WebKit Bugzilla
RESOLVED FIXED
273228
Disable use-after-return checking to fix JSC GC on ASan builds
https://bugs.webkit.org/show_bug.cgi?id=273228
Summary
Disable use-after-return checking to fix JSC GC on ASan builds
David Kilzer (:ddkilzer)
Reported
2024-04-24 21:09:59 PDT
Disable use-after-return checking to fix JSC garbage collection on ASan builds. ASan use-after-return (UAR) checking allocates objects on a "fake stack" in order to detect UAR issues, but the JavaScriptCore garbage collector knows nothing of the "fake stack" (and thus does not scan it for live objects). The garbage collector then assumes any object in the "fake stack" is no longer being referenced and can be freed, which results in false-positive use-after-free crashes. The temporary fix is to disable use-after-return checking at compile time using `-fsanitize-address-use-after-return=never`. At some point if ASan provides API to scan its "fake stack", JSC GC could scan that on ASan builds, and this change could be reverted. <rdar://126269133>
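The root-scanning gap the report describes can be modelled without ASan or JSC. The following is an added example, not WebKit or JavaScriptCore code: a toy conservative mark-and-sweep collector whose roots are explicit word ranges. Two arrays stand in for the thread's real stack and for ASan's separate "fake stack"; an object referenced only from the fake stack is swept when the collector scans just the real stack, and survives once the fake-stack range is added as a root, which is the remedy the report anticipates. The heap, stack sizes and `run_scenario` helper are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (not JSC code): a conservative mark-and-sweep collector whose
 * roots are explicit word ranges standing in for the stack regions a real
 * collector scans. */

#define MAX_OBJS 8
#define STACK_WORDS 16

typedef struct {
    int is_live;    /* allocated and not yet swept */
    int is_marked;  /* reached from a root during the current GC */
} Obj;

static Obj heap[MAX_OBJS];

/* Allocate the first free slot; returns NULL when the toy heap is full. */
static Obj *toy_alloc(void)
{
    for (size_t i = 0; i < MAX_OBJS; i++) {
        if (!heap[i].is_live) {
            heap[i].is_live = 1;
            heap[i].is_marked = 0;
            return &heap[i];
        }
    }
    return NULL;
}

/* A root range is scanned conservatively: every word that happens to equal
 * an object's address keeps that object alive. */
typedef struct {
    const uintptr_t *begin;
    const uintptr_t *end;  /* one past the last word */
} RootRange;

static void mark_from_range(const RootRange *r)
{
    for (const uintptr_t *p = r->begin; p < r->end; p++)
        for (size_t i = 0; i < MAX_OBJS; i++)
            if (heap[i].is_live && *p == (uintptr_t)&heap[i])
                heap[i].is_marked = 1;
}

/* Mark from every root range, sweep everything unmarked; returns the number
 * of objects freed. */
static int toy_gc(const RootRange *roots, size_t nroots)
{
    int freed = 0;
    for (size_t i = 0; i < MAX_OBJS; i++)
        heap[i].is_marked = 0;
    for (size_t r = 0; r < nroots; r++)
        mark_from_range(&roots[r]);
    for (size_t i = 0; i < MAX_OBJS; i++) {
        if (heap[i].is_live && !heap[i].is_marked) {
            heap[i].is_live = 0;
            freed++;
        }
    }
    return freed;
}

/* Constructed stand-ins for the thread's real stack and for ASan's "fake
 * stack", where UAR checking relocates frame locals. */
static uintptr_t real_stack[STACK_WORDS];
static uintptr_t fake_stack[STACK_WORDS];

/* Scenario from the bug: one object is referenced only from the real stack,
 * another only from the fake stack.  With scan_fake_stack == 0 the collector
 * (like JSC's GC) does not know the fake stack exists.  Writes each object's
 * liveness after GC (1 = survived, 0 = swept) to the out-parameters. */
static void run_scenario(int scan_fake_stack, int *real_ref_live, int *fake_ref_live)
{
    memset(heap, 0, sizeof heap);
    memset(real_stack, 0, sizeof real_stack);
    memset(fake_stack, 0, sizeof fake_stack);

    Obj *referenced_from_real = toy_alloc();
    Obj *referenced_from_fake = toy_alloc();
    real_stack[3] = (uintptr_t)referenced_from_real;
    fake_stack[5] = (uintptr_t)referenced_from_fake;

    RootRange roots[2] = {
        { real_stack, real_stack + STACK_WORDS },
        { fake_stack, fake_stack + STACK_WORDS },
    };
    toy_gc(roots, scan_fake_stack ? 2u : 1u);

    *real_ref_live = referenced_from_real->is_live;
    *fake_ref_live = referenced_from_fake->is_live;
}

int main(void)
{
    int real_live, fake_live;
    run_scenario(0, &real_live, &fake_live);
    printf("real stack only: real-ref live=%d fake-ref live=%d\n", real_live, fake_live);
    run_scenario(1, &real_live, &fake_live);
    printf("both stacks:     real-ref live=%d fake-ref live=%d\n", real_live, fake_live);
    return 0;
}
```

The first run reproduces the failure mode: the fake-stack object is swept while still referenced, which is exactly the state that later surfaces as a spurious use-after-free under ASan. The second run shows that the fix is a matter of root coverage, not of the marking algorithm; the compile-time flag in the report sidesteps the problem by making sure no locals ever live outside the real stack.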
David Kilzer (:ddkilzer)
Comment 1
2024-04-24 21:17:06 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/27728
EWS
Comment 2
2024-04-25 11:10:30 PDT
Committed 277993@main (b59055bbf3f5): <https://commits.webkit.org/277993@main>
Reviewed commits have been landed. Closing PR #27728 and removing active labels.
EWS
Comment 3
2024-04-25 15:00:56 PDT
Committed 272448.961@safari-7618-branch (89f3455464b3): <https://commits.webkit.org/272448.961@safari-7618-branch>
Reviewed commits have been landed. Closing PR #1240 and removing active labels.