Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b30b68c003b46cd8bffcdb34070ad44c1a48648b
https://github.com/WebKit/WebKit/commit/b30b68c003b46cd8bffcdb34070ad44c1a48648b
Author: Yusuke Suzuki <[email protected]>
Date: 2025-06-05 (Thu, 05 Jun 2025)
Changed paths:
M Source/JavaScriptCore/SaferCPPExpectations/UncountedLocalVarsCheckerExpectations
M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp
M Source/JavaScriptCore/wasm/WasmCalleeGroup.h
M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
M Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp
M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
M Source/WTF/wtf/ThreadSafeWeakPtr.h
Log Message:
-----------
[JSC] Wasm::BBQCallee retrieval should not use "ptr()"
https://bugs.webkit.org/show_bug.cgi?id=291150
rdar://147696218
Reviewed by Keith Miller.
The issue is that Wasm::CalleeGroup is using
ThreadSafeWeakOrStrongPtr::ptr(), but this is valid only when
ThreadSafeWeakOrStrongPtr is a strong pointer, and that is actually not
true. As a result, we may encounter a tagged weak pointer etc. and
incorrectly use it, leading to UAF.
The minimal fix is to not use ptr() when it can be a weak ptr.
1. We remove ::ptr(). This is a bit of a dangerous function.
2. Do not use ptr() when it is not guaranteed to be a strong
pointer. In most cases, `::get()` is the right answer in
Wasm::CalleeGroup.
3. We also annotate Callees with RefPtr / Ref. Strictly speaking, this
is not really necessary as they are kept alive in Wasm::CalleeGroup and
the only possible BBQCallee cannot go away until the VM hits some
condition. But anyway, this is not super hot code, and it makes it
explicit that they have ownership. When we find that some of them
are hot, we should use raw pointers in these places with the calleeGroup's
ownership model.
* Source/JavaScriptCore/SaferCPPExpectations/UncountedLocalVarsCheckerExpectations:
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp:
(JSC::Wasm::CalleeGroup::tryGetBBQCalleeForLoopOSR):
(JSC::Wasm::CalleeGroup::calleeIsReferenced const):
* Source/JavaScriptCore/wasm/WasmCalleeGroup.h:
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:
(JSC::IPInt::jitCompileAndSetHeuristics):
(JSC::IPInt::jitCompileSIMDFunction):
(JSC::IPInt::WASM_IPINT_EXTERN_CPP_DECL):
(JSC::IPInt::doWasmCall):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::emitInlineDirectCall):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::emitInlineDirectCall):
* Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp:
(JSC::Wasm::OSREntryPlan::work):
* Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):
(JSC::LLInt::jitCompileSIMDFunction):
(JSC::LLInt::WASM_SLOW_PATH_DECL):
(JSC::LLInt::doWasmCall):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::initElementSegment):
* Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::initializeExports):
* Source/WTF/wtf/ThreadSafeWeakPtr.h:
(WTF::ThreadSafeWeakOrStrongPtr::get const):
(WTF::ThreadSafeWeakOrStrongPtr::tryConvertToStrong):
(WTF::ThreadSafeWeakOrStrongPtr::ptr const): Deleted.
Originally-landed-as: 289651.398@safari-7621-branch (d2435c4b90d1).
rdar://151712839
Canonical link: https://commits.webkit.org/295865@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes