Bug 209632

Summary: Clear the entropy bits in the encodedStructureBits when deallocating a structureID.
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: Mark Lam <mark.lam>
Assignee: Mark Lam <mark.lam>
CC: ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer
Keywords: InRadar
Attachments:
proposed patch. (1.68 KB, patch), 2020-03-26 17:21 PDT, Mark Lam. Flags: saam: review+

Mark Lam
Reported 2020-03-26 17:14:20 PDT
We currently only use a 32-bit offset in the StructureIDTable's StructureOrOffset. Though we will never store an offset value that is near 32-bit in size, let alone 64-bit, there's no reason why we can't just use all 64 bits for the offset. Doing so will also have the benefit of zeroing out the entropy bits in the old encodedStructureBits. This guarantees there's no chance of coalition between a "freed" structureID's entropy bits and the entropy bits in a dead cell due to GC bugs.
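The following is an added illustration, not JSC's code, of the mechanism the description relies on: a StructureID carries a table index in its high bits and a few entropy bits in its low bits, and the table slot stores the Structure pointer XORed with those entropy bits shifted into the unused top of the word, so a lookup with the wrong entropy reconstructs a non-canonical pointer. It models both layouts of the StructureOrOffset union, the 32-bit offset member (before) and the full-width one (after), and runs the GC-bug scenario from the description: a cell that should be dead still holds a freed StructureID and something looks it up. Assumptions: 7 entropy bits, Structure addresses modelled as plain 64-bit integers, and a constructed sample address and entropy value. Reading `encodedStructureBits` after writing `offset` is union type punning, which GCC and Clang define, as the real union also relies on.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model of the StructureIDTable encoding (an added illustration,
// not JSC's code). A StructureID is a 32-bit value: table index in the high
// bits, entropy bits in the low bits. A slot stores the Structure's address
// XORed with the entropy bits shifted into the top of the word.
using StructureID = uint32_t;
using Address = uint64_t;   // stands in for Structure* so results are deterministic

static constexpr unsigned kEntropyBitCount = 7;
static constexpr unsigned kEntropyShift = 64 - kEntropyBitCount;
static constexpr StructureID kEntropyMask = (1u << kEntropyBitCount) - 1;

// "Before": the free-list offset member is 32 bits wide, so storing an offset
// rewrites only the low half of the slot; the old entropy bits in the high
// half survive the free.
union SlotBefore { Address encodedStructureBits; uint32_t offset; };
// "After": the offset member spans the whole slot, so storing an offset also
// zeroes the old entropy bits.
union SlotAfter { Address encodedStructureBits; uint64_t offset; };

static Address entropyTag(StructureID id) {
    return static_cast<Address>(id & kEntropyMask) << kEntropyShift;
}

template <typename Slot>
class StructureIDTable {
public:
    StructureIDTable() : m_slots(1), m_freeListHead(0) {}   // index 0 is reserved

    // Hands out an ID for `structure`, reusing a freed slot when one exists.
    StructureID allocate(Address structure, uint32_t entropy) {
        uint32_t index;
        if (m_freeListHead) {
            index = m_freeListHead;
            m_freeListHead = static_cast<uint32_t>(m_slots[index].offset);
        } else {
            index = static_cast<uint32_t>(m_slots.size());
            m_slots.push_back(Slot{});
        }
        StructureID id = (index << kEntropyBitCount) | (entropy & kEntropyMask);
        m_slots[index].encodedStructureBits = structure ^ entropyTag(id);
        return id;
    }

    // Pushes the slot onto the free list by writing only the `offset` member;
    // whether that clears the entropy bits depends on the member's width.
    void deallocate(StructureID id) {
        uint32_t index = id >> kEntropyBitCount;
        m_slots[index].offset = m_freeListHead;
        m_freeListHead = index;
    }

    // The pointer bits a lookup reconstructs for `id`, live or stale.
    Address decode(StructureID id) const {
        return m_slots[id >> kEntropyBitCount].encodedStructureBits ^ entropyTag(id);
    }

private:
    std::vector<Slot> m_slots;
    uint32_t m_freeListHead;
};

// A decoded value with entropy bits still set cannot be a canonical user-space
// address, so dereferencing it faults immediately.
static bool isCanonical(Address a) { return (a >> kEntropyShift) == 0; }

// Constructed inputs (assumptions): a typical 47-bit user-space heap address
// and an arbitrary 7-bit entropy value.
static constexpr Address kSampleStructure = 0x00007f3a5c001000ull;
static constexpr uint32_t kSampleEntropy = 0x5a;

// Sanity check: a live ID decodes back to the address it was allocated for.
template <typename Slot>
static bool liveLookupRoundTrips() {
    StructureIDTable<Slot> table;
    StructureID id = table.allocate(kSampleStructure, kSampleEntropy);
    return table.decode(id) == kSampleStructure;
}

// The GC-bug scenario: a cell that should be dead still carries a freed
// StructureID, and the table is consulted with it after the free.
template <typename Slot>
static Address staleLookupAfterFree() {
    StructureIDTable<Slot> table;
    StructureID id = table.allocate(kSampleStructure, kSampleEntropy);
    table.deallocate(id);
    return table.decode(id);   // stale ID's entropy bits match what the slot held at allocation
}

static Address staleLookupBefore() { return staleLookupAfterFree<SlotBefore>(); }
static Address staleLookupAfter() { return staleLookupAfterFree<SlotAfter>(); }

int main() {
    std::printf("before: %016llx canonical=%d\n",
                static_cast<unsigned long long>(staleLookupBefore()), isCanonical(staleLookupBefore()));
    std::printf("after:  %016llx canonical=%d\n",
                static_cast<unsigned long long>(staleLookupAfter()), isCanonical(staleLookupAfter()));
    return 0;
}
```

With the 32-bit offset member the stale lookup reconstructs the freed Structure's address with its low 32 bits replaced by the free-list offset: a canonical, plausible-looking pointer into the same region, which is exactly the dangling value the entropy scheme is meant to rule out. With the full-width member the slot is entirely zero after the free, so the stale lookup yields only the entropy tag in the top bits, a non-canonical pointer that faults on first use regardless of which entropy value the dead cell carries.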
Radar WebKit Bug Importer
Comment 1 2020-03-26 17:14:46 PDT
Mark Lam
Comment 2 2020-03-26 17:21:20 PDT
Created attachment 394681: proposed patch.
Mark Lam
Comment 3 2020-03-26 23:38:46 PDT
Thanks for the review. Landed in r259107: <http://trac.webkit.org/r259107>.