RESOLVED FIXED 280354
[JSC] AssemblerBuffer should poison its inline buffer when JIT_SCAN_ASSEMBLER_BUFFER_FOR_ZEROES is enabled
https://bugs.webkit.org/show_bug.cgi?id=280354
Marcus Plutowski
Reported 2024-09-25 14:27:06 PDT
rdar://127124028

The JIT_SCAN_ASSEMBLER_BUFFER_FOR_ZEROES option is meant to detect 0-corruptions in the LinkBuffer/AssemblerBuffer structures used by JSC. However, it strictly doesn't know whether the 0s were actually written there, or whether they're just leftover from initialization (having never been overwritten). Poisoning the buffers as we construct them will let us distinguish the latter case from the former. Ideally we'd like to poison all assembler buffers, but doing so on the larger buffers seems to be too slow, so we're just going to start with the inline buffer, as that's the one most vulnerable to corruption (being on the stack, whereas the out-of-line buffer is on the heap).
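The distinction the report describes, in miniature, as an added example that is not JSC's code: a toy inline buffer is constructed with and without poisoning, a few instruction words are emitted, a stray zero write is constructed to stand in for a 0-corruption, and the storage is then scanned for zero words. The poison byte 0xA5, the 64-byte capacity, the ARM64-style words, and all names are assumptions, not values from the bug or from JSC.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Assumed poison pattern; the page does not state JSC's actual value.
constexpr uint8_t kPoison = 0xA5;
constexpr size_t kInlineCapacity = 64;

// Minimal stand-in for an assembler buffer with stack-resident inline storage.
// Not JSC's AssemblerBuffer; only enough to show what poisoning buys the scan.
struct ToyAssemblerBuffer {
    std::array<uint8_t, kInlineCapacity> inlineStorage;
    size_t length = 0;

    explicit ToyAssemblerBuffer(bool poison) {
        // Unpoisoned: storage starts zeroed, so a never-written word looks exactly
        // like a 0-corruption. Poisoned: untouched bytes carry a non-zero pattern.
        inlineStorage.fill(poison ? kPoison : 0);
    }
    void putInt32(uint32_t word) {  // emit one 4-byte instruction word
        std::memcpy(&inlineStorage[length], &word, sizeof word);
        length += sizeof word;
    }
};

struct ZeroScan {
    size_t zeroWords = 0;    // all-zero 4-byte words anywhere in the inline storage
    size_t poisonWords = 0;  // words still holding the poison pattern (never written)
};

// Stand-in for a JIT_SCAN_ASSEMBLER_BUFFER_FOR_ZEROES style check over the whole
// inline storage. Without poisoning, zero words from initialisation and zero words
// that were actually written are indistinguishable. (A legitimately emitted word
// equal to the poison pattern would be miscounted; a real poison value is chosen
// to make that unlikely.)
ZeroScan scanInlineStorage(const ToyAssemblerBuffer& buf) {
    ZeroScan r;
    const uint32_t poisonWord = kPoison * 0x01010101u;
    for (size_t off = 0; off + 4 <= kInlineCapacity; off += 4) {
        uint32_t word;
        std::memcpy(&word, &buf.inlineStorage[off], 4);
        if (word == 0) r.zeroWords++;
        else if (word == poisonWord) r.poisonWords++;
    }
    return r;
}

// Emit three non-zero words, then overwrite the second with zeros (constructed
// stand-in for a 0-corruption) and scan. Returns the scan result for assertions.
ZeroScan demo(bool poison) {
    ToyAssemblerBuffer buf(poison);
    buf.putInt32(0xD503201Fu);  // ARM64 NOP, used as a non-zero placeholder
    buf.putInt32(0xD65F03C0u);  // ARM64 RET
    buf.putInt32(0x91000000u);  // another non-zero word
    std::memset(&buf.inlineStorage[4], 0, 4);  // simulated 0-corruption of word 2
    return scanInlineStorage(buf);
}
```

With poisoning the scan reports exactly one zero word (the corrupted one) and thirteen untouched poison words; without it the same buffer reports fourteen zero words, and the one that was actually written cannot be told apart from the thirteen that never were.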
Marcus Plutowski
Comment 1 2024-09-25 14:34:41 PDT
EWS
Comment 2 2024-09-26 10:32:24 PDT
Committed 284300@main (60a72b8caf51): <https://commits.webkit.org/284300@main> Reviewed commits have been landed. Closing PR #34249 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2024-09-26 10:33:14 PDT
EWS
Comment 4 2024-09-27 11:25:15 PDT
Committed 283286.144@safari-7620-branch (4101a80ce0e0): <https://commits.webkit.org/283286.144@safari-7620-branch> Reviewed commits have been landed. Closing PR #1919 and removing active labels.