith Miller <keith_miller@apple.com> >+ >+ Mach exception handler could see uninitialized handler >+ https://bugs.webkit.org/show_bug.cgi?id=194750 >+ <rdar://problem/47629892> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ If we register a mach exception handler for some exception type, >+ say illegal instruction, we will initialize the Bag of handlers >+ only for that exception type. If we see a different exception >+ type, say bad access, we know how to handler but did not register >+ a handler for, then we will dereference the uninitialized Bag for >+ bad access and get a nullptr dereference. >+ >+ This patch makes it so that we intialize all know handler bags >+ when registering the first exception type. >+ >+ * wtf/NeverDestroyed.h: >+ (WTF::LazyNeverDestroyed::operator[]): >+ (WTF::LazyNeverDestroyed::operator[] const): >+ * wtf/threads/Signals.cpp: >+ (WTF::installSignalHandler): >+ (WTF::jscSignalHandler): >+ > 2019-02-15 Ross Kirsling <ross.kirsling@sony.com> > > [WTF] Add environment variable helpers >diff --git a/Source/WTF/wtf/NeverDestroyed.h b/Source/WTF/wtf/NeverDestroyed.h >index c311f136ff5e5840ee5f49ee5f718686187d64c7..b3f47522ee56884551fb1ec0191db93079aab45f 100644 >--- a/Source/WTF/wtf/NeverDestroyed.h >+++ b/Source/WTF/wtf/NeverDestroyed.h >@@ -115,6 +115,12 @@ public: > bool isConstructed() const { return m_isConstructed; } > #endif > >+ template<typename Index> >+ auto& operator[](Index t) { return get()[t]; } >+ >+ template<typename Index> >+ const auto& operator[](Index t) const { return get()[t]; } >+ > private: > using PointerType = typename std::remove_const<T>::type*; 
> >diff --git a/Source/WTF/wtf/threads/Signals.cpp b/Source/WTF/wtf/threads/Signals.cpp >index fcd0f1d68faece8340c79b4e6c5db071b0a11234..ce406b00c52fa6d27994fc8fe22b0655de1c5ad9 100644 >--- a/Source/WTF/wtf/threads/Signals.cpp >+++ b/Source/WTF/wtf/threads/Signals.cpp >@@ -34,6 +34,7 @@ extern "C" { > }; > #endif > >+#include <array> > #include <cstdio> > #include <mutex> > #include <signal.h> >@@ -56,8 +57,7 @@ extern "C" { > namespace WTF { > > >-static LazyNeverDestroyed<LocklessBag<SignalHandler>> handlers[static_cast<size_t>(Signal::NumberOfSignals)] = { }; >-static std::once_flag initializeOnceFlags[static_cast<size_t>(Signal::NumberOfSignals)]; >+static LazyNeverDestroyed<std::array<LocklessBag<SignalHandler>, static_cast<size_t>(Signal::NumberOfSignals)>> handlers = { }; > static struct sigaction oldActions[static_cast<size_t>(Signal::NumberOfSignals)]; > > #if HAVE(MACH_EXCEPTIONS) >@@ -178,7 +178,7 @@ kern_return_t catch_mach_exception_raise_state( > } > > bool didHandle = false; >- handlers[static_cast<size_t>(signal)]->iterate([&] (const SignalHandler& handler) { >+ handlers[static_cast<size_t>(signal)].iterate([&] (const SignalHandler& handler) { > SignalAction handlerResult = handler(signal, info, registers); > didHandle |= handlerResult == SignalAction::Handled; > }); >@@ -243,6 +243,12 @@ static void jscSignalHandler(int, siginfo_t*, void*); > void installSignalHandler(Signal signal, SignalHandler&& handler) > { > ASSERT(signal < Signal::Unknown); >+ >+ static std::once_flag handlersFlag; >+ std::call_once(handlersFlag, [] { >+ handlers.construct(); >+ }); >+ > #if HAVE(MACH_EXCEPTIONS) > ASSERT(!useMach || signal != Signal::Usr); 
> >@@ -250,9 +256,8 @@ void installSignalHandler(Signal signal, SignalHandler&& handler) > startMachExceptionHandlerThread(); > #endif > >+ static std::once_flag initializeOnceFlags[static_cast<size_t>(Signal::NumberOfSignals)]; > std::call_once(initializeOnceFlags[static_cast<size_t>(signal)], [&] { >- handlers[static_cast<size_t>(signal)].construct(); >- > if (!useMach) { > struct sigaction action; > action.sa_sigaction = jscSignalHandler; >@@ -271,7 +276,7 @@ void installSignalHandler(Signal signal, SignalHandler&& handler) > > }); > >- handlers[static_cast<size_t>(signal)]->add(WTFMove(handler)); >+ handlers[static_cast<size_t>(signal)].add(WTFMove(handler)); > > #if HAVE(MACH_EXCEPTIONS) > auto locker = holdLock(activeThreads().getLock()); >@@ -312,7 +317,7 @@ void jscSignalHandler(int sig, siginfo_t* info, void* ucontext) > > bool didHandle = false; > bool restoreDefaultHandler = false; >- handlers[static_cast<size_t>(signal)]->iterate([&] (const SignalHandler& handler) { >+ handlers[static_cast<size_t>(signal)].iterate([&] (const SignalHandler& handler) { > switch (handler(signal, sigInfo, registers)) { > case SignalAction::Handled: > didHandle = true;
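Review bot: the ChangeLog description in the first hunk has typos that should be fixed before landing: "we know how to handler but did not register a handler for" should read "we know how to handle but did not register a handler for", and "we intialize all know handler bags" should read "we initialize all known handler bags". It would also help to state the ordering invariant the fix relies on, namely that `handlers.construct()` now runs before `startMachExceptionHandlerThread()`, since that ordering is the actual reason the exception thread can no longer observe an unconstructed Bag.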
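Review bot: in the NeverDestroyed.h hunk the parameter of the two new `operator[]` overloads is named `t`, which reads as a value rather than a subscript; `index` would match its use as `get()[t]`. Both overloads forward through `get()`, so they inherit whatever constructed-state precondition `get()` has; a one-line comment saying the subscript is only valid after `construct()` would document that for callers such as the signal handlers, where a failed precondition check is not an option.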
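Review bot: in the Signals.cpp declaration hunk the `= { }` initializer on the new `handlers` declaration is carried over from the old `handlers[...] = { }` array and is now redundant, since the object is explicitly brought up through `handlers.construct()`; dropping it avoids suggesting the bags are usable before `installSignalHandler` has run.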
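Review bot: the placement of the new `std::call_once(handlersFlag, ...)` in the `installSignalHandler` hunk is what makes the fix work and deserves a comment in the code: it sits before the `#if HAVE(MACH_EXCEPTIONS)` block that calls `startMachExceptionHandlerThread()` and before the per-signal `call_once` that installs the `sigaction`, so every LocklessBag in the array is constructed before any exception thread or signal handler can read `handlers[...]`. Without a comment, a later reordering (for example moving the construct back into the per-signal block, as the removed `handlers[static_cast<size_t>(signal)].construct();` line had it) would silently reintroduce the nullptr dereference this patch fixes.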