Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: db82cc210cb511fc769adb00b6e147727d0c1f31
      
https://github.com/WebKit/WebKit/commit/db82cc210cb511fc769adb00b6e147727d0c1f31
  Author: Yijia Huang <[email protected]>
  Date:   2026-03-27 (Fri, 27 Mar 2026)

  Changed paths:
    M Source/JavaScriptCore/b3/air/testair.cpp
    M Source/JavaScriptCore/b3/testb3.h
    M Source/JavaScriptCore/b3/testb3_1.cpp
    M Source/WTF/wtf/SequesteredImmortalHeap.h

  Log Message:
  -----------
  [JSC] Fix testair and testb3 crashes under USE(PROTECTED_JIT) by adding ArenaLifetime to test threads
https://bugs.webkit.org/show_bug.cgi?id=310911
rdar://173524423

Reviewed by Dan Hecht.

testair and testb3 allocate B3::Procedure and related objects (CFG,
BasicBlock, Value, etc.) which are marked WTF_MAKE_SEQUESTERED_ARENA_ALLOCATED.
When USE(PROTECTED_JIT) is enabled (internal SDK + macOS), these
types route through SequesteredArenaAllocator::malloc(), which hard-asserts
m_alive before every allocation. m_alive is set to true only by ArenaLifetime's
constructor (beginArenaLifetime()) and back to false by its destructor
(endArenaLifetime()).

Neither testair's worker thread loop nor testb3's worker thread loop nor
testb3's RUN_NOW main-thread path ever constructed an ArenaLifetime, so
every allocation crashed immediately with ASSERT(m_alive). This went
unnoticed because EWS bots build with the public SDK (USE(PROTECTED_JIT) = 0),
where WTF_MAKE_SEQUESTERED_ARENA_ALLOCATED falls back to plain TZone malloc
with no arena lifetime requirement. This patch fixes the issue by constructing
ArenaLifetime scoped to each individual test task.

Canonical link: https://commits.webkit.org/310126@main
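The failure mode the commit message describes, as an added illustration (not JSC's code): a stand-in allocator that refuses to allocate unless an arena lifetime is active, an RAII ArenaLifetime guard that flips the m_alive flag, and a test loop run once without the guard and once with the guard scoped to each task. The class shapes, tryMalloc, runTestTask and runTasks are assumptions for the example; the real allocator hard-asserts instead of returning nullptr.

```cpp
#include <cstddef>
#include <cstdlib>

// Assumed stand-in for SequesteredArenaAllocator: every allocation on a
// thread requires that thread to have an active ArenaLifetime.
struct SequesteredArenaAllocator {
    static thread_local bool m_alive;  // true only inside an ArenaLifetime

    // The real allocator would ASSERT(m_alive); here we return nullptr so the
    // failure is observable instead of fatal.
    static void* tryMalloc(std::size_t size) {
        if (!m_alive)
            return nullptr;
        return std::malloc(size);
    }
    static void release(void* p) { std::free(p); }
};
thread_local bool SequesteredArenaAllocator::m_alive = false;

// RAII guard modelled on the commit's description: the constructor begins
// the arena lifetime, the destructor ends it when the scope closes.
struct ArenaLifetime {
    ArenaLifetime() { SequesteredArenaAllocator::m_alive = true; }
    ~ArenaLifetime() { SequesteredArenaAllocator::m_alive = false; }
    ArenaLifetime(const ArenaLifetime&) = delete;
    ArenaLifetime& operator=(const ArenaLifetime&) = delete;
};

// One test task that needs an arena-allocated object; returns whether the
// allocation succeeded.
bool runTestTask() {
    void* p = SequesteredArenaAllocator::tryMalloc(64);
    if (!p)
        return false;
    SequesteredArenaAllocator::release(p);
    return true;
}

// Worker loop as in testair/testb3. withLifetime=false is the pre-fix
// behaviour; withLifetime=true scopes an ArenaLifetime to each task.
// Returns the number of tasks whose allocation succeeded.
int runTasks(int taskCount, bool withLifetime) {
    int succeeded = 0;
    for (int i = 0; i < taskCount; ++i) {
        if (withLifetime) {
            ArenaLifetime lifetime;  // ends at the closing brace
            succeeded += runTestTask() ? 1 : 0;
        } else {
            succeeded += runTestTask() ? 1 : 0;
        }
    }
    return succeeded;
}
```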
