Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a22ff5314d9fc55cb59733dcc1e3dfeef1b7a4d8
https://github.com/WebKit/WebKit/commit/a22ff5314d9fc55cb59733dcc1e3dfeef1b7a4d8
Author: Robert Jenner <[email protected]>
Date: 2025-06-04 (Wed, 04 Jun 2025)
Changed paths:
M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
M Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp
M Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h
M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp
M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h
M Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp
Log Message:
-----------
StructureTransitionStructureStubClearingWatchpoint and AdaptiveValueStructureStubClearingWatchpoint should hold an owner PolymorphicAccessJITStub and check if their owner is destroyed
https://bugs.webkit.org/show_bug.cgi?id=288985
rdar://144722637
Reviewed by Yusuke Suzuki.
StructureTransitionStructureStubClearingWatchpoint and
AdaptiveValueStructureStubClearingWatchpoint keep a JSObject within their
ObjectPropertyCondition. However, during program execution, we could no longer
have a live PolymorphicAccessJITStub associated with the watchpoint. Since these
watchpoints don't check if the owner JITStub is live, they may still attempt to
fire. This means that they could attempt to access a dead object, which was
cleaned up during a GC pass. This patch ensures that these watchpoints don't
fire and do nothing if their owner JITStub is no longer alive, meaning that they
can no longer UAF their key's object.

Additionally, we modify the PolymorphicAccessJITStub to separate isCodeImmutable
and isGCAware. These properties are not related, but the old code set them
together since we would only care about immutability if we were a GC-aware JIT
stub. However, we can set immutability at the beginning, allowing us to only set
isGCAware when we add a watchpoint that requires GC awareness. This is required
since the two StubClearing watchpoints hold references to objects, meaning they
need to be GC aware. With these fixes, we are able to ensure that watchpoints
are invalidated or silenced when objects they refer to are dead.
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::addWatchpoint):
(JSC::ensureReferenceAndInstallWatchpoint):
(JSC::ensureReferenceAndAddWatchpoint):
(JSC::InlineCacheCompiler::compile):
(JSC::InlineCacheCompiler::compileOneAccessCaseHandler):
* Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureTransitionStructureStubClearingWatchpoint::fireInternal):
(JSC::AdaptiveValueStructureStubClearingWatchpoint::handleFire):
* Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h:
* Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
(JSC::GCAwareJITStubRoutine::makeGCAware):
(JSC::PolymorphicAccessJITStubRoutine::PolymorphicAccessJITStubRoutine):
(JSC::PolymorphicAccessJITStubRoutine::addGCAwareWatchpoint):
(JSC::MarkingGCAwareJITStubRoutine::MarkingGCAwareJITStubRoutine):
(JSC::GCAwareJITStubRoutineWithExceptionHandler::GCAwareJITStubRoutineWithExceptionHandler):
(JSC::createICJITStubRoutine):
(JSC::createPreCompiledICJITStubRoutine):
* Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h:
(JSC::GCAwareJITStubRoutine::create):
(JSC::PolymorphicAccessJITStubRoutine::ownerIsDead const):
* Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::PolymorphicCallStubRoutine):
Originally-landed-as: 289651.245@safari-7621-branch (be9f31f7acec).
rdar://151707889
Canonical link: https://commits.webkit.org/295824@main
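As an added illustration, not code from the WebKit commit above or from JavaScriptCore: a self-contained C++ model of the failure the message describes (a watchpoint keeps a raw pointer to a GC-managed object, its owning stub dies, a GC pass sweeps the object, and the watchpoint later fires into freed memory) and of the owner-liveness check that silences it. Every name here (HeapObject, AccessStub, Heap, StubClearingWatchpoint, FireResult, runScenario) is a hypothetical stand-in, the heap is a toy mark/sweep collector, and the pre-fix path reports the use-after-free through a liveness lookup instead of actually dereferencing freed memory. The stub also keeps immutability and GC-awareness as separate flags, as the message describes.

```cpp
// Hypothetical model of the owner-liveness check; none of these types are JSC's.
#include <algorithm>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the JSObject an ObjectPropertyCondition refers to.
struct HeapObject {
    std::string name;
    bool marked = false;   // set during the mark phase
};

// Stand-in for the owning JIT stub. Immutability is fixed at construction;
// GC-awareness is switched on only when a watchpoint that references a heap
// object is attached, mirroring the isCodeImmutable/isGCAware split.
struct AccessStub {
    explicit AccessStub(bool immutable) : codeImmutable(immutable) {}
    bool codeImmutable;
    bool gcAware = false;
    std::vector<HeapObject*> heldObjects;

    void addGCAwareWatchpointKey(HeapObject* key) {
        gcAware = true;                  // holding an object requires marking it
        heldObjects.push_back(key);
    }
    void visit() const {                 // mark phase: only GC-aware stubs mark
        if (!gcAware) return;
        for (HeapObject* o : heldObjects) o->marked = true;
    }
};

// Toy mark/sweep heap. Live stubs act as roots. Swept objects are destroyed and
// their former addresses recorded, so a *simulated* use-after-free can be
// reported without touching freed memory. (Nothing is allocated after a sweep
// in this example, so address reuse cannot produce a false positive.)
struct Heap {
    std::vector<std::unique_ptr<HeapObject>> objects;
    std::vector<const HeapObject*> freed;
    std::vector<std::weak_ptr<AccessStub>> roots;

    HeapObject* allocate(const std::string& n) {
        objects.push_back(std::make_unique<HeapObject>());
        objects.back()->name = n;
        return objects.back().get();
    }
    bool isLive(const HeapObject* o) const {
        return std::find(freed.begin(), freed.end(), o) == freed.end();
    }
    void collect() {
        for (auto& w : roots)
            if (auto s = w.lock()) s->visit();       // dead stubs mark nothing
        for (auto& o : objects)
            if (!o->marked) freed.push_back(o.get());
        objects.erase(std::remove_if(objects.begin(), objects.end(),
                          [](const std::unique_ptr<HeapObject>& o) { return !o->marked; }),
                      objects.end());
        for (auto& o : objects) o->marked = false;
    }
};

enum class FireResult { Fired, Silenced, UseAfterFree };

// Stand-in for the two StubClearing watchpoints: a weak reference to the owner
// plus a raw pointer to the key object the condition is about.
class StubClearingWatchpoint {
public:
    StubClearingWatchpoint(std::weak_ptr<AccessStub> owner, HeapObject* key)
        : m_owner(std::move(owner)), m_key(key) {}

    bool ownerIsDead() const { return m_owner.expired(); }

    // checkOwner=false models the pre-fix path that goes straight to the key;
    // checkOwner=true models the fix: a dead owner means do nothing.
    FireResult fire(const Heap& heap, bool checkOwner) const {
        if (checkOwner && ownerIsDead())
            return FireResult::Silenced;
        if (!heap.isLive(m_key))
            return FireResult::UseAfterFree;  // real code would dereference here
        (void)m_key->name.size();             // safe: the object is still live
        return FireResult::Fired;
    }
private:
    std::weak_ptr<AccessStub> m_owner;
    HeapObject* m_key;
};

// Replays the scenario from the commit message. Returns the result of firing
// while the owner is alive, then after the owner died and a GC pass ran.
std::pair<FireResult, FireResult> runScenario(bool checkOwner) {
    Heap heap;
    HeapObject* key = heap.allocate("prototype");
    auto stub = std::make_shared<AccessStub>(/*immutable=*/true);
    stub->addGCAwareWatchpointKey(key);
    heap.roots.push_back(stub);
    StubClearingWatchpoint wp(stub, key);

    heap.collect();                                   // stub marks key: survives
    FireResult whileAlive = wp.fire(heap, checkOwner);
    stub.reset();                                     // owner JIT stub destroyed
    heap.collect();                                   // nothing marks key: swept
    FireResult afterDeath = wp.fire(heap, checkOwner);
    return {whileAlive, afterDeath};
}
```

Calling runScenario(false) yields Fired then UseAfterFree, the pre-fix behaviour; runScenario(true) yields Fired then Silenced. The weak_ptr stands in for whatever ownership mechanism the real stub uses; the point is only that the watchpoint consults its owner before it consults its key.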
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes