Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cf8997ca4715f44b3a402db14914b720c29772c9
      
https://github.com/WebKit/WebKit/commit/cf8997ca4715f44b3a402db14914b720c29772c9
  Author: Dan Hecht <dan.he...@apple.com>
  Date:   2024-07-24 (Wed, 24 Jul 2024)

  Changed paths:
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp
    M Source/JavaScriptCore/dfg/DFGGraphSafepoint.cpp
    M Source/JavaScriptCore/dfg/DFGGraphSafepoint.h
    M Source/JavaScriptCore/dfg/DFGPlan.cpp
    M Source/JavaScriptCore/ftl/FTLCompile.cpp
    M Source/JavaScriptCore/jit/BaselineJITPlan.cpp
    M Source/JavaScriptCore/jit/JITPlan.cpp
    M Source/JavaScriptCore/jit/JITPlan.h
    M Source/JavaScriptCore/jit/JITSafepoint.cpp
    M Source/JavaScriptCore/jit/JITSafepoint.h
    M Source/JavaScriptCore/jit/JITWorklistThread.h

  Log Message:
  -----------
  [JSC] Prevent GC from collecting plan dependencies while inside B3::generate()
https://bugs.webkit.org/show_bug.cgi?id=276911
rdar://122517397

Reviewed by Yusuke Suzuki.

B3::generate() is executed inside a safepoint, meaning the GC is allowed
to run concurrently. However, patchpoint generation may reference GCed
objects, potentially leading to UAF.

Change 272710@main reduced the race window between GC and patchpoint
generation for a known case, however the window was not eliminated.

In order to eliminate this race, extend the Safepoint mechanism to
include a mode where GC is allowed to run but the current plan's
dependencies are kept live during the safepoint. Then use this in
the safepoint around B3::generate() so that patchpoints can safely
access dependencies of the plan while the GC is still allowed to
collect/cancel other plans and unrelated objects.

Note that in practice, marking the plan's dependencies as live also
means that this plan will not be canceled during this safepoint,
since the liveness predicates for determining whether a plan can be
canceled are themselves dependencies of the plan. So the tradeoff to
allowing B3::generate() to run inside a safepoint is that the current
plan cannot be canceled during a GC cycle that completes during the
B3::generate() safepoint. Make this implication explicit with some asserts.

Revert most of 272710@main except for its test case which continues to
be the regression test for this race.

* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::globalObjectFor):
* Source/JavaScriptCore/dfg/DFGGraphSafepoint.cpp:
(JSC::DFG::GraphSafepoint::GraphSafepoint):
* Source/JavaScriptCore/dfg/DFGGraphSafepoint.h:
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::isKnownToBeLiveDuringGC):
(JSC::DFG::Plan::isKnownToBeLiveAfterGC):
* Source/JavaScriptCore/ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* Source/JavaScriptCore/jit/BaselineJITPlan.cpp:
(JSC::BaselineJITPlan::compileInThreadImpl):
* Source/JavaScriptCore/jit/JITPlan.cpp:
(JSC::JITPlan::cancel):
(JSC::JITPlan::safepointKeepsDependenciesLive const):
* Source/JavaScriptCore/jit/JITPlan.h:
* Source/JavaScriptCore/jit/JITSafepoint.cpp:
(JSC::Safepoint::isKnownToBeLiveDuringGC):
(JSC::Safepoint::keepDependenciesLive const):
* Source/JavaScriptCore/jit/JITSafepoint.h:
* Source/JavaScriptCore/jit/JITWorklistThread.h:

Canonical link: https://commits.webkit.org/281300@main