Bug 209632

Summary: Clear the entropy bits in the encodedStructureBits when deallocating a structureID.
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  proposed patch. (Flags: saam: review+)

Description Mark Lam 2020-03-26 17:14:20 PDT
We currently only use a 32-bit offset in the StructureIDTable's StructureOrOffset.  Though we will never store an offset value that is near 32-bit in size, let alone 64-bit, there's no reason why we can't just use all 64 bits for the offset.  Doing so will also have the benefit of zeroing out the entropy bits in the old encodedStructureBits.  This guarantees there's no chance of collision between a "freed" structureID's entropy bits and the entropy bits in a dead cell due to GC bugs.
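To show what the change guards against, here is an added, simplified C++ model of a structure-ID table. It is not the patch and not WebKit's code: the XOR encoding of entropy into the top bits of the structure pointer, the 7-bit entropy width, the index-plus-entropy ID layout, the free-list scheme and the sample addresses are all assumptions chosen for illustration. The model frees the same ID under a 32-bit offset store and under a full 64-bit offset store, then decodes the stale ID the way a dead cell that still carries it would be decoded.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Illustrative model only: this is not WebKit's StructureIDTable. Assumed (simplified)
// layout: a StructureID packs a table index above kEntropyBits low-order entropy bits;
// a live table slot stores encodedStructureBits = structureAddress ^ (entropy << kEntropyShift);
// a freed slot stores the free-list offset of the next freed slot. Decoding XORs the ID's
// entropy back out, so an ID whose entropy does not match the slot yields a garbage pointer.

constexpr unsigned kEntropyBits = 7;
constexpr unsigned kEntropyShift = 64 - kEntropyBits;
constexpr uint64_t kEntropyMask = (1ull << kEntropyBits) - 1;

using StructureID = uint32_t;

// Width of the store performed when a slot is returned to the free list.
enum class FreeWidth { Low32Bits, Full64Bits };

class StructureIDTable {
public:
    explicit StructureIDTable(FreeWidth width) : m_freeWidth(width) {}

    StructureID allocate(uint64_t structureAddress) {
        uint64_t entropy = nextEntropy();
        uint32_t index;
        if (m_firstFreeOffset) {
            index = m_firstFreeOffset;
            // The next free offset lives in the low 32 bits under either scheme.
            m_firstFreeOffset = static_cast<uint32_t>(m_table[index]);
        } else {
            index = static_cast<uint32_t>(m_table.size());
            m_table.push_back(0);
        }
        m_table[index] = structureAddress ^ (entropy << kEntropyShift);
        return static_cast<StructureID>((static_cast<uint64_t>(index) << kEntropyBits) | entropy);
    }

    void deallocate(StructureID id) {
        uint32_t index = id >> kEntropyBits;
        uint64_t nextFree = m_firstFreeOffset;
        if (m_freeWidth == FreeWidth::Low32Bits) {
            // Old scheme: only the low 32 bits are rewritten, so the entropy-tainted
            // high bits of the dead encodedStructureBits survive in the freed slot.
            m_table[index] = (m_table[index] & 0xffffffff00000000ull) | (nextFree & 0xffffffffull);
        } else {
            // Fixed scheme: a full 64-bit store leaves no stale entropy bits behind.
            m_table[index] = nextFree;
        }
        m_firstFreeOffset = index;
    }

    // What a cell that still carries `id` (e.g. a dead cell the GC failed to reclaim)
    // would decode as its Structure pointer.
    uint64_t decode(StructureID id) const {
        uint32_t index = id >> kEntropyBits;
        uint64_t entropy = id & kEntropyMask;
        return m_table[index] ^ (entropy << kEntropyShift);
    }

private:
    // Deterministic stand-in for random entropy: cycles through 1..127, never 0.
    uint64_t nextEntropy() { m_lastEntropy = (m_lastEntropy % kEntropyMask) + 1; return m_lastEntropy; }

    FreeWidth m_freeWidth;
    std::vector<uint64_t> m_table{0}; // slot 0 reserved as the "no free slot" sentinel
    uint32_t m_firstFreeOffset = 0;
    uint64_t m_lastEntropy = 0;
};

// A user-space pointer on x86-64 has its top 17 bits clear; anything else is
// non-canonical and faults on dereference.
bool looksCanonical(uint64_t pointerBits) { return (pointerBits >> 47) == 0; }

// Constructed sample address, not a real allocation.
constexpr uint64_t kSampleStructureAddress = 0x00007f00deadb000ull;

// Allocate a structure, free its ID, then decode the stale ID a dead cell might still hold.
uint64_t staleDecodeAfterFree(FreeWidth width) {
    StructureIDTable table(width);
    StructureID id = table.allocate(kSampleStructureAddress);
    table.deallocate(id);
    return table.decode(id);
}

// Sanity check: after a free, the slot is reused and the new live ID still decodes correctly.
uint64_t decodeAfterReuse(FreeWidth width, uint64_t secondAddress) {
    StructureIDTable table(width);
    StructureID first = table.allocate(kSampleStructureAddress);
    table.deallocate(first);
    StructureID second = table.allocate(secondAddress);
    return table.decode(second);
}

int main() {
    uint64_t oldScheme = staleDecodeAfterFree(FreeWidth::Low32Bits);
    uint64_t newScheme = staleDecodeAfterFree(FreeWidth::Full64Bits);
    std::printf("32-bit offset store: stale ID decodes to 0x%016llx (%s)\n",
                (unsigned long long)oldScheme, looksCanonical(oldScheme) ? "canonical" : "non-canonical");
    std::printf("64-bit offset store: stale ID decodes to 0x%016llx (%s)\n",
                (unsigned long long)newScheme, looksCanonical(newScheme) ? "canonical" : "non-canonical");
    return 0;
}
```

With the 32-bit store, the freed slot keeps the high bits of the old encodedStructureBits, so the stale ID's entropy XORs back out cleanly and the dead cell decodes to a canonical-looking pointer near the freed structure. With the 64-bit store the slot is all offset, the stale entropy lands in the top bits of the decoded value, and any use of it faults instead of quietly passing the entropy check.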
Comment 1 Radar WebKit Bug Importer 2020-03-26 17:14:46 PDT
<rdar://problem/60943876>
Comment 2 Mark Lam 2020-03-26 17:21:20 PDT
Created attachment 394681
proposed patch.
Comment 3 Mark Lam 2020-03-26 23:38:46 PDT
Thanks for the review.  Landed in r259107: <http://trac.webkit.org/r259107>.