Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3a7cb2ff43f8ceaf7c6ecede70c78b66121de0a3
https://github.com/WebKit/WebKit/commit/3a7cb2ff43f8ceaf7c6ecede70c78b66121de0a3
Author: Chris Dumez <[email protected]>
Date: 2026-03-23 (Mon, 23 Mar 2026)
Changed paths:
M Source/WTF/wtf/ThreadSafeWeakPtr.h
Log Message:
-----------
Fix missing memory fence in ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr::deref()
https://bugs.webkit.org/show_bug.cgi?id=310500

Reviewed by Keith Miller.

The strong-only deref path used memory_order_relaxed for the CAS that
decrements the ref count. When the count reached zero, the only fence
before object deletion was a seq_cst exchangeOr hidden inside an ASSERT,
meaning it was compiled out in release builds.

Without proper ordering, on ARM, the thread performing the deletion may
not see writes made by other threads before they released their
references, potentially causing the destructor to observe stale state.

Fix this using the standard release/acquire pattern for ref counting:
- Use memory_order_release on the decrement so each thread's writes to
  the object are published before its count change becomes visible.
- Add an acquire fence before deletion so the deleting thread
  synchronizes with all prior release decrements, making every other
  thread's writes visible before the destructor runs.

This matches the pattern used by std::shared_ptr implementations. The
ref() increment correctly remains memory_order_relaxed since the caller
already holds a valid reference.

* Source/WTF/wtf/ThreadSafeWeakPtr.h:
(WTF::ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr::deref const):
Canonical link: https://commits.webkit.org/309739@main
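
The release/acquire ordering described in the log message, as an added example that is not taken from the WebKit change. `Counted`, `write` and `runWorkers` are hypothetical names, and the decrement uses `fetch_sub` on a plain counter instead of the CAS in `ThreadSafeWeakPtr.h`.

```cpp
#include <atomic>
#include <thread>
#include <vector>

// Hypothetical stand-in for a thread-safe ref-counted object; not WebKit's class.
class Counted {
public:
    Counted(int slots, long* sumOut) : m_slots(slots, 0), m_sumOut(sumOut) { }
    ~Counted()
    {
        long sum = 0; // Reads plain (non-atomic) state written by other threads.
        for (int value : m_slots) sum += value;
        *m_sumOut = sum;
    }
    void ref() const { m_refCount.fetch_add(1, std::memory_order_relaxed); }
    void deref() const
    {
        // Release: this thread's writes are published before its decrement is visible.
        if (m_refCount.fetch_sub(1, std::memory_order_release) != 1)
            return;
        // Acquire: synchronize with every earlier release decrement before destruction.
        std::atomic_thread_fence(std::memory_order_acquire);
        delete this;
    }
    void write(int slot, int value) { m_slots[slot] = value; }

private:
    mutable std::atomic<unsigned> m_refCount { 1 };
    std::vector<int> m_slots;
    long* m_sumOut;
};

// Each worker writes its slot, then drops its reference; the last deref runs the destructor.
long runWorkers(int threadCount)
{
    long sum = -1;
    auto* object = new Counted(threadCount, &sum);
    std::vector<std::thread> workers;
    for (int i = 0; i < threadCount; ++i) {
        object->ref(); // Relaxed is enough: the creator already holds a reference.
        workers.emplace_back([object, i] { object->write(i, i + 1); object->deref(); });
    }
    object->deref(); // Drop the creator's reference.
    for (auto& worker : workers) worker.join();
    return sum;
}
```

With both orderings downgraded to `memory_order_relaxed`, the destructor's reads of `m_slots` race with the workers' writes, which a ThreadSanitizer build reports even on hardware where the sum happens to come out right.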