Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: dee9781145cfd9b0d1f009a019aaa5098abdf68b
      
https://github.com/WebKit/WebKit/commit/dee9781145cfd9b0d1f009a019aaa5098abdf68b
  Author: Marcus Plutowski <[email protected]>
  Date:   2026-03-19 (Thu, 19 Mar 2026)

  Changed paths:
    M Source/bmalloc/bmalloc/bmalloc.cpp
    M Source/bmalloc/libpas/src/libpas/pas_mte_config.c
    M Source/bmalloc/libpas/src/libpas/pas_mte_config.h

  Log Message:
  -----------
  [libpas] Quickly use bitfit heaps (as possible) when retag-on-scavenge is enabled
https://bugs.webkit.org/show_bug.cgi?id=309598
rdar://172220367

Reviewed by Mark Lam.

Retag-on-scavenge functionally supports both segregated and bitfit
heaps. Bitfit allocations, however, are tagged immediately when the
object is freed.
As such, when retag-on-scavenge is enabled, we should prefer to allocate
from bitfit heaps to exploit this property -- the exception of course
being isoheaps, due to the intrinsic type-unsafety of bitfit heaps.

Notably, this already kinda happens in privileged processes, where
WebCore enables fastMiniMode during process setup. However, this happens
late enough that several local-allocators are able to first allocate
objects, populating a goodly number of segregated size-directories which
can thereafter be used for allocating segregated objects. This isn’t a
problem for mini-mode because the goal there is just to reduce memory
usage, so some stray allocations aren’t going to crater the feature, but
for us it is — the security boundary provided by any eventual
retag-on-free solution would be much weakened if attackers could go
through objects allocated sufficiently-early-on.

So concretely, this patch does two things:
  1. Extend the “mini-mode”-style segregated-heap disablement to cover
     WebContent processes when Retag-on-Scavenge is enabled;
  2. Hoist this enablement to early enough in the process lifetime
     that no segregated directories can sneak by before we disable them.

Canonical link: https://commits.webkit.org/309573@main


