[Webkit-unassigned] [Bug 273228] New: Disable use-after-return checking to fix JSC GC on ASan builds

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 24 21:09:59 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=273228

            Bug ID: 273228
           Summary: Disable use-after-return checking to fix JSC GC on
                    ASan builds
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Tools / Tests
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ddkilzer at webkit.org

Disable use-after-return checking to fix JSC garbage collection on ASan builds.

ASan use-after-return (UAR) checking allocates objects on a "fake stack" in order to detect UAR issues, but the JavaScriptCore garbage collector knows nothing of the "fake stack" (and thus does not scan it for live objects).  The garbage collector then assumes any object in the "fake stack" is no longer being referenced and can be freed, which results in false-positive use-after-free crashes.

The temporary fix is to disable use-after-return checking at compile time using `-fsanitize-address-use-after-return=never`.

At some point if ASan provides API to scan its "fake stack", JSC GC could scan that on ASan builds, and this change could be reverted.

<rdar://126269133>

-- 
You are receiving this mail because:
You are the assignee for the bug.
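The failure mode the report describes, as an added example (this is not WebKit/JSC code and not the reporter's): a toy conservative stack scanner in C. It assumes GCC or Clang (for __builtin_frame_address and noinline) and a downward-growing stack; the names run_demo, conservative_scan, stack_low_hint, ref_on_machine_stack_is_marked and ref_on_fake_stack_is_marked are hypothetical, and the "heap" is a constructed static array. Case 1 keeps the only reference to an object in a local on the machine stack, so the scan marks it. Case 2 keeps the only reference in a malloc'd slot standing in for an ASan fake-stack frame, which the scan never covers, so the object stays unmarked and would be swept while still referenced, which is the false-positive use-after-free the report describes.

```c
/* Added example: toy conservative stack scanner modelled on the kind of
 * root marking the report describes. Not WebKit/JSC code. Assumes GCC or
 * Clang (__builtin_frame_address, noinline) and a downward-growing stack. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEAP_OBJECTS 8
typedef struct { int marked; int payload; } Obj;
static Obj heap[HEAP_OBJECTS];            /* constructed "heap" */

static void reset_heap(void) {
    for (size_t i = 0; i < HEAP_OBJECTS; i++) heap[i].marked = 0;
}

/* Exact-match root test: is w the address of one of our heap objects? */
static Obj *as_heap_object(uintptr_t w) {
    for (size_t i = 0; i < HEAP_OBJECTS; i++)
        if (w == (uintptr_t)&heap[i]) return &heap[i];
    return NULL;
}

/* Conservatively scan every aligned word in [lo, hi) (bounds in either
 * order) and mark the objects those words point at. Returns new marks. */
static int conservative_scan(const void *lo, const void *hi) {
    uintptr_t a = (uintptr_t)lo, b = (uintptr_t)hi;
    if (a > b) { uintptr_t t = a; a = b; b = t; }
    a &= ~(uintptr_t)(sizeof(uintptr_t) - 1);
    int marks = 0;
    for (; a + sizeof(uintptr_t) <= b; a += sizeof(uintptr_t)) {
        uintptr_t w;
        memcpy(&w, (const void *)a, sizeof w);   /* read without aliasing UB */
        Obj *o = as_heap_object(w);
        if (o && !o->marked) { o->marked = 1; marks++; }
    }
    return marks;
}

/* Deterministic check of the scanner over a constructed word array:
 * one heap address appears twice, so exactly one object gets marked. */
static int scan_constructed_words(void) {
    reset_heap();
    uintptr_t words[4] = { 0, (uintptr_t)&heap[1], 42, (uintptr_t)&heap[1] };
    return conservative_scan(words, words + 4);
}

/* The frame pointer of a callee lies below every local of its caller, so it
 * serves as the "current stack pointer" bound. ASan's fake stack does not
 * move real frame pointers, so this stays on the machine stack under ASan. */
__attribute__((noinline)) static void *stack_low_hint(void) {
    return __builtin_frame_address(0);
}

/* Case 1: the only reference is a local on the real machine stack. */
__attribute__((noinline)) static int ref_on_machine_stack_is_marked(void *stack_high) {
    reset_heap();
    Obj * volatile ref = &heap[3];      /* volatile: force a real stack slot */
    conservative_scan(stack_low_hint(), stack_high);
    if (ref == NULL) return -1;         /* keep the slot live across the scan */
    return heap[3].marked;              /* 1: found by the scan */
}

/* Stores the reference from a separate frame so no copy of the address can
 * linger in the caller's frame where the scan would see it. The slot stands
 * in for an ASan fake-stack frame: memory the collector never scans. */
__attribute__((noinline)) static void store_ref(Obj **slot, int index) {
    *slot = &heap[index];
}

/* Case 2: the only reference lives in a heap-allocated "fake frame". */
__attribute__((noinline)) static int ref_on_fake_stack_is_marked(void *stack_high) {
    reset_heap();
    Obj **fake_frame = malloc(sizeof *fake_frame);
    if (!fake_frame) return -1;
    store_ref(fake_frame, 5);
    conservative_scan(stack_low_hint(), stack_high);
    int marked = heap[5].marked;        /* 0: the object would be swept */
    free(fake_frame);
    return marked;
}

/* Returns 1 when the toy reproduces the report: the machine-stack reference
 * is found and the fake-stack reference is not. */
__attribute__((noinline)) int run_demo(void) {
    void *stack_high = __builtin_frame_address(0);   /* outer frame bound */
    int on_stack = ref_on_machine_stack_is_marked(stack_high);
    int on_fake  = ref_on_fake_stack_is_marked(stack_high);
    printf("reference on machine stack marked: %d\n", on_stack);
    printf("reference on fake stack marked:    %d\n", on_fake);
    return on_stack == 1 && on_fake == 0;
}

int main(void) { return run_demo() ? 0 : 1; }
```

Build with `cc -O2 demo.c` and run it. Rebuilding with `clang -fsanitize=address` and use-after-return detection on is expected to move `ref` in case 1 onto the fake stack as well, so that the scan misses it too; that expectation follows from the mechanism the report describes and is an assumption, not something verified here. The compile-time knob the report proposes is `-fsanitize-address-use-after-return=never`; for a build left in the default runtime mode, `ASAN_OPTIONS=detect_stack_use_after_return=0` switches the fake stack off at run time, which is a quick way to confirm that a given false-positive UAF crash is this issue before changing build flags.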