Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ba26b5242151233d8fe65f1834456cb27130dce2
https://github.com/WebKit/WebKit/commit/ba26b5242151233d8fe65f1834456cb27130dce2
  Author: Marcus Plutowski <[email protected]>
  Date:   2026-05-22 (Fri, 22 May 2026)

  Changed paths:
    M Source/bmalloc/libpas/src/libpas/pas_compact_heap_reservation.c
    M Source/bmalloc/libpas/src/libpas/pas_compact_heap_reservation.h
    M Source/bmalloc/libpas/src/libpas/pas_page_malloc.c
    M Source/bmalloc/libpas/src/libpas/pas_page_malloc.h
    M Source/bmalloc/libpas/src/libpas/pas_report_crash_pgm_report.h
    M Source/bmalloc/libpas/src/libpas/pas_root.c
    M Source/bmalloc/libpas/src/libpas/pas_root.h
    M Source/bmalloc/libpas/src/test/IsoHeapChaosTests.cpp

  Log Message:
  -----------
  [libpas] Add a guard page to the front of the compact-heap reservation
https://bugs.webkit.org/show_bug.cgi?id=315126
rdar://177469163

Reviewed by Dan Hecht.

Libpas' compact-heap allocates metadata objects for which we want
to minimize the metadata overhead. This is achieved by creating a fixed
VA reservation and allocating objects as 8B aligned indices into the
heap.

Due to how the bounds of the range are computed (offset by
pas_compact_heap_reservation_guard_size) the first byte of compact
memory is actually accessed via compact-pointer index 2. libpas will
never give out indices 0 or 1. However, if a bug somehow zeroes
out a compact pointer, then the resulting index points to the memory
immediately before the compact reservation. Unchecked accesses, such as
through pas_segregated_directory_data_ptr_load_non_null, will
consequently corrupt that memory, if it's mapped.

This patch adds a guard page to the start of the VA reservation,
turning 'compact-nullptr' accesses like those described above into
deterministic crashes.

No new tests as this is an implementation detail.

Canonical link: https://commits.webkit.org/313747@main
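As an added example, not libpas code and not part of this commit, the C program below sketches the layout the message describes: a PROT_NONE guard page at the front of the reservation, an assumed 8-byte index granule and 16-byte bounds offset so that index 2 is the first usable byte, and a probe showing that a zeroed compact pointer (index 0) now faults instead of touching the memory before the reservation. All names and constants are hypothetical.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed encoding (not libpas' real constants): 8-byte granule and a 16-byte
 * bounds offset, so index 2 is the first usable byte as the message describes. */
#define COMPACT_GRANULE 8u
#define BOUNDS_OFFSET   16u

typedef struct {
    uint8_t *heap_base; /* first usable byte; the PROT_NONE guard page precedes it */
    size_t page_size;
} compact_reservation;

/* Reserve one guard page plus `usable` bytes, then revoke access to the guard. */
static bool compact_reservation_create(compact_reservation *r, size_t usable)
{
    r->page_size = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, r->page_size + usable, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED || mprotect(p, r->page_size, PROT_NONE) != 0)
        return false;
    r->heap_base = (uint8_t *)p + r->page_size;
    return true;
}

/* Index 0 decodes to BOUNDS_OFFSET bytes before heap_base: now inside the guard page. */
static uint32_t compact_encode(const compact_reservation *r, const void *p) {
    return (uint32_t)(((const uint8_t *)p - (r->heap_base - BOUNDS_OFFSET)) / COMPACT_GRANULE);
}
static uint8_t *compact_decode(const compact_reservation *r, uint32_t idx) {
    return r->heap_base - BOUNDS_OFFSET + (size_t)idx * COMPACT_GRANULE;
}

/* Probe a one-byte read and report whether it faulted (SIGSEGV caught via sigsetjmp). */
static sigjmp_buf probe_env;
static void probe_handler(int sig) { (void)sig; siglongjmp(probe_env, 1); }
static bool access_faults(volatile const uint8_t *p)
{
    struct sigaction sa = { .sa_handler = probe_handler }, old;
    sigaction(SIGSEGV, &sa, &old);
    bool faulted = true;
    if (sigsetjmp(probe_env, 1) == 0) { (void)*p; faulted = false; }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}
```

Without the guard page, `compact_decode(&r, 0)` would resolve to whatever happened to be mapped just below the reservation, which is the silent corruption the commit removes.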