mirror of
https://github.com/harivansh-afk/WebKit.git
synced 2026-04-15 08:03:46 +00:00
Guard against corrupted incoming calls list in CodeBlock::unlinkOrUpgradeIncomingCalls
A node in m_incomingCalls can have a null m_next pointer while still being reachable through the list chain. When SentinelLinkedList::remove() is called on such a node, it dereferences next->setPrev(prev) through null, causing a segfault at address 0x8 (null + offsetof(m_prev)). This has been observed during DFG-to-FTL tier-up in long-running processes under heavy GC pressure (oven-sh/bun#21002).

The fix adds two guards:
1. Null node check (sentinel's m_next is null)
2. Null m_next check on the node itself, with cleanup of m_prev to fully detach the corrupted node before breaking out of the loop.
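The guarded unlink the commit message describes, as an added C++ example that is not part of this commit or of WebKit. The single-sentinel list layout, the names IncomingCalls, guardedRemove, drain and scenario, and exactly which pointers are cleared on the corrupted node are assumptions made for the example:

```cpp
// Constructed example, not WebKit's SentinelLinkedList: an intrusive list with
// one sentinel. With m_next first, m_prev is at offset 8 on 64-bit, which is
// why an unguarded next->setPrev(prev) through a null next faults at 0x8.
struct Node { Node* m_next = nullptr; Node* m_prev = nullptr; };

struct IncomingCalls {
    Node sentinel;
    IncomingCalls() { sentinel.m_next = sentinel.m_prev = &sentinel; }
    void append(Node* n) {
        n->m_prev = sentinel.m_prev; n->m_next = &sentinel;
        sentinel.m_prev->m_next = n; sentinel.m_prev = n;
    }
};

// Guard 1: null node (the sentinel's m_next was clobbered).
// Guard 2: null m_next on the node; clear its m_prev side so it no longer
// references the list. Which pointers the real fix clears is an assumption here.
bool guardedRemove(Node* node) {
    if (!node) return false;
    Node* prev = node->m_prev; Node* next = node->m_next;
    if (!next) {
        if (prev) prev->m_next = nullptr;   // next drain iteration hits guard 1
        node->m_prev = nullptr;
        return false;
    }
    prev->m_next = next;
    next->m_prev = prev;                    // the crashing write when next == null
    node->m_next = node->m_prev = nullptr;
    return true;
}

struct DrainResult { int unlinked; bool hitCorruption; };

// Unlink from the front, as a tier-up loop would, stopping at corruption.
DrainResult drain(IncomingCalls& list) {
    DrainResult r{0, false};
    for (Node* n = list.sentinel.m_next; n != &list.sentinel; n = list.sentinel.m_next) {
        if (!guardedRemove(n)) { r.hitCorruption = true; break; }
        ++r.unlinked;
    }
    return r;
}

// Three nodes; optionally overwrite the second node's m_next with null.
DrainResult scenario(bool corruptSecond) {
    IncomingCalls list;
    Node a, b, c;
    list.append(&a); list.append(&b); list.append(&c);
    if (corruptSecond) b.m_next = nullptr;  // simulated corruption
    return drain(list);                     // {3,false} clean, {1,true} corrupted
}
```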
parent 9e17a57707
commit 5f2df4930b
1 changed file with 3840 additions and 0 deletions:
Source/JavaScriptCore/bytecode/CodeBlock.cpp (new file, +3840)
File diff suppressed because it is too large