305435 – [libpas] Hold lock during retag-on-scavenge tag-setting for bitfit heaps

RESOLVED FIXED305435

[libpas] Hold lock during retag-on-scavenge tag-setting for bitfit heaps

https://bugs.webkit.org/show_bug.cgi?id=305435

Summary [libpas] Hold lock during retag-on-scavenge tag-setting for bitfit heaps

Marcus Plutowski

Reported 2026-01-13 16:44:34 PST

rdar://165772439 Previously, we were doing the tag-writes outside of the mutex; this is unsafe since it also takes place strictly after the slot is returned to use, so it's possible for the memory to be re-allocated while we're tagging it.

Attachments
Add attachment proposed patch, testcase, etc.

Marcus Plutowski

Comment 1 2026-01-13 16:44:59 PST

The feature is not currently enabled, so when the above goes in we can turn it on at the same time.

Marcus Plutowski

Comment 2 2026-01-14 15:32:04 PST

Pull request: https://github.com/WebKit/WebKit/pull/56594

EWS

Comment 3 2026-01-21 15:37:10 PST

Committed 305977@main (9705a6950cd2): <https://commits.webkit.org/305977@main> Reviewed commits have been landed. Closing PR #56594 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component bmalloc

Assignee

Nobody

Reported

2026-01-13 16:44 PST

Modified

2026-01-21 15:37 PST History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks