Bug 265469

Summary: Race condition in ARM64 disassembler initialization
Product: WebKit Reporter: David Degazio <d_degazio>
Component: JavaScriptCoreAssignee: David Degazio <d_degazio>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description David Degazio 2023-11-28 11:30:04 PST 
rdar://118890976

It's rare, but possible for two threads to initialize the ARM64 disassembler in JSC at the same time. If this happens, we run into problems in the following code:

    if (!opcodeTable[opcodeGroupNumber])
        opcodeTable[opcodeGroupNumber] = newOpcodeGroup;
    else
        lastGroups[opcodeGroupNumber]->setNext(newOpcodeGroup);
    lastGroups[opcodeGroupNumber] = newOpcodeGroup;

This code builds an array of linked lists of opcode groups. We can get an interleaving where:
  - Thread 1 hits the if statement, and sees the opcode table entry is null.
  - Thread 1 sets the opcode table entry to a new, non-null group.
  - Thread 2 hits the if statement, and sees the opcode table entry is now non-null.
  - Thread 2 continues to setNext on an element of lastGroups, but it's still null at this point! So we crash.

To fix this, we should just protect this initialization function with a lock.
Comment 1 David Degazio 2023-11-28 13:56:33 PST 
Pull request: https://github.com/WebKit/WebKit/pull/21015
Comment 2 EWS 2023-11-30 10:51:57 PST 
Committed 271350@main (48684d06eb78): <https://commits.webkit.org/271350@main>

Reviewed commits have been landed. Closing PR #21015 and removing active labels.