Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 6b357f32c6075bb807f52fd6cf4a68fe0ba38256
      
https://github.com/WebKit/WebKit/commit/6b357f32c6075bb807f52fd6cf4a68fe0ba38256
  Author: Vassili Bykov <[email protected]>
  Date:   2026-04-29 (Wed, 29 Apr 2026)

  Changed paths:
    A JSTests/wasm/stress/resizable-buffer-grow-view-refresh.js
    M Source/JavaScriptCore/runtime/ArrayBuffer.cpp
    M Source/JavaScriptCore/runtime/JSArrayBufferView.h
    M Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h

  Log Message:
  -----------
  [JSC] Use-after-free after growing a resizable buffer on a WebAssembly memory
https://bugs.webkit.org/show_bug.cgi?id=306136
rdar://167095753

Reviewed by Yijia Huang.

This issue is related to earlier work on WebAssembly memory buffers. As part of that work, it became possible for an ArrayBuffer's underlying storage to change its location in memory as a result of growing. To deal with this change, two methods were introduced: ArrayBuffer::refreshAfterMemoryGrow and ArrayBufferContents::refreshAfterMemoryGrow. However:

1. ArrayBufferContents::refreshAfterMemoryGrow does not update the m_data field, which is a direct pointer to the memory base.

2. Refreshing array buffer objects is not enough because a JSArrayBufferView has its own direct pointer into the underlying buffer's data (m_vector).

The patch makes the following changes to address this:

* JSTests/wasm/stress/resizable-buffer-grow-view-refresh.js: Added.
(i.catch):
* Source/JavaScriptCore/runtime/ArrayBuffer.cpp:
(JSC::ArrayBuffer::refreshAfterWasmMemoryGrow):
(JSC::ArrayBufferContents::refreshAfterWasmMemoryGrow):

Properly updates the m_data field.

* Source/JavaScriptCore/runtime/JSArrayBufferView.h:
* Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h:

A new method 'refreshVector' is added to be used by
ArrayBuffer::refreshAfterWasmMemoryGrow.

Test: JSTests/wasm/stress/resizable-buffer-grow-view-refresh.js

Originally-landed-as: 305413.190@safari-7624-branch (59c4a7a31ef6). 
rdar://173968863
Canonical link: https://commits.webkit.org/312285@main
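A condensed model of the pointer-refresh problem the message describes, added here as an illustration and not WebKit's code: contents, buffer and view each cache a raw pointer into storage that a grow can relocate, and `viewValidAfterGrow(false)` reproduces the stale view pointer while `viewValidAfterGrow(true)` shows the effect of the added `refreshVector` step. The type and member names are borrowed from the commit for readability only; `MemoryStorage`, the single-view layout and the `refreshViews` switch are assumptions of this model.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
// Simplified model of the three layers named in the commit (not JSC code):
// contents -> buffer -> view, each caching a raw pointer into the same storage.
struct MemoryStorage {                 // stands in for a WebAssembly memory
    std::unique_ptr<uint8_t[]> bytes;
    size_t size = 0;
    void grow(size_t newSize) {        // growing may relocate the bytes
        auto fresh = std::make_unique<uint8_t[]>(newSize);
        for (size_t i = 0; i < size; ++i) fresh[i] = bytes[i];
        bytes = std::move(fresh);      // the old block is freed here
        size = newSize;
    }
};
struct ArrayBufferContents {
    uint8_t* m_data = nullptr;         // direct pointer to the memory base
    size_t m_sizeInBytes = 0;
    void refreshAfterWasmMemoryGrow(const MemoryStorage& mem) {
        m_data = mem.bytes.get();      // defect 1 in the commit: this update was missing
        m_sizeInBytes = mem.size;
    }
};
struct JSArrayBufferView {
    uint8_t* m_vector = nullptr;       // the view's own pointer into the data
    size_t m_byteOffset = 0;
    void refreshVector(const ArrayBufferContents& c) { m_vector = c.m_data + m_byteOffset; }
    bool pointsInto(const ArrayBufferContents& c) const {   // address comparison only, no deref
        auto v = reinterpret_cast<uintptr_t>(m_vector), b = reinterpret_cast<uintptr_t>(c.m_data);
        return v >= b && v < b + c.m_sizeInBytes;
    }
};
struct ArrayBuffer {
    ArrayBufferContents m_contents;
    JSArrayBufferView* m_view = nullptr;   // one attached view, for brevity
    void refreshAfterWasmMemoryGrow(const MemoryStorage& mem, bool refreshViews) {
        m_contents.refreshAfterWasmMemoryGrow(mem);
        if (refreshViews && m_view)          // defect 2: the pre-fix code skipped this step
            m_view->refreshVector(m_contents);
    }
};
// True when the view still addresses live storage after a relocating grow.
bool viewValidAfterGrow(bool refreshViews) {
    MemoryStorage mem; mem.grow(64);
    ArrayBuffer buf; buf.m_contents.refreshAfterWasmMemoryGrow(mem);
    JSArrayBufferView view; view.m_byteOffset = 8; view.refreshVector(buf.m_contents);
    buf.m_view = &view;
    mem.grow(4096);                          // relocates; every cached pointer is now stale
    buf.refreshAfterWasmMemoryGrow(mem, refreshViews);
    return view.pointsInto(buf.m_contents);
}
```

The range check deliberately never dereferences the stale pointer; in the real engine the equivalent access is what turns the missed refresh into a use-after-free.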