[webkit-changes] [WebKit/WebKit] d957a6: [JSC] Mitigate null UnlinkedMetadataTable pointer ...

David Degazio noreply at github.com
Wed May 15 16:05:48 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d957a61b2ee955859b873b7c24781b735d8949d1
      https://github.com/WebKit/WebKit/commit/d957a61b2ee955859b873b7c24781b735d8949d1
  Author: David Degazio <d_degazio at apple.com>
  Date:   2024-05-15 (Wed, 15 May 2024)

  Changed paths:
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/bytecode/MetadataTable.cpp
    M Source/JavaScriptCore/bytecode/MetadataTable.h
    M Source/JavaScriptCore/bytecode/UnlinkedMetadataTable.h

  Log Message:
  -----------
  [JSC] Mitigate null UnlinkedMetadataTable pointer in CodeBlock destructor
https://bugs.webkit.org/show_bug.cgi?id=272787
rdar://121747906

Reviewed by Yusuke Suzuki.

Attempts to fix a rare bug where the UnlinkedMetadataTable pointer accessed
in the CodeBlock destructor can become null. We think this may be due to a
series of thread-unsafe reference count operations that might allow the
destructor to happen twice, perhaps simultaneously on two threads. This
patch attempts to mitigate this by:

 1. Making UnlinkedMetadataTable and MetadataTable thread-safe refcounted.

 2. Checking for the presence of a null UnlinkedMetadataTable pointer in the
    appropriate functions, and attempting to handle it nonfatally. This means
    we skip updating the didOptimize state in the CodeBlock destructor, and
    that we intentionally leak MetadataTables if they have this null pointer.

* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::~CodeBlock):
* Source/JavaScriptCore/bytecode/MetadataTable.cpp:
(JSC::MetadataTable::destroy):
(JSC::MetadataTable::sizeInBytesForGC):
* Source/JavaScriptCore/bytecode/MetadataTable.h:
(JSC::MetadataTable::forEachValueProfile):
(JSC::MetadataTable::valueProfileForOffset):
(JSC::MetadataTable::deref):
(JSC::MetadataTable::unlinkedMetadata const):
(JSC::MetadataTable::totalSize const):
* Source/JavaScriptCore/bytecode/UnlinkedMetadataTable.h:

Originally-landed-as: 4cac7925aca4. rdar://128091467
Canonical link: https://commits.webkit.org/278832@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list