eliott/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird synced 2026-05-12 01:46:46 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
0bb987e809ff02ca4bc7776533a69394fb1bb932
ladybird/Libraries/LibJS/Runtime/WeakRef.cpp
Andreas Kling b9ec043b5a LibGC: Add live HeapBlock registry to fix weak container UAF 
Maintain a HashTable<HeapBlock*> of live heap blocks in the Heap,
updated on block creation and destruction.

Weak containers (WeakMap, WeakSet, WeakRef, FinalizationRegistry)
now check block liveness before accessing cell memory in their
remove_dead_cells() methods. This prevents use-after-free when
blocks have been freed during incremental sweeping.
2026-05-10 10:58:11 +02:00

65 lines
1.7 KiB
C++
Raw Blame History

/*
* Copyright (c) 2021-2022, Idan Horowitz <idan.horowitz@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <LibGC/HeapBlock.h>
#include <LibJS/Runtime/WeakRef.h>
namespace JS {
GC_DEFINE_ALLOCATOR(WeakRef);
GC::Ref<WeakRef> WeakRef::create(Realm& realm, Object& value)
{
return realm.create<WeakRef>(value, realm.intrinsics().weak_ref_prototype());
}
GC::Ref<WeakRef> WeakRef::create(Realm& realm, Symbol& value)
{
return realm.create<WeakRef>(value, realm.intrinsics().weak_ref_prototype());
}
WeakRef::WeakRef(Object& value, Object& prototype)
: Object(ConstructWithPrototypeTag::Tag, prototype)
, WeakContainer(heap())
, m_value(&value)
, m_last_execution_generation(vm().execution_generation())
{
}
WeakRef::WeakRef(Symbol& value, Object& prototype)
: Object(ConstructWithPrototypeTag::Tag, prototype)
, WeakContainer(heap())
, m_value(&value)
, m_last_execution_generation(vm().execution_generation())
{
}
void WeakRef::remove_dead_cells(Badge<GC::Heap>)
{
auto is_alive = m_value.visit(
[this](Cell* cell) -> bool {
auto* block = GC::HeapBlock::from_cell(cell);
return heap().is_live_heap_block(block) && cell->state() == Cell::State::Live && cell->is_marked();
},
[](Empty) -> bool { return true; });
if (is_alive)
return;
m_value = Empty {};
}
void WeakRef::visit_edges(Visitor& visitor)
{
Base::visit_edges(visitor);
if (vm().execution_generation() == m_last_execution_generation) {
auto* cell = m_value.visit([](Cell* cell) -> Cell* { return cell; }, [](Empty) -> Cell* { return nullptr; });
visitor.visit(cell);
}
}
}
Reference in New Issue View Git Blame Copy Permalink