Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 45be9554866c149cc76752b6edea81b95b3c3384
https://github.com/WebKit/WebKit/commit/45be9554866c149cc76752b6edea81b95b3c3384
Author: Marcus Plutowski <[email protected]>
Date: 2026-02-12 (Thu, 12 Feb 2026)
Changed paths:
M Source/JavaScriptCore/jit/JITWorklistThread.cpp
M Source/JavaScriptCore/jit/JITWorklistThread.h
M Source/WTF/WTF.xcodeproj/project.pbxproj
M Source/WTF/wtf/AutomaticThread.cpp
M Source/WTF/wtf/AutomaticThread.h
M Source/WTF/wtf/CMakeLists.txt
M Source/WTF/wtf/PlatformUse.h
A Source/WTF/wtf/SequesteredAutomaticThread.cpp
A Source/WTF/wtf/SequesteredAutomaticThread.h
M Source/WTF/wtf/SequesteredImmortalHeap.cpp
M Source/WTF/wtf/SequesteredImmortalHeap.h
A Source/WTF/wtf/StackAllocation.h
M Source/WTF/wtf/Threading.cpp
M Source/WTF/wtf/Threading.h
M Source/WTF/wtf/posix/ThreadingPOSIX.cpp
M Source/WTF/wtf/win/ThreadingWin.cpp
Log Message:
-----------
[JSC] Allocate JS compiler thread stacks from sequestered memory
https://bugs.webkit.org/show_bug.cgi?id=306971
rdar://168604548
Reviewed by Keith Miller.
Currently, most of the data used by compiler threads is stored in
memory managed by the Sequestered-allocator-family, as part of the
general effort of isolating their working data from that of the rest of
the process. However, the memory used for their thread stacks is still
allocated as it would be for any other thread -- a vulnerability, as
attackers can simply attack this memory and repoint e.g. stack variables
to point at non-sequestered memory (or simply rewrite the saved retaddr
and take control of the thread entirely).
The first step towards preventing this is allocating the memory for
these threads from the Sequestered-allocator-family.
The new SequesteredAutomaticThread class encapsulates this pattern:
essentially an AutomaticThread with its stack allocated from the
SequesteredImmortalHeap and installed via the standard
`pthread_attr_setstack` API. This does not yet affect the actual
protections applied to those stacks, as that will come in a later patch.
The actual management of these stacks is managed by a new class, the
SequesteredStackAllocator, which sub-allocates from the
SequesteredImmortalHeap pending a move towards some megapage-like
pattern for such allocations.
Since compiler stacks can be and frequently are destroyed, we maintain a
free-list of these stacks for later re-use in order to constrain memory
use. Currently they are not decommitted, but this should not have a
significant impact for most websites, so that work can be left to a
later patch.
Canonical link: https://commits.webkit.org/307447@main