[webkit-changes] [WebKit/WebKit] d957a6: [JSC] Mitigate null UnlinkedMetadataTable pointer ...
David Degazio
noreply at github.com
Wed May 15 16:05:48 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d957a61b2ee955859b873b7c24781b735d8949d1
https://github.com/WebKit/WebKit/commit/d957a61b2ee955859b873b7c24781b735d8949d1
Author: David Degazio <d_degazio at apple.com>
Date: 2024-05-15 (Wed, 15 May 2024)
Changed paths:
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/bytecode/MetadataTable.cpp
M Source/JavaScriptCore/bytecode/MetadataTable.h
M Source/JavaScriptCore/bytecode/UnlinkedMetadataTable.h
Log Message:
-----------
[JSC] Mitigate null UnlinkedMetadataTable pointer in CodeBlock destructor
https://bugs.webkit.org/show_bug.cgi?id=272787
rdar://121747906
Reviewed by Yusuke Suzuki.
Attempts to fix a rare bug where the UnlinkedMetadataTable pointer accessed
in the CodeBlock destructor can become null. We think this may be due to a
series of thread-unsafe reference count operations that might allow the
destructor to happen twice, perhaps simultaneously on two threads. This
patch attempts to mitigate this by:
1. Making UnlinkedMetadataTable and MetadataTable thread-safe refcounted.
2. Checking for the presence of a null UnlinkedMetadataTable pointer in the
appropriate functions, and attempting to handle it nonfatally. This means
we skip updating the didOptimize state in the CodeBlock destructor, and
that we intentionally leak MetadataTables if they have this null pointer.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::~CodeBlock):
* Source/JavaScriptCore/bytecode/MetadataTable.cpp:
(JSC::MetadataTable::destroy):
(JSC::MetadataTable::sizeInBytesForGC):
* Source/JavaScriptCore/bytecode/MetadataTable.h:
(JSC::MetadataTable::forEachValueProfile):
(JSC::MetadataTable::valueProfileForOffset):
(JSC::MetadataTable::deref):
(JSC::MetadataTable::unlinkedMetadata const):
(JSC::MetadataTable::totalSize const):
* Source/JavaScriptCore/bytecode/UnlinkedMetadataTable.h:
Originally-landed-as: 4cac7925aca4. rdar://128091467
Canonical link: https://commits.webkit.org/278832@main
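As an added illustration of the first mitigation (example code, not WebKit's own): a minimal thread-safe ref-counted object in the style of a ThreadSafeRefCounted base, exercised from several threads to show that an atomic decrement lets exactly one caller observe the count reaching zero and delete the object, which is the double-destructor scenario the commit message describes. `Table`, `hammerRefCount` and `g_destroyCount` are assumed names for this example.

```cpp
#include <atomic>
#include <cstddef>
#include <thread>
#include <vector>

// Counts destructor invocations; a correct refcount yields exactly 1 per object.
static std::atomic<int> g_destroyCount{0};

class Table {
public:
    Table() : m_refCount(1) { }          // the creator holds the first reference
    ~Table() { g_destroyCount.fetch_add(1, std::memory_order_relaxed); }

    void ref() { m_refCount.fetch_add(1, std::memory_order_relaxed); }

    // The decrement is one atomic read-modify-write, so exactly one caller sees
    // the old value 1 and only that caller deletes. The release on the decrement
    // plus the acquire fence order every thread's prior writes before deletion.
    void deref()
    {
        if (m_refCount.fetch_sub(1, std::memory_order_release) == 1) {
            std::atomic_thread_fence(std::memory_order_acquire);
            delete this;
        }
    }

private:
    std::atomic<size_t> m_refCount; // a plain size_t here allows lost updates
};

// Spawns `threads` workers that each ref()/deref() the shared object
// `iterations` times, then drops the creator's reference.
// Returns how many times the destructor ran (expected: 1).
int hammerRefCount(int threads, int iterations)
{
    g_destroyCount.store(0);
    Table* table = new Table;
    std::vector<std::thread> workers;
    for (int t = 0; t < threads; ++t) {
        workers.emplace_back([table, iterations] {
            for (int i = 0; i < iterations; ++i) {
                table->ref();
                table->deref();
            }
        });
    }
    for (auto& worker : workers)
        worker.join();
    table->deref(); // last reference: the destructor runs exactly once
    return g_destroyCount.load();
}
```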