Bug 265469 - Race condition in ARM64 disassembler initialization
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: David Degazio
Keywords: InRadar
Reported: 2023-11-28 11:30 PST by David Degazio
Modified: 2023-11-30 10:51 PST

Description David Degazio 2023-11-28 11:30:04 PST
rdar://118890976

It's rare, but possible for two threads to initialize the ARM64 disassembler in JSC at the same time. If this happens, we run into problems in the following code:

    if (!opcodeTable[opcodeGroupNumber])
        opcodeTable[opcodeGroupNumber] = newOpcodeGroup;
    else
        lastGroups[opcodeGroupNumber]->setNext(newOpcodeGroup);
    lastGroups[opcodeGroupNumber] = newOpcodeGroup;

This code builds an array of linked lists of opcode groups. We can get an interleaving where:
  - Thread 1 hits the if statement, and sees the opcode table entry is null.
  - Thread 1 sets the opcode table entry to a new, non-null group.
  - Thread 2 hits the if statement, and sees the opcode table entry is now non-null.
  - Thread 2 continues to setNext on an element of lastGroups, but it's still null at this point! So we crash.

To fix this, we should just protect this initialization function with a lock.
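The interleaving above, and the lock-based fix the report proposes, as an added self-contained C++ example (not WebKit's code; the `OpcodeGroup`, `Disassembler` and `ensureInitialized` names and the constructed table contents are assumptions). The append logic mirrors the quoted snippet unchanged; what changes is that the whole table build runs under a mutex and only once, so a second thread either waits for the first to finish or finds the table already built and never reaches the null `lastGroups` entry.

```cpp
#include <array>
#include <cstddef>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Constructed stand-in for the disassembler's opcode group nodes (assumption, not JSC's type).
struct OpcodeGroup {
    unsigned groupNumber;
    OpcodeGroup* next { nullptr }; // singly linked list of groups sharing a group number
    void setNext(OpcodeGroup* group) { next = group; }
};

constexpr size_t kOpcodeGroupCount = 8;

class Disassembler {
public:
    // The report's fix: initialization is serialized by a lock and made idempotent.
    // Every caller observes either "not built yet, build it" or "fully built".
    void ensureInitialized()
    {
        std::lock_guard<std::mutex> lock(m_initLock);
        if (m_initialized)
            return;
        buildTable();
        m_initialized = true;
    }

    size_t listLength(unsigned groupNumber) const
    {
        size_t count = 0;
        for (auto* group = m_opcodeTable[groupNumber]; group; group = group->next)
            ++count;
        return count;
    }

    // Number of groups the constructed table puts in list `groupNumber`.
    static size_t expectedLength(unsigned groupNumber) { return groupNumber % 3 + 1; }

private:
    // Same two-step publish the bug report quotes: the first entry is stored in
    // opcodeTable, later entries are chained through lastGroups. Run by two
    // threads at once, thread 2 can see a non-null table entry while
    // lastGroups[...] is still null, hence the crash; under the lock it is safe.
    void appendGroup(OpcodeGroup* newOpcodeGroup)
    {
        unsigned opcodeGroupNumber = newOpcodeGroup->groupNumber;
        if (!m_opcodeTable[opcodeGroupNumber])
            m_opcodeTable[opcodeGroupNumber] = newOpcodeGroup;
        else
            m_lastGroups[opcodeGroupNumber]->setNext(newOpcodeGroup);
        m_lastGroups[opcodeGroupNumber] = newOpcodeGroup;
    }

    void buildTable()
    {
        for (unsigned g = 0; g < kOpcodeGroupCount; ++g) {
            for (size_t i = 0; i < expectedLength(g); ++i) {
                m_groups.push_back(std::make_unique<OpcodeGroup>(OpcodeGroup { g }));
                appendGroup(m_groups.back().get());
            }
        }
    }

    std::mutex m_initLock;
    bool m_initialized { false };
    std::array<OpcodeGroup*, kOpcodeGroupCount> m_opcodeTable {};
    std::array<OpcodeGroup*, kOpcodeGroupCount> m_lastGroups {};
    std::vector<std::unique_ptr<OpcodeGroup>> m_groups; // owns every node
};

// Starts `threadCount` threads that all race to initialize one disassembler and
// returns true if every list ends up with exactly the expected length, i.e. the
// table was built once and no thread observed a half-built state.
bool concurrentInitIsConsistent(unsigned threadCount)
{
    Disassembler disassembler;
    std::vector<std::thread> threads;
    for (unsigned i = 0; i < threadCount; ++i)
        threads.emplace_back([&disassembler] { disassembler.ensureInitialized(); });
    for (auto& thread : threads)
        thread.join();

    for (unsigned g = 0; g < kOpcodeGroupCount; ++g) {
        if (disassembler.listLength(g) != Disassembler::expectedLength(g))
            return false;
    }
    return true;
}

int main()
{
    return concurrentInitIsConsistent(8) ? 0 : 1;
}
```

Taking the lock around the whole build rather than around the individual array writes is the important design choice: a finer-grained lock would still let a second thread observe a partially populated table, and the `m_initialized` flag is only meaningful because it is read and written under the same mutex.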
Comment 1 David Degazio 2023-11-28 13:56:33 PST
Pull request: https://github.com/WebKit/WebKit/pull/21015
Comment 2 EWS 2023-11-30 10:51:57 PST
Committed 271350@main (48684d06eb78): <https://commits.webkit.org/271350@main>

Reviewed commits have been landed. Closing PR #21015 and removing active labels.