154146 CVE-2016-4730 2016-02-11 18:31:06 -0800 AdaptiveInferredPropertyValueWatchpoint can trigger a GC that frees its CodeBlock and thus itself 2017-10-11 10:24:32 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 keith_miller keith_miller bfulgham commit-queue fpizlo webkit-bug-importer oldest_to_newest 1163972 0 keith_miller 2016-02-11 18:31:06 -0800 Consider the following: there is some CodeBlock, C, that is watching some object, O, with a structure, S, for replacements. Also, suppose that C has no references anymore and is due to be GCed. Now, when some new property is added to O, S will create a new structure S' and fire its transition watchpoints. Since C is watching S for replacements it will attempt to have its AdaptiveInferredPropertyValueWatchpoint relocate itself to S'. To do so, it needs it allocate RareData on S'. This allocation may cause a GC, which frees C while still executing its watchpoint handler. 1163979 1 271117 keith_miller 2016-02-11 18:55:26 -0800 Created attachment 271117 Patch 1164221 2 keith_miller 2016-02-12 11:20:51 -0800 I can't find a good way to test this. The main issue is that we need to take a slow path allocation in order to trigger a GC but we currently don't have a way to force allocation slow paths. I tried adding an option but the check for the option caused performance regressions. We could add it in debug builds only but that has the downside of making the test only effective in debug builds. Additionally, I have not found a way to get a CodeBlock to become unreferenced consistently, which makes the other issues somewhat moot. 1164223 3 keith_miller 2016-02-12 11:23:30 -0800 rdar://problem/23569888 1164230 4 keith_miller 2016-02-12 11:28:57 -0800 Note, I am confident this fixes the issue as previously we would crash reliably every run of "run-webkit-tests --additional-env-var="JSC_slowPathAllocsBetweenGCs=10" --no-retry -1 --child-processes=6 -g svg/dom/viewspec-parser-4.html --repeat 100" and with the change I have not crashed in 1000+ runs. 1164278 5 271117 commit-queue 2016-02-12 12:44:45 -0800 Comment on attachment 271117 Patch Clearing flags on attachment: 271117 Committed r196497: <http://trac.webkit.org/changeset/196497> 1164279 6 commit-queue 2016-02-12 12:44:47 -0800 All reviewed patches have been landed. Closing bug. 271117 2016-02-11 18:55:26 -0800 2016-02-12 12:44:45 -0800 Patch bug-154146-20160211185505.patch text/plain 2729 keith_miller U3VidmVyc2lvbiBSZXZpc2lvbjogMTk2MTc0CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCA1 ZDgxYjRjMDZiN2I3NTYzZjA2MjdjYjdiMmY0M2EzNTM2MTFkYmJkLi43OGU5NjVmNzZiYzIyYjYz ZTI5MjU0YzgwMmQwNmYzNjhhYmFiMjEzIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwyMiBAQAorMjAxNi0wMi0xMSAgS2VpdGggTWlsbGVyICA8a2VpdGhfbWlsbGVyQGFwcGxl LmNvbT4KKworICAgICAgICBBZGFwdGl2ZUluZmVycmVkUHJvcGVydHlWYWx1ZVdhdGNocG9pbnQg Y2FuIHRyaWdnZXIgYSBHQyB0aGF0IGZyZWVzIGl0cyBDb2RlQmxvY2sgYW5kIHRodXMgaXRzZWxm CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNTQxNDYK KworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBDb25zaWRl ciB0aGUgZm9sbG93aW5nOiB0aGVyZSBpcyBzb21lIENvZGVCbG9jaywgQywgdGhhdCBpcyB3YXRj aGluZyBzb21lIG9iamVjdCwgTywgd2l0aCBhCisgICAgICAgIHN0cnVjdHVyZSwgUywgZm9yIHJl cGxhY2VtZW50cy4gQWxzbywgc3VwcG9zZSB0aGF0IEMgaGFzIG5vIHJlZmVyZW5jZXMgYW55bW9y ZSBhbmQgaXMgZHVlIHRvCisgICAgICAgIGJlIEdDZWQuIE5vdywgd2hlbiBzb21lIG5ldyBwcm9w ZXJ0eSBpcyBhZGRlZCB0byBPLCBTIHdpbGwgY3JlYXRlIGEgbmV3IHN0cnVjdHVyZSBTJyBhbmQK KyAgICAgICAgZmlyZSBpdHMgdHJhbnNpdGlvbiB3YXRjaHBvaW50cy4gU2luY2UgQyBpcyB3YXRj aGluZyBTIGZvciByZXBsYWNlbWVudHMgaXQgd2lsbCBhdHRlbXB0IHRvCisgICAgICAgIGhhdmUg aXRzIEFkYXB0aXZlSW5mZXJyZWRQcm9wZXJ0eVZhbHVlV2F0Y2hwb2ludCByZWxvY2F0ZSBpdHNl bGYgdG8gUycuIFRvIGRvIHNvLCBpdCBuZWVkcworICAgICAgICBpdCBhbGxvY2F0ZSBSYXJlRGF0 YSBvbiBTJy4gVGhpcyBhbGxvY2F0aW9uIG1heSBjYXVzZSBhIEdDLCB3aGljaCBmcmVlcyBDIHdo aWxlIHN0aWxsCisgICAgICAgIGV4ZWN1dGluZyBpdHMgd2F0Y2hwb2ludCBoYW5kbGVyLiBUaGUg c29sdXRpb24gdG8gdGhpcyBpcyB0byBkZWZlciBHQyB3aGlsZSBydW5uaW5nCisgICAgICAgIEFk YXB0aXZlSW5mZXJyZWRQcm9wZXJ0eVZhbHVlV2F0Y2hwb2ludEJhc2UgaGFuZGxlcnMuCisKKyAg ICAgICAgKiBieXRlY29kZS9BZGFwdGl2ZUluZmVycmVkUHJvcGVydHlWYWx1ZVdhdGNocG9pbnRC YXNlLmNwcDoKKyAgICAgICAgKEpTQzo6QWRhcHRpdmVJbmZlcnJlZFByb3BlcnR5VmFsdWVXYXRj aHBvaW50QmFzZTo6ZmlyZSk6CisKIDIwMTYtMDItMDQgIEpvc2VwaCBQZWNvcmFybyAgPHBlY29y YXJvQGFwcGxlLmNvbT4KIAogICAgICAgICBXZWIgSW5zcGVjdG9yOiBJbnNwZWN0b3JUaW1lbGlu ZUFnZW50IGRvZXNuJ3QgbmVlZCB0byByZWNvbXBpbGUgZnVuY3Rpb25zIGJlY2F1c2UgaXQgbm93 IHVzZXMgdGhlIHNhbXBsaW5nIHByb2ZpbGVyCmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvYnl0ZWNvZGUvQWRhcHRpdmVJbmZlcnJlZFByb3BlcnR5VmFsdWVXYXRjaHBvaW50QmFz ZS5jcHAgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvYnl0ZWNvZGUvQWRhcHRpdmVJbmZlcnJlZFBy b3BlcnR5VmFsdWVXYXRjaHBvaW50QmFzZS5jcHAKaW5kZXggMDRkOThmNmRhZTQ4NDJjYmViNzVh NzliMTBiOGNjYjc4NTkxNDdjNS4uOWYwMmU4Y2I2OGNkODgxZmFhNGZlYTFkNDk3MDEwMWE4NWZl ZTM4NyAxMDA2NDQKLS0tIGEvU291cmNlL0phdmFTY3JpcHRDb3JlL2J5dGVjb2RlL0FkYXB0aXZl SW5mZXJyZWRQcm9wZXJ0eVZhbHVlV2F0Y2hwb2ludEJhc2UuY3BwCisrKyBiL1NvdXJjZS9KYXZh U2NyaXB0Q29yZS9ieXRlY29kZS9BZGFwdGl2ZUluZmVycmVkUHJvcGVydHlWYWx1ZVdhdGNocG9p bnRCYXNlLmNwcApAQCAtNTAsNiArNTAsMTAgQEAgdm9pZCBBZGFwdGl2ZUluZmVycmVkUHJvcGVy dHlWYWx1ZVdhdGNocG9pbnRCYXNlOjppbnN0YWxsKCkKIAogdm9pZCBBZGFwdGl2ZUluZmVycmVk UHJvcGVydHlWYWx1ZVdhdGNocG9pbnRCYXNlOjpmaXJlKGNvbnN0IEZpcmVEZXRhaWwmIGRldGFp bCkKIHsKKyAgICAvLyBXZSBuZWVkIHRvIGRlZmVyIEdDIGhlcmUgb3RoZXJ3aXNlIHdlIG1pZ2h0 IHRyaWdnZXIgYSBHQyB0aGF0IGNvdWxkIGRlc3Ryb3kgdGhlIG93bmVyCisgICAgLy8gQ29kZUJs b2NrLiBJbiBwYXJ0aWN1bGFyLCB0aGlzIGNhbiBoYXBwZW4gd2hlbiB3ZSBhZGQgcmFyZSBkYXRh IHRvIGEgc3RydWN0dXJlIHdoZW4KKyAgICAvLyB3ZSBFbnN1cmVXYXRjaGFiaWxpdHkuCisgICAg RGVmZXJHQ0ZvckFXaGlsZSBkZWZlcigqSGVhcDo6aGVhcChtX2tleS5vYmplY3QoKSkpOwogICAg IC8vIE9uZSBvZiB0aGUgd2F0Y2hwb2ludHMgZmlyZWQsIGJ1dCB0aGUgb3RoZXIgb25lIGRpZG4n dC4gTWFrZSBzdXJlIHRoYXQgbmVpdGhlciBvZiB0aGVtIGFyZQogICAgIC8vIGluIGFueSBzZXQg YW55bW9yZS4gVGhpcyBzaW1wbGlmaWVzIHRoaW5ncyBieSBhbGxvd2luZyB1cyB0byByZWluc3Rh bGwgdGhlIHdhdGNocG9pbnRzCiAgICAgLy8gd2hlcmV2ZXIgZnJvbSBzY3JhdGNoLgo=