eliott/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird synced 2026-05-12 01:46:46 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
0bb987e809ff02ca4bc7776533a69394fb1bb932
ladybird/Libraries/LibJS/Runtime/WeakSet.cpp
Andreas Kling b9ec043b5a LibGC: Add live HeapBlock registry to fix weak container UAF 
Maintain a HashTable<HeapBlock*> of live heap blocks in the Heap,
updated on block creation and destruction.

Weak containers (WeakMap, WeakSet, WeakRef, FinalizationRegistry)
now check block liveness before accessing cell memory in their
remove_dead_cells() methods. This prevents use-after-free when
blocks have been freed during incremental sweeping.
2026-05-10 10:58:11 +02:00

70 lines
2.0 KiB
C++
Raw Blame History

/*
* Copyright (c) 2021, Idan Horowitz <idan.horowitz@serenityos.org>
*
* SPDX-License-Identifier: BSD-2-Clause
*/
#include <LibGC/HeapBlock.h>
#include <LibJS/Runtime/ExternalMemory.h>
#include <LibJS/Runtime/WeakSet.h>
namespace JS {
GC_DEFINE_ALLOCATOR(WeakSet);
GC::Ref<WeakSet> WeakSet::create(Realm& realm)
{
return realm.create<WeakSet>(realm.intrinsics().weak_set_prototype());
}
WeakSet::WeakSet(Object& prototype)
: Object(ConstructWithPrototypeTag::Tag, prototype)
, WeakContainer(heap())
{
}
bool WeakSet::weak_set_has(GC::Ptr<Cell> value) const
{
return m_values.contains(value);
}
void WeakSet::weak_set_add(GC::Ptr<Cell> value)
{
auto old_external_memory_size = external_memory_size();
m_values.set(value, AK::HashSetExistingEntryBehavior::Keep);
account_external_memory_change(old_external_memory_size);
}
bool WeakSet::weak_set_remove(GC::Ptr<Cell> value)
{
auto old_external_memory_size = external_memory_size();
auto did_remove = m_values.remove(value);
if (did_remove)
account_external_memory_change(old_external_memory_size);
return did_remove;
}
void WeakSet::remove_dead_cells(Badge<GC::Heap>)
{
m_values.remove_all_matching([this](Cell* cell) {
auto* block = GC::HeapBlock::from_cell(cell);
return !heap().is_live_heap_block(block) || cell->state() != Cell::State::Live || !cell->is_marked();
});
}
size_t WeakSet::external_memory_size() const
{
return saturating_add_external_memory_size(Object::external_memory_size(), hash_table_external_memory_size(m_values));
}
void WeakSet::account_external_memory_change(size_t old_external_memory_size)
{
auto new_external_memory_size = external_memory_size();
if (new_external_memory_size > old_external_memory_size)
heap().did_allocate_external_memory(new_external_memory_size - old_external_memory_size);
else if (old_external_memory_size > new_external_memory_size)
heap().did_free_external_memory(old_external_memory_size - new_external_memory_size);
}
}
Reference in New Issue View Git Blame Copy Permalink