Specifically, the race I'm worried about is:

```
m_ownerThread = ...; // set to non-null value some time long ago.
T1: VMTraps signal sender thread.
T2: VM main execution thread.

T1: tmp1 = m_ownerThread.m_ptr;
T2: tmp2 = m_ownerThread.m_ptr;
T2: m_ownerThread.m_ptr = nullptr;
T2: tmp2->deref(); // ref count going from 1->0
T2: ~(tmp2);
T1: tmp1->ref(); // UAF
```

Would be helpful if somebody else looked to see if there are errors in my logic here.
(In reply to Saam Barati from comment #0)
> Specifically, the race I'm worried about is:
>
> ```
> m_ownerThread = ...; // set to non-null value some time long ago.
> T1: VMTraps signal sender thread.
> T2: VM main execution thread.
>
> T1: tmp1 = m_ownerThread.m_ptr;
> T2: tmp2 = m_ownerThread.m_ptr;
> T2: m_ownerThread.m_ptr = nullptr;
> T2: tmp2->deref(); // ref count going from 1->0
> T2: ~(tmp2);
> T1: tmp1->ref(); // UAF
> ```
>
> Would be helpful if somebody else looked to see if there are errors in my
> logic here.

Actually, it'd look somewhat different, since we never null out that pointer, we just assign new pointers in, but the race still holds I think:

```
m_ownerThread = ...; // set to non-null a long time ago
T1: VMTraps signal sender thread.
T2: VM main execution thread.

T1: tmp1 = m_ownerThread.m_ptr;
T2: tmp2 = m_ownerThread.m_ptr;
T2: m_ownerThread.m_ptr = some other ptr;
T2: tmp2->deref(); // ref count going from 1->0
T2: ~(tmp2);
T1: tmp1->ref(); // UAF
```
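The interleaving from the two comments above, replayed deterministically in one thread so the ref-count arithmetic can be checked; this is added illustration, not WebKit code, and the `Thread`, `RefPtrSlot` and `assign` names are stand-ins for the real RefPtr/Thread types. The second function shows why taking the ref under the same lock the writer holds keeps the old object's count from reaching zero.

```cpp
#include <mutex>

// Toy stand-in for a ref-counted Thread. Reaching zero sets a flag
// instead of freeing, so a use-after-free is observable, not undefined.
struct Thread {
    int refCount = 1;          // the one ref owned by m_ownerThread
    bool destroyed = false;
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) destroyed = true; }
};

// Minimal RefPtr-like slot: a plain, non-atomic pointer store.
struct RefPtrSlot { Thread* m_ptr; };

// Mirrors RefPtr assignment as described in comment #1: ref the new
// object, store the pointer, then deref the old one (the T2 steps).
void assign(RefPtrSlot& slot, Thread* next) {
    Thread* tmp2 = slot.m_ptr;
    next->ref();
    slot.m_ptr = next;
    tmp2->deref();             // may go 1 -> 0 and destroy tmp2
}

// Replays the reported interleaving. Returns true if T1's ref() lands
// on an object that T2's deref() has already destroyed.
bool racyReplay() {
    Thread a, b;
    RefPtrSlot m_ownerThread{&a};          // set to non-null long ago
    Thread* tmp1 = m_ownerThread.m_ptr;    // T1: raw read, no ref taken
    assign(m_ownerThread, &b);             // T2: store other ptr, deref old
    bool uaf = tmp1->destroyed;            // a is already gone here
    tmp1->ref();                           // T1: the UAF from the report
    return uaf;
}

// Same steps with both sides under one lock (hypothetical fix): T1's
// read+ref is atomic with respect to T2's store+deref, so the old
// object's count goes 2 -> 1 instead of 1 -> 0.
bool guardedReplay() {
    std::mutex lock;
    Thread a, b;
    RefPtrSlot m_ownerThread{&a};
    Thread* tmp1;
    { std::lock_guard<std::mutex> g(lock); tmp1 = m_ownerThread.m_ptr; tmp1->ref(); } // T1
    { std::lock_guard<std::mutex> g(lock); assign(m_ownerThread, &b); }               // T2
    bool uaf = tmp1->destroyed;            // false: a still has T1's ref
    tmp1->deref();                         // T1 releases its own ref
    return uaf;
}
```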
<rdar://problem/47417563>