Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c90e64eec92dad9dfa49801778997c6e449ce1c6
      
https://github.com/WebKit/WebKit/commit/c90e64eec92dad9dfa49801778997c6e449ce1c6
  Author: Dan Hecht <[email protected]>
  Date:   2025-09-02 (Tue, 02 Sep 2025)

  Changed paths:
    M Source/JavaScriptCore/heap/Heap.cpp
    M Source/JavaScriptCore/heap/MarkedSpace.cpp
    M Source/JavaScriptCore/heap/MarkedSpace.h
    M Source/JavaScriptCore/heap/WeakBlock.cpp
    M Source/JavaScriptCore/heap/WeakSet.cpp
    M Source/WTF/wtf/DoublyLinkedList.h

  Log Message:
  -----------
  [JSC] Avoid dangling pointers in WeakBlock list
https://bugs.webkit.org/show_bug.cgi?id=298236
rdar://157587352

Reviewed by Keith Miller.

Before this change, DoublyLinkedList leaves the next/prev pointers
in a dangling state when removing a node from the list. Then,
if the node is re-added, the next/prev pointers are reset when necessary.

Let's make a stronger invariant: if the node is not in the list,
then the prev/next pointers are nullptr. (Note that the converse
is not true for single element lists.)

Then, add some asserts to verify the WeakSet's WeakBlock list lifecycle
to try to help track down a mysterious crash. The WeakBlock ownership
can be transferred from the WeakSet to the Heap, at which point
the prev/next should be nulled out and, after this change, no longer
dangling.

Bonus: remove MarkedSpace::freeOrShrinkBlock() since it's never called.
Canonical link: https://commits.webkit.org/299454@main
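The invariant the commit message describes (a node that is not in the list has null prev/next, cleared at removal rather than left dangling) in a minimal intrusive doubly linked list. This is an added example written for this page, not WTF's DoublyLinkedList or any WebKit code; the names Node, List, checkLifecycle and singleElementLooksDetached are assumptions of the example.

```cpp
#include <cassert>
#include <cstddef>
#include <iostream>

// Constructed stand-in for an intrusive list node (not WTF::DoublyLinkedListNode).
struct Node {
    Node* prev = nullptr;
    Node* next = nullptr;
    int value = 0;
    explicit Node(int v) : value(v) {}
    // True when the node carries no links. The converse of the invariant does not hold:
    // the sole element of a single-element list also has both links null.
    bool isDetached() const { return !prev && !next; }
};

class List {
public:
    bool isEmpty() const { return !m_head; }

    size_t size() const {
        size_t n = 0;
        for (Node* p = m_head; p; p = p->next) ++n;
        return n;
    }

    bool contains(const Node* node) const {
        for (Node* p = m_head; p; p = p->next)
            if (p == node) return true;
        return false;
    }

    void append(Node* node) {
        // Under the stronger invariant a node being linked in must already be clean,
        // so no "reset when necessary" fix-up of stale links is needed here.
        assert(node->isDetached());
        if (!m_tail) { m_head = m_tail = node; return; }
        node->prev = m_tail;
        m_tail->next = node;
        m_tail = node;
    }

    void remove(Node* node) {
        if (node->prev) node->prev->next = node->next;
        else { assert(m_head == node); m_head = node->next; }
        if (node->next) node->next->prev = node->prev;
        else { assert(m_tail == node); m_tail = node->prev; }
        // Clear the links so the removed node never points at its old neighbours,
        // which may be freed or handed to another owner later.
        node->prev = nullptr;
        node->next = nullptr;
    }

private:
    Node* m_head = nullptr;
    Node* m_tail = nullptr;
};

// Add, remove, re-add, and drain; returns true if the invariant holds at every step.
bool checkLifecycle() {
    List list;
    Node a(1), b(2), c(3);
    list.append(&a); list.append(&b); list.append(&c);
    if (list.size() != 3) return false;

    list.remove(&b);
    // Without the change, b.prev/b.next would still reference a and c at this point.
    if (!b.isDetached() || list.contains(&b)) return false;
    if (a.next != &c || c.prev != &a) return false;

    list.append(&b); // re-adding a detached node needs no stale-link repair
    if (list.size() != 3 || c.next != &b || b.prev != &c) return false;

    list.remove(&a); list.remove(&c); list.remove(&b);
    return list.isEmpty() && a.isDetached() && b.isDetached() && c.isDetached();
}

// Shows why "null links" cannot be used as an "is not in the list" test.
bool singleElementLooksDetached() {
    List list;
    Node only(7);
    list.append(&only);
    return list.contains(&only) && only.isDetached();
}

int main() {
    std::cout << "lifecycle ok: " << checkLifecycle() << "\n";
    std::cout << "single element has null links: " << singleElementLooksDetached() << "\n";
    return 0;
}
```

The list itself is the only authority on membership; the null-link invariant is a safety property that lets asserts catch a node being re-added while still linked or an owner transfer that left stale neighbours behind.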



_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
