Bug 256328 - [bmalloc] Scavenger's Mutex can be used after release.
Summary: [bmalloc] Scavenger's Mutex can be used after release.
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: bmalloc
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-05-04 12:08 PDT by Basuke Suzuki
Modified: 2023-05-11 12:09 PDT
CC: 3 users

See Also:
Description Basuke Suzuki 2023-05-04 12:08:51 PDT
Scavenger depends on the Mutex which is allocated by StaticPerProcess::s_mutex. At the end of the process, Deallocator will call Scavenger::scavenge() if the object logs are full. At the same time, StaticPerProcess's s_mutex can also be destructed. If the latter comes first, then Scavenger::scavenge() uses the deallocated Mutex via Deallocator.
Comment 1 Basuke Suzuki 2023-05-04 12:17:17 PDT
It can be solved if StaticPerProcess is replaced with PerProcess.
Comment 2 Basuke Suzuki 2023-05-04 12:41:20 PDT
Yusuke suggested other ideas:
- defining StaticMutex
- add [[clang::no_destroy]]
Comment 3 Yusuke Suzuki 2023-05-04 13:25:40 PDT
Using PerProcess probably causes a RAMification regression, since it allocates a new 16KB page and libpas-using platforms were not allocating that page before (but still using StaticPerProcess).
Comment 4 Yusuke Suzuki 2023-05-04 13:34:25 PDT
So, probably StaticMutex is the way to go, and this is correct since the issue relies on the Mutex implementation (right now this problem is platform specific, since Darwin and Linux do not have this issue because Mutex does not have destructors).
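The ordering hazard from the description, and the "never run the destructor" shape of the StaticMutex / [[clang::no_destroy]] fix from Comments 2 and 4, as an added C++ illustration. This is not bmalloc's code: TrackedMutex, Scavenger, NeverDestroyed, g_mutexDestroyed and the two simulate* functions are hypothetical stand-ins, and process exit is simulated by calling destructors by hand in the order the bug report gives (mutex first, late scavenge second) rather than by real static destruction.

```cpp
#include <mutex>
#include <new>

// Constructed stand-in for bmalloc's Mutex (hypothetical, not bmalloc code): a
// lock whose destructor records that it has run, so the scavenger can refuse to
// touch a dead lock instead of triggering undefined behaviour. The flag lives
// outside the object because reading a member after destruction is itself UB.
static bool g_mutexDestroyed = false;

class TrackedMutex {
public:
    TrackedMutex() { g_mutexDestroyed = false; }
    ~TrackedMutex() { g_mutexDestroyed = true; }
    void lock() { m_mutex.lock(); }
    void unlock() { m_mutex.unlock(); }
private:
    std::mutex m_mutex;
};

// Hypothetical scavenger modelling Scavenger::scavenge() taking s_mutex.
// Returns true if it could take and release the lock, false if the lock had
// already been destroyed (the condition described in the bug).
struct Scavenger {
    TrackedMutex* mutex;
    bool scavenge() {
        if (g_mutexDestroyed)
            return false;                       // would be a use-after-destroy
        std::lock_guard<TrackedMutex> guard(*mutex);
        return true;                            // real scavenging would go here
    }
};

// Pattern behind a StaticMutex / [[clang::no_destroy]] static: construct the
// mutex in raw storage and never run its destructor, so it stays usable until
// the last instruction of the process. The wrapper's own destructor is trivial.
template<typename T>
class NeverDestroyed {
public:
    NeverDestroyed() : m_object(new (m_storage) T) {}
    ~NeverDestroyed() = default;                // deliberately does NOT call ~T()
    T& get() { return *m_object; }
private:
    alignas(T) unsigned char m_storage[sizeof(T)];
    T* m_object;
};

// Simulated process exit in the order the bug describes: the static holding the
// mutex is torn down first, then a late Deallocator flush calls scavenge().
// Storage is a static byte array so the bytes themselves are never released.
bool simulatePlainStaticMutexExit() {
    alignas(TrackedMutex) static unsigned char storage[sizeof(TrackedMutex)];
    TrackedMutex* mutex = new (storage) TrackedMutex;
    Scavenger scavenger { mutex };
    mutex->~TrackedMutex();                     // static destruction runs first
    return scavenger.scavenge();                // false: the lock is already gone
}

bool simulateNeverDestroyedMutexExit() {
    using Holder = NeverDestroyed<TrackedMutex>;
    alignas(Holder) static unsigned char storage[sizeof(Holder)];
    Holder* holder = new (storage) Holder;
    Scavenger scavenger { &holder->get() };
    holder->~NeverDestroyed();                  // the wrapper dies, the mutex does not
    return scavenger.scavenge();                // true: the lock is still valid
}

int main() {
    // Expected: plain static -> 0 (use after destroy avoided only by the check),
    // never-destroyed static -> 1 (late scavenge is safe).
    return (simulatePlainStaticMutexExit() ? 1 : 0)
         | (simulateNeverDestroyedMutexExit() ? 2 : 0);
}
```

The point of the second function is that a wrapper with a trivial destructor carries no static-destruction-order dependency at all, which is why it does not matter which platform's Mutex implementation has a destructor.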
Comment 5 Radar WebKit Bug Importer 2023-05-11 12:09:20 PDT
<rdar://problem/109221272>