mirror of
https://github.com/harivansh-afk/WebKit.git
synced 2026-04-15 13:03:47 +00:00
A node in m_incomingCalls can have a null m_next pointer while still being reachable through the list chain. When SentinelLinkedList::remove() is called on such a node, it dereferences next->setPrev(prev) through null, causing a segfault at address 0x8 (null + offsetof(m_prev)). This has been observed during DFG-to-FTL tier-up in long-running processes under heavy GC pressure (oven-sh/bun#21002).

The fix adds two guards:

1. Null node check (sentinel's m_next is null)
2. Null m_next check on the node itself, with cleanup of m_prev to fully detach the corrupted node before breaking out of the loop.