Bug 209632 - Clear the entropy bits in the encodedStructureBits when deallocating a structureID.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
Keywords: InRadar
Reported: 2020-03-26 17:14 PDT by Mark Lam
Modified: 2020-03-26 23:38 PDT
Attachments
proposed patch. (1.68 KB, patch)
2020-03-26 17:21 PDT, Mark Lam
saam: review+

Description Mark Lam 2020-03-26 17:14:20 PDT
We currently only use a 32-bit offset in the StructureIDTable's StructureOrOffset. Though we will never store an offset value that is near 32-bit in size, let alone 64-bit, there's no reason why we can't just use all 64 bits for the offset. Doing so will also have the benefit of zeroing out the entropy bits in the old encodedStructureBits. This guarantees there's no chance of collision between a "freed" structureID's entropy bits and the entropy bits in a dead cell due to GC bugs.
Comment 1 Radar WebKit Bug Importer 2020-03-26 17:14:46 PDT
<rdar://problem/60943876>
Comment 2 Mark Lam 2020-03-26 17:21:20 PDT
Created attachment 394681
proposed patch.
Comment 3 Mark Lam 2020-03-26 23:38:46 PDT
Thanks for the review.  Landed in r259107: <http://trac.webkit.org/r259107>.