Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 569d28c26a9bcd5a95dadb2da272c28deeb6c874
https://github.com/WebKit/WebKit/commit/569d28c26a9bcd5a95dadb2da272c28deeb6c874
Author: Marcus Plutowski <[email protected]>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
M Source/bmalloc/libpas/src/libpas/pas_mte.h
M Source/bmalloc/libpas/src/libpas/pas_mte_config.h
Log Message:
-----------
[libpas] Implement MTE Previous-Tag-Exclusion
https://bugs.webkit.org/show_bug.cgi?id=302808
rdar://152167632
Reviewed by Mark Lam and Dan Hecht.
This ensures that when we retag an allocation slot, the new tag will not
match the old one (for a limited definition of "old one").
The main benefit, as such, is mostly in that this reduces the
false-negative rate for the purpose of debugging, especially for
segregated heaps (where a single slot might only have 7 tags to choose
from, so naively a ~14% chance of collision), as well as retag-on-free
(where the retag-size always matches the prior object size, even in
bitfit heaps) in particular.
With regards to bitfit heaps, it's worth noting that we only guarantee
that the first 16B (i.e. the 0th MTE granule) will have a different tag
from what it had prior to allocation. We don't try to ensure that the
tag we choose is different from the prior tag of *all* bytes in the
object, as that would require an expensive ldg loop, and moreover be
impossible to guarantee regardless as it's perfectly possible to
allocate e.g. 15x 512B objects in the same space as a subsequent
30720B object, therefore potentially exhausting all tags that could be
used -- a situation that worsens once we consider the odd/even
constraints placed on the first/last allocations within a page.
Canonical link: https://commits.webkit.org/310726@main
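To make the two points in the commit message concrete (excluding the prior tag removes the ~1/7 self-collision on a 7-tag segregated slot; on a bitfit retag only granule 0 is compared, so later granules may keep a tag equal to the new one), here is an added simulation. It is illustrative code written for this page, not libpas's pas_mte.h, and it models MTE tag memory as one byte per 16-byte granule; the 7-tag mask (tags 1..7), the 15-tag mask for the bitfit case, and the function names pick_tag_excluding / retag_object / count_collisions / bitfit_demo are all assumptions made here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative simulation, not libpas code. ARM MTE tags are 4 bits and cover
 * 16-byte granules; tag memory is modelled as one byte per granule. A tag set
 * is a 16-bit mask: bit i set means tag i may be chosen (assumption). */
#define MTE_GRANULE 16
#define MTE_NUM_TAGS 16
typedef uint16_t tag_mask_t;

/* Deterministic xorshift PRNG so the simulation is reproducible. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

static unsigned mask_count(tag_mask_t m)
{
    unsigned n = 0;
    for (; m; m &= (tag_mask_t)(m - 1)) n++;
    return n;
}

/* k-th set bit (0-based) of m; caller guarantees k < mask_count(m). */
static unsigned mask_nth(tag_mask_t m, unsigned k)
{
    for (unsigned tag = 0; tag < MTE_NUM_TAGS; tag++) {
        if (!(m & (1u << tag))) continue;
        if (k-- == 0) return tag;
    }
    return 0; /* unreachable when the caller honours the contract */
}

/* Naive retag: uniform choice from the allowed set; may repeat the old tag. */
static unsigned pick_tag_naive(tag_mask_t allowed, uint32_t *rng)
{
    return mask_nth(allowed, xorshift32(rng) % mask_count(allowed));
}

/* Previous-tag exclusion: drop prev_tag from the candidates before choosing.
 * If the heap allows only that one tag, fall back to it instead of failing. */
static unsigned pick_tag_excluding(tag_mask_t allowed, unsigned prev_tag, uint32_t *rng)
{
    tag_mask_t candidates = allowed & (tag_mask_t)~(1u << prev_tag);
    if (candidates == 0) candidates = allowed;
    return pick_tag_naive(candidates, rng);
}

/* Bitfit-style retag of n_granules starting at `first`: read only granule 0's
 * prior tag (the single tag load the commit message keeps), exclude it, and
 * overwrite every granule without inspecting the others. Returns the new tag. */
static unsigned retag_object(uint8_t *tag_mem, size_t first, size_t n_granules,
                             tag_mask_t allowed, uint32_t *rng)
{
    unsigned prev = tag_mem[first];
    unsigned tag = pick_tag_excluding(allowed, prev, rng);
    for (size_t g = 0; g < n_granules; g++) tag_mem[first + g] = (uint8_t)tag;
    return tag;
}

/* Retag one slot `rounds` times; count how often the new tag equals the old. */
static unsigned count_collisions(tag_mask_t allowed, unsigned rounds, bool exclude, uint32_t seed)
{
    uint32_t rng = seed;
    unsigned cur = pick_tag_naive(allowed, &rng), hits = 0;
    for (unsigned i = 0; i < rounds; i++) {
        unsigned next = exclude ? pick_tag_excluding(allowed, cur, &rng)
                                : pick_tag_naive(allowed, &rng);
        if (next == cur) hits++;
        cur = next;
    }
    return hits;
}

/* Bitfit case: 15 objects of 32 granules each, carrying tags 1..15, then one
 * object spanning all of them is retagged. Returns how many granules had an
 * old tag equal to the new one (stale bytes still addressable via the new tag). */
static size_t bitfit_demo(void)
{
    enum { OBJ_GRANULES = 512 / MTE_GRANULE, OBJS = 15, TOTAL = OBJ_GRANULES * OBJS };
    uint8_t tag_mem[TOTAL], old[TOTAL];
    for (size_t g = 0; g < TOTAL; g++)
        old[g] = tag_mem[g] = (uint8_t)(1 + g / OBJ_GRANULES);
    uint32_t rng = 0xDEADBEEFu;
    unsigned tag = retag_object(tag_mem, 0, TOTAL, 0xFFFE /* tags 1..15, assumption */, &rng);
    size_t stale = 0;
    for (size_t g = 0; g < TOTAL; g++) if (old[g] == tag) stale++;
    return stale;
}

int main(void)
{
    const tag_mask_t seven = 0x00FE; /* tags 1..7: the 7-tag segregated slot */
    unsigned naive = count_collisions(seven, 100000, false, 0x1234567u);
    unsigned excl = count_collisions(seven, 100000, true, 0x1234567u);
    printf("naive: %u/100000 self-collisions (~%.1f%%), with exclusion: %u\n",
           naive, naive / 1000.0, excl);
    printf("bitfit: %zu granules keep an old tag equal to the new one\n", bitfit_demo());
    return 0;
}
```

The naive run lands near 1/7 of the retags colliding with the slot's existing tag, and exclusion drives that to zero; the bitfit run shows that exactly one of the fourteen other prior objects (32 granules) shares the chosen tag, which is the trade-off the commit message accepts in exchange for not looping over every granule.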