Bug 256328

Summary: [bmalloc] Scavenger's Mutex can be used after release.
Product: WebKit
Reporter: Basuke Suzuki <Basuke.Suzuki>
Component: bmalloc
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: ggaren, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Basuke Suzuki 2023-05-04 12:08:51 PDT
Scavenger depends on the Mutex which is allocated by StaticPerProcess::s_mutex. At the end of the process, Deallocator will call Scavenger::scavenge() if the object logs are full. At the same time, StaticPerProcess's s_mutex can also be destructed. If the latter comes first, then Scavenger::scavenge() uses the deallocated Mutex via Deallocator.
Comment 1 Basuke Suzuki 2023-05-04 12:17:17 PDT
It can be solved if StaticPerProcess is replaced with PerProcess.
Comment 2 Basuke Suzuki 2023-05-04 12:41:20 PDT
Yusuke suggested other ideas:
- defining StaticMutex
- add [[clang::no_destroy]]
Comment 3 Yusuke Suzuki 2023-05-04 13:25:40 PDT
PerProcess use probably causes a RAMification regression since it allocates a new 16KB page, and libpas-using platforms were not allocating that page before (but are still using StaticPerProcess).
Comment 4 Yusuke Suzuki 2023-05-04 13:34:25 PDT
So, probably StaticMutex is the way to go, and this is correct since the issue relies on the Mutex implementation (right now this problem is platform specific, since Darwin and Linux do not have this issue because Mutex does not have a destructor).
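Added example, not WebKit or bmalloc code: a self-contained model of the exit-time ordering the report describes and of the StaticMutex-style fix from comments 2 and 4. PlatformMutex, NeverDestroyed, Scavenger and the handle registry are constructed stand-ins for the real types; the wrapper never runs the mutex's destructor, which is the same effect [[clang::no_destroy]] gives a static object.

```cpp
#include <new>
#include <set>
#include <type_traits>
// Constructed stand-in for a platform mutex whose destructor releases an OS
// handle (the case the bug describes; on Darwin/Linux bmalloc's Mutex has no dtor).
static std::set<int>& liveHandles() { static std::set<int> s; return s; }
static int g_nextHandle = 1;

struct PlatformMutex {
    int handle;
    PlatformMutex() : handle(g_nextHandle++) { liveHandles().insert(handle); }
    ~PlatformMutex() { liveHandles().erase(handle); }  // like pthread_mutex_destroy
};

// Locking through the handle, as the OS would: fails once the mutex is released.
static bool tryLock(int handle) { return liveHandles().count(handle) != 0; }
// StaticMutex-style wrapper: builds T in raw storage and never runs ~T, so the
// wrapper is trivially destructible and usable from other objects' static destructors.
template<typename T>
class NeverDestroyed {
public:
    template<typename... Args>
    NeverDestroyed(Args&&... args) { new (&m_storage) T(static_cast<Args&&>(args)...); }
    T& get() { return *reinterpret_cast<T*>(&m_storage); }
private:
    alignas(T) unsigned char m_storage[sizeof(T)];
};

// Simulated Scavenger: scavenge() locks the mutex whose handle it was given.
struct Scavenger { int mutexHandle; bool scavenge() const { return tryLock(mutexHandle); } };

// Exit-time ordering from the report: the mutex's static storage is torn down
// before the Deallocator's final scavenge() runs.
bool scavengeAfterTeardownDestructible() {
    Scavenger scavenger{0};
    {
        PlatformMutex mutex;                 // stands in for StaticPerProcess s_mutex
        scavenger.mutexHandle = mutex.handle;
    }                                        // ~PlatformMutex ran: handle released
    return scavenger.scavenge();             // false: use after release
}

bool scavengeAfterTeardownNeverDestroyed() {
    Scavenger scavenger{0};
    {
        NeverDestroyed<PlatformMutex> mutex; // no destructor ever runs
        scavenger.mutexHandle = mutex.get().handle;
    }
    return scavenger.scavenge();             // true: handle still live
}
```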
Comment 5 Radar WebKit Bug Importer 2023-05-11 12:09:20 PDT
<rdar://problem/109221272>