Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 78b9637e3457ef457fa6578d362071d1569b8793
https://github.com/WebKit/WebKit/commit/78b9637e3457ef457fa6578d362071d1569b8793
Author: Daniel Liu <[email protected]>
Date: 2025-04-04 (Fri, 04 Apr 2025)
Changed paths:
M Source/JavaScriptCore/bytecode/GetByIdMetadata.h
Log Message:
-----------
LLInt GetByIdModeMetadata should not hold potentially dead structure IDs
https://bugs.webkit.org/show_bug.cgi?id=287567
rdar://144076957
Reviewed by Yijia Huang and Yusuke Suzuki.
GetByIdModeMetadata does not reset its structure ID upon transitioning to ArrayLengthMode, meaning that this could get held over across another reset. This could later cause access to a freed (or reallocated) structure ID.

This patch also cleans up the code in `setProtoLoadMode` slightly to clear up the specific writes being performed.

This does not apply to other modes, since they set their structure ID explicitly. Since the mutator thread is the thread changing modes, it will only invalidate the structure ID after the call to clearToDefaultModeWithoutCache finishes, meaning that the structure ID already is cleared.
* Source/JavaScriptCore/bytecode/GetByIdMetadata.h:
(JSC::GetByIdModeMetadata::clearToDefaultModeWithoutCache):
(JSC::GetByIdModeMetadata::setUnsetMode):
(JSC::GetByIdModeMetadata::setArrayLengthMode):
(JSC::GetByIdModeMetadata::setProtoLoadMode):
* Source/JavaScriptCore/bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeFromLLInt):
Originally-landed-as: 289651.165@safari-7621-branch (a93595279e2b).
rdar://148058163
Canonical link: https://commits.webkit.org/293257@main
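As an added illustration of the stale-ID hazard the commit message describes, here is a constructed C++ model of a mode-tagged inline-cache record; it is not JavaScriptCore's GetByIdModeMetadata, and the struct, mode names, `StructureID` type and helper functions are assumptions made for the example. It places the buggy transition (mode changes, old structure ID left behind) beside the fixed one (ID cleared), and exposes a check that reports whether a freed structure's ID is still held after the transition.

```cpp
#include <cstdint>

// Hypothetical, simplified stand-in for a per-bytecode GetById cache record.
// A structure ID names the object shape the cache was built against; once the
// collector frees that structure, any ID still stored here is dangling.
enum class Mode : uint8_t { Default, Unset, ArrayLength, ProtoLoad };
using StructureID = uint32_t;
constexpr StructureID kNoStructure = 0;

struct ModeMetadata {
    Mode mode = Mode::Default;
    StructureID structureID = kNoStructure;  // meaningful only in Unset/ProtoLoad
    uint32_t cachedOffset = 0;

    // Modes that cache a structure always write the ID explicitly.
    void setUnsetMode(StructureID id) {
        mode = Mode::Unset; structureID = id; cachedOffset = 0;
    }
    void setProtoLoadMode(StructureID id, uint32_t offset) {
        mode = Mode::ProtoLoad; structureID = id; cachedOffset = offset;
    }

    // Buggy variant: ArrayLength needs no structure, but the old ID is left
    // in place and can outlive the structure it refers to.
    void setArrayLengthModeBuggy() { mode = Mode::ArrayLength; }

    // Fixed variant: clear every field the new mode does not own.
    void setArrayLengthModeFixed() {
        mode = Mode::ArrayLength; structureID = kNoStructure; cachedOffset = 0;
    }

    bool holdsStructure(StructureID id) const { return structureID == id; }
};

// Simulates: cache a proto-load against `freed`, switch to ArrayLength mode,
// then free `freed`. Returns true if the record still names the dead structure.
bool staleIdAfterArrayLength(bool useFix, StructureID freed) {
    ModeMetadata md;
    md.setProtoLoadMode(freed, 8);  // constructed sample offset
    if (useFix)
        md.setArrayLengthModeFixed();
    else
        md.setArrayLengthModeBuggy();
    // At this point the structure `freed` is collected; a correct record must
    // not reference it, otherwise a later reader may use a freed/reused ID.
    return md.holdsStructure(freed);
}
```

The buggy path keeps the ID through the mode change, so a later reset or cache lookup that trusts `structureID` can touch a structure the collector has already reclaimed or reused.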
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes