[webkit-changes] [WebKit/WebKit] cf8997: [JSC] Prevent GC from collecting plan dependencies...

Dan Hecht noreply@github.com
Wed Jul 24 09:21:06 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cf8997ca4715f44b3a402db14914b720c29772c9
      https://github.com/WebKit/WebKit/commit/cf8997ca4715f44b3a402db14914b720c29772c9
  Author: Dan Hecht <dan.hecht@apple.com>
  Date:   2024-07-24 (Wed, 24 Jul 2024)

  Changed paths:
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/dfg/DFGGraphSafepoint.cpp
    M Source/JavaScriptCore/dfg/DFGGraphSafepoint.h
    M Source/JavaScriptCore/dfg/DFGPlan.cpp
    M Source/JavaScriptCore/ftl/FTLCompile.cpp
    M Source/JavaScriptCore/jit/BaselineJITPlan.cpp
    M Source/JavaScriptCore/jit/JITPlan.cpp
    M Source/JavaScriptCore/jit/JITPlan.h
    M Source/JavaScriptCore/jit/JITSafepoint.cpp
    M Source/JavaScriptCore/jit/JITSafepoint.h
    M Source/JavaScriptCore/jit/JITWorklistThread.h

  Log Message:
  -----------
  [JSC] Prevent GC from collecting plan dependencies while inside B3::generate()
https://bugs.webkit.org/show_bug.cgi?id=276911
rdar://122517397

Reviewed by Yusuke Suzuki.

B3::generate() is executed inside a safepoint, meaning the GC is allowed
to run concurrently. However, patchpoint generation may reference GCed
objects, potentially leading to UAF.

Change 272710@main reduced the race window between GC and patchpoint
generation for a known case; however, the window was not eliminated.

In order to eliminate this race, extend the Safepoint mechanism to
include a mode where GC is allowed to run but the current plan's
dependencies are kept live during the safepoint. Then use this in
the safepoint around B3::generate() so that patchpoints can safely
access dependencies of the plan while the GC is still allowed to
collect/cancel other plans and unrelated objects.

Note that in practice, marking the plan's dependencies as live also
means that this plan will not be canceled during this safepoint,
since the liveness predicates for determining whether a plan can be
canceled are themselves dependencies of the plan. So the tradeoff to
allowing B3::generate() to run inside a safepoint is that the current
plan cannot be canceled during a GC cycle that completes during the
B3::generate() safepoint. Make this implication explicit with some asserts.

Revert most of 272710@main except for its test case which continues to
be the regression test for this race.

* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::globalObjectFor):
* Source/JavaScriptCore/dfg/DFGGraphSafepoint.cpp:
(JSC::DFG::GraphSafepoint::GraphSafepoint):
* Source/JavaScriptCore/dfg/DFGGraphSafepoint.h:
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::isKnownToBeLiveDuringGC):
(JSC::DFG::Plan::isKnownToBeLiveAfterGC):
* Source/JavaScriptCore/ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* Source/JavaScriptCore/jit/BaselineJITPlan.cpp:
(JSC::BaselineJITPlan::compileInThreadImpl):
* Source/JavaScriptCore/jit/JITPlan.cpp:
(JSC::JITPlan::cancel):
(JSC::JITPlan::safepointKeepsDependenciesLive const):
* Source/JavaScriptCore/jit/JITPlan.h:
* Source/JavaScriptCore/jit/JITSafepoint.cpp:
(JSC::Safepoint::isKnownToBeLiveDuringGC):
(JSC::Safepoint::keepDependenciesLive const):
* Source/JavaScriptCore/jit/JITSafepoint.h:
* Source/JavaScriptCore/jit/JITWorklistThread.h:

Canonical link: https://commits.webkit.org/281300@main
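The following is an added toy model, written for this note and not JavaScriptCore's code, of the mechanism the commit message describes: a safepoint during which the collector may run, with a mode that treats the current plan's dependencies as roots. The names (`Safepoint`, `Plan`, `Heap`, `simulateGenerate`, `safepointKeepsDependenciesLive`) are illustrative assumptions, not JSC APIs. Memory is never actually released, so the use-after-free the commit fixes shows up as a `freed` flag that "patchpoint generation" reads instead of as undefined behaviour. It also shows the tradeoff the message calls out: with dependencies pinned, the plan cannot be cancelled by that GC cycle, which the model asserts.

```cpp
#include <cassert>
#include <memory>
#include <vector>

// Toy model (not JSC's code): a GC-managed object whose memory is kept so a
// use-after-free is observable as a flag rather than undefined behaviour.
struct GcObject {
    bool marked = false;
    bool freed = false;
};

// A JIT compilation plan with the GC-managed objects it depends on.
struct Plan {
    std::vector<GcObject*> dependencies;
    bool cancelled = false;
    bool inSafepoint = false;
    bool safepointKeepsDependenciesLive = false;
};

// RAII safepoint: while one is active the collector may run. The flag models
// the new mode in which the plan's dependencies are treated as GC roots.
struct Safepoint {
    Plan& plan;
    Safepoint(Plan& p, bool keepDependenciesLive) : plan(p) {
        plan.inSafepoint = true;
        plan.safepointKeepsDependenciesLive = keepDependenciesLive;
    }
    ~Safepoint() {
        plan.inSafepoint = false;
        plan.safepointKeepsDependenciesLive = false;
    }
};

// Toy mark/sweep heap that also cancels plans whose dependencies died.
struct Heap {
    std::vector<std::unique_ptr<GcObject>> objects;
    std::vector<GcObject*> roots;
    std::vector<Plan*> plans;

    GcObject* allocate() {
        objects.push_back(std::make_unique<GcObject>());
        return objects.back().get();
    }

    // A plan's dependencies count as live only when its safepoint asked for
    // them to be kept live (the analogue of an isKnownToBeLiveDuringGC check).
    void markRoots() {
        for (GcObject* o : roots)
            o->marked = true;
        for (Plan* p : plans)
            if (p->inSafepoint && p->safepointKeepsDependenciesLive)
                for (GcObject* d : p->dependencies)
                    d->marked = true;
    }

    void collect() {
        for (auto& o : objects)
            o->marked = false;
        markRoots();
        for (auto& o : objects)
            if (!o->marked)
                o->freed = true;
        // A plan with a dead dependency is cancelled; keeping dependencies
        // live therefore implies the plan cannot be cancelled by this cycle.
        for (Plan* p : plans) {
            bool hasDeadDependency = false;
            for (GcObject* d : p->dependencies)
                hasDeadDependency = hasDeadDependency || d->freed;
            if (hasDeadDependency) {
                assert(!(p->inSafepoint && p->safepointKeepsDependenciesLive));
                p->cancelled = true;
            }
        }
    }
};

struct GenerateOutcome {
    bool usedFreedDependency;  // "patchpoint generation" touched a freed object
    bool planCancelled;
};

// Models B3::generate() running inside a safepoint during which a GC cycle
// completes, followed by patchpoint generation reading a plan dependency.
GenerateOutcome simulateGenerate(bool keepDependenciesLive) {
    Heap heap;
    Plan plan;
    GcObject* dependency = heap.allocate();  // reachable only through the plan
    plan.dependencies.push_back(dependency);
    heap.plans.push_back(&plan);

    GenerateOutcome outcome{false, false};
    {
        Safepoint safepoint(plan, keepDependenciesLive);
        heap.collect();  // the concurrent GC finishes while we are generating
        outcome.usedFreedDependency = dependency->freed;  // the patchpoint's read
    }
    outcome.planCancelled = plan.cancelled;
    return outcome;
}
```

Calling `simulateGenerate(false)` reproduces the race: the collector frees the dependency and cancels the plan while generation is still running, and the subsequent read is a use-after-free. `simulateGenerate(true)` is the fixed mode: the dependency survives the cycle and, as a direct consequence, the plan is not cancelled by it.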
