RESOLVED FIXED 265469
Race condition in ARM64 disassembler initialization
https://bugs.webkit.org/show_bug.cgi?id=265469
Summary: Race condition in ARM64 disassembler initialization
David Degazio
Reported 2023-11-28 11:30:04 PST
rdar://118890976

It's rare, but possible for two threads to initialize the ARM64 disassembler in JSC at the same time. If this happens, we run into problems in the following code:

    if (!opcodeTable[opcodeGroupNumber])
        opcodeTable[opcodeGroupNumber] = newOpcodeGroup;
    else
        lastGroups[opcodeGroupNumber]->setNext(newOpcodeGroup);
    lastGroups[opcodeGroupNumber] = newOpcodeGroup;

This code builds an array of linked lists of opcode groups. We can get an interleaving where:

- Thread 1 hits the if statement, and sees the opcode table entry is null.
- Thread 1 sets the opcode table entry to a new, non-null group.
- Thread 2 hits the if statement, and sees the opcode table entry is now non-null.
- Thread 2 continues to setNext on an element of lastGroups, but it's still null at this point! So we crash.

To fix this, we should just protect this initialization function with a lock.
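A lock-protected version of the same check-then-link pattern, added here as an illustration and not WebKit's own code: OpcodeGroup, opcodeTable, lastGroups and initializeDisassembler are hypothetical stand-ins for the JSC structures named in the report, and eight threads race the initializer while a mutex keeps the table build atomic.

```cpp
#include <mutex>
#include <thread>
#include <vector>
// Hypothetical stand-in for JSC's opcode group node (not the real class).
struct OpcodeGroup {
    OpcodeGroup* next = nullptr;
    void setNext(OpcodeGroup* n) { next = n; }
};
constexpr int kGroups = 4, kPerGroup = 3;
static OpcodeGroup* opcodeTable[kGroups]; // head of each group's list
static OpcodeGroup* lastGroups[kGroups];  // tail of each group's list
static std::mutex initLock;
static bool initialized = false;          // only touched under initLock

// Same check-then-link sequence as the bug report; safe only under initLock.
static void appendGroup(int groupNumber, OpcodeGroup* newGroup) {
    if (!opcodeTable[groupNumber])
        opcodeTable[groupNumber] = newGroup;
    else
        lastGroups[groupNumber]->setNext(newGroup);
    lastGroups[groupNumber] = newGroup;
}

// Holding the lock across the whole build means a second thread either waits
// and then sees initialized == true, or never observes a half-built table.
void initializeDisassembler() {
    std::lock_guard<std::mutex> guard(initLock);
    if (initialized)
        return;
    for (int i = 0; i < kGroups * kPerGroup; ++i)
        appendGroup(i % kGroups, new OpcodeGroup); // static lifetime, never freed
    initialized = true;
}

// Walk one group's list; a consistent init yields exactly kPerGroup nodes.
int groupLength(int groupNumber) {
    int n = 0;
    for (OpcodeGroup* g = opcodeTable[groupNumber]; g; g = g->next) ++n;
    return n;
}

// Race eight initializers and check every list came out intact.
bool concurrentInitIsConsistent() {
    std::vector<std::thread> threads;
    for (int t = 0; t < 8; ++t) threads.emplace_back(initializeDisassembler);
    for (auto& t : threads) t.join();
    for (int g = 0; g < kGroups; ++g)
        if (groupLength(g) != kPerGroup) return false;
    return true;
}
```

Without the lock_guard, the interleaving from the report can leave lastGroups[g] null when a second thread reaches setNext, which is exactly what this check would surface as a crash or a short list.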
David Degazio
Comment 1 2023-11-28 13:56:33 PST
EWS
Comment 2 2023-11-30 10:51:57 PST
Committed 271350@main (48684d06eb78): <https://commits.webkit.org/271350@main> Reviewed commits have been landed. Closing PR #21015 and removing active labels.