Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6e299de4c1aeac674d600d988c812acc27cb9f7a
https://github.com/WebKit/WebKit/commit/6e299de4c1aeac674d600d988c812acc27cb9f7a
Author: Sosuke Suzuki <[email protected]>
Date: 2026-05-07 (Thu, 07 May 2026)
Changed paths:
M Source/bmalloc/libpas/src/libpas/pas_bitfit_directory.c
M Source/bmalloc/libpas/src/libpas/pas_race_test_hooks.h
M Source/bmalloc/libpas/src/test/BitfitTests.cpp
Log Message:
-----------
[libpas] Fix race in `pas_bitfit_directory_take_last_empty`
https://bugs.webkit.org/show_bug.cgi?id=314271

Reviewed by Marcus Plutowski.

pas_bitfit_directory_take_last_empty read last_empty_plus_one with
pas_versioned_field_read instead of pas_versioned_field_read_to_watch,
so the final pas_versioned_field_try_write could not detect a
concurrent view_did_become_empty_at_index between the scan and the
write. The try_write succeeded on a stale version and zeroed
last_empty_plus_one with empty bits still set, stranding the page.

The matching segregated-directory path already uses read_to_watch.

Add a regression test that uses pas_race_test_hooks to inject the
empty event between the scan and the write.

* Source/bmalloc/libpas/src/libpas/pas_bitfit_directory.c:
(pas_bitfit_directory_take_last_empty):
* Source/bmalloc/libpas/src/libpas/pas_race_test_hooks.h:
(pas_race_test_hook_kind_get_string):
* Source/bmalloc/libpas/src/test/BitfitTests.cpp:
(std::takeLastEmptyRaceHook):
(std::testTakeLastEmptyLastEmptyPlusOneWatchRace):
(addBitfitTests):

Canonical link: https://commits.webkit.org/312830@main
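
The interleaving described in the log message, as an added example that is not part of the commit or of libpas: a single-threaded C model that injects the empty event between the scan and the write, once after a plain read and once after a watching read. Every name except last_empty_plus_one is hypothetical, and the odd-version "watched" scheme is an assumed simplification of a versioned field.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; names are hypothetical, not libpas API. Assumption: an odd
   version means "watched", and only a watched field gets its version bumped. */
typedef struct { uintptr_t value, version; } vfield;
static vfield last_empty_plus_one;  /* upper-bound hint for the scan */
static uint32_t empty_bits;         /* bit i set = view i is empty */

static vfield vf_read(void) { return last_empty_plus_one; }
static vfield vf_read_to_watch(void) {
    last_empty_plus_one.version |= 1;  /* arm: the next write changes the version */
    return last_empty_plus_one;
}

/* Compare-and-swap on the (value, version) pair. */
static bool vf_try_write(vfield expected, uintptr_t new_value) {
    if (last_empty_plus_one.value != expected.value
        || last_empty_plus_one.version != expected.version)
        return false;
    last_empty_plus_one.value = new_value;
    last_empty_plus_one.version += expected.version & 1;  /* bump only if watched */
    return true;
}

/* Concurrent side: view `index` became empty, so raise the hint to index + 1. */
static void view_did_become_empty(uintptr_t index) {
    vfield old;
    empty_bits |= (uint32_t)1 << index;
    do old = vf_read();
    while (!vf_try_write(old, old.value > index + 1 ? old.value : index + 1));
}

/* One taker pass with the empty event injected between scan and write.
   Returns true when the hint was zeroed while an empty bit is still set. */
static bool take_last_empty_strands_page(bool watch) {
    last_empty_plus_one = (vfield){ .value = 3, .version = 0 };
    empty_bits = 0;
    vfield seen = watch ? vf_read_to_watch() : vf_read();
    bool found = (empty_bits & (((uint32_t)1 << seen.value) - 1)) != 0;  /* scan */
    view_did_become_empty(1);  /* injected race: hint stays 3, bit 1 gets set */
    if (!found) vf_try_write(seen, 0);  /* real code would rescan on failure */
    return last_empty_plus_one.value == 0 && empty_bits != 0;
}

int main(void) {
    printf("plain read: stranded=%d\n", take_last_empty_strands_page(false));
    printf("read_to_watch: stranded=%d\n", take_last_empty_strands_page(true));
}
```

In the plain-read pass the concurrent update leaves both value and version unchanged, so the stale write passes its comparison; in the watching pass the same update moves the version and the write is rejected.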