NEW 256328
[bmalloc] Scavenger's Mutex can be used after release.
https://bugs.webkit.org/show_bug.cgi?id=256328
Summary: [bmalloc] Scavenger's Mutex can be used after release.
Basuke Suzuki
Reported 2023-05-04 12:08:51 PDT
Scavenger depends on the Mutex which is allocated by StaticPerProcess::s_mutex. At the end of the process, Deallocator will call Scavenger::scavenge() if the object logs are full. At the same time, StaticPerProcess's s_mutex can also be destructed. If the latter comes first, then Scavenger::scavenge() uses the deallocated Mutex via Deallocator.
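The exit-time ordering hazard described in the report, as an added example that is not bmalloc's own code. It models the report's pieces with toy types (a Mutex whose destructor is observable, a Scavenger that locks it, a Deallocator that calls scavenge() once its 4-entry log fills) and replays the bad order explicitly: the Mutex's destructor runs, then the Deallocator triggers scavenge(). The NeverDestroyed wrapper, the liveMutexes registry and the log capacity are assumptions made for the example; the registry exists only so the toy can report "used after destruction" as a return value instead of triggering real undefined behaviour.

```cpp
#include <cstddef>
#include <new>
#include <set>
#include <utility>
#include <vector>

// Registry of mutexes whose destructor has not run yet (example-only bookkeeping).
static std::set<const void*>& liveMutexes() {
    static std::set<const void*> s;
    return s;
}

// Stands in for a platform Mutex type that has a non-trivial destructor.
class Mutex {
public:
    Mutex() { liveMutexes().insert(this); }
    ~Mutex() { liveMutexes().erase(this); }  // e.g. where pthread_mutex_destroy() would run
    void lock() { ++m_locks; }
    void unlock() {}
    int lockCount() const { return m_locks; }
private:
    int m_locks = 0;
};

// Locks only if the mutex is still alive; returns false on use after destruction.
static bool tryLockLive(Mutex* mutex) {
    if (!liveMutexes().count(mutex)) return false;
    mutex->lock();
    return true;
}

// Hypothetical holder: constructs T in raw storage and never runs ~T, so a static
// instance stays usable from other exit-time destructors (the "StaticMutex" idea).
template<typename T>
class NeverDestroyed {
public:
    template<typename... Args>
    explicit NeverDestroyed(Args&&... args) { new (m_storage) T(std::forward<Args>(args)...); }
    ~NeverDestroyed() = default;  // deliberately no ~T: the object is leaked on purpose
    T& get() { return *reinterpret_cast<T*>(m_storage); }
private:
    alignas(T) unsigned char m_storage[sizeof(T)];
};

// Scavenger holds the shared Mutex by pointer, as a StaticPerProcess user would.
class Scavenger {
public:
    explicit Scavenger(Mutex* mutex) : m_mutex(mutex) {}
    bool scavenge() {
        if (!tryLockLive(m_mutex)) return false;  // the report's use-after-destruction
        ++m_scavenges;                            // free pages would be released here
        m_mutex->unlock();
        return true;
    }
    int scavengeCount() const { return m_scavenges; }
private:
    Mutex* m_mutex;
    int m_scavenges = 0;
};

// Deallocator logs freed objects and calls scavenge() when the log is full.
class Deallocator {
public:
    static constexpr size_t kLogCapacity = 4;  // assumed capacity for the example
    explicit Deallocator(Scavenger& s) : m_scavenger(s) {}
    bool deallocate(void* object) {
        m_log.push_back(object);
        if (m_log.size() < kLogCapacity) return true;
        m_log.clear();
        return m_scavenger.scavenge();
    }
private:
    std::vector<void*> m_log;
    Scavenger& m_scavenger;
};

// Fills the log after the mutex storage has been "torn down"; returns scavenge()'s result.
template<typename TearDown>
static bool replayExit(Mutex* mutex, TearDown tearDown) {
    Scavenger scavenger(mutex);
    Deallocator deallocator(scavenger);
    tearDown();                                   // the exit-time destructor runs first
    int objects[Deallocator::kLogCapacity];
    bool ok = true;
    for (int& o : objects) ok = deallocator.deallocate(&o);
    return ok;
}

// Plain `static Mutex`: its destructor runs before the late scavenge() -> false.
static bool exitWithDestructibleMutex() {
    alignas(Mutex) unsigned char storage[sizeof(Mutex)];
    Mutex* mutex = new (storage) Mutex;
    return replayExit(mutex, [mutex] { mutex->~Mutex(); });
}

// NeverDestroyed<Mutex>: the holder's destructor leaves the Mutex alive -> true.
static bool exitWithNeverDestroyedMutex() {
    alignas(NeverDestroyed<Mutex>) unsigned char storage[sizeof(NeverDestroyed<Mutex>)];
    auto* holder = new (storage) NeverDestroyed<Mutex>;
    return replayExit(&holder->get(), [holder] { holder->~NeverDestroyed(); });
}
```

With clang, `[[clang::no_destroy]] static Mutex s_mutex;` gives the same never-run-the-destructor behaviour without a wrapper type; the wrapper form is shown here because it is portable to any compiler.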
Basuke Suzuki
Comment 1 2023-05-04 12:17:17 PDT
It can be solved if StaticPerProcess is replaced with PerProcess.
Basuke Suzuki
Comment 2 2023-05-04 12:41:20 PDT
Yusuke suggested other ideas:
- defining StaticMutex
- adding [[clang::no_destroy]]
Yusuke Suzuki
Comment 3 2023-05-04 13:25:40 PDT
Using PerProcess probably causes a RAMification regression since it allocates a new 16KB page, and libpas-using platforms were not allocating that page before (but were still using StaticPerProcess).
Yusuke Suzuki
Comment 4 2023-05-04 13:34:25 PDT
So StaticMutex is probably the way to go, and this is correct since the issue depends on the Mutex implementation (right now this problem is platform specific, since Darwin and Linux do not have this issue because their Mutex does not have a destructor).
Radar WebKit Bug Importer
Comment 5 2023-05-11 12:09:20 PDT