[10] WebAssemblyGCStructure skipped during end-of-GC weak-reference clearing
Severity: Medium | Component: JSC Heap finalisation | d55bf0c
Rated Medium because the diff restores end-of-full-GC weak-reference clearing for the Wasm-GC structure subspace; any surviving WebAssemblyGCStructure could retain stale internal pointers to freed cells, and re-reading those pointers after slot reuse would yield a UAF/type-confusion on a Wasm GC type descriptor.
Structure::finalizeUnconditionally must run in the GC end phase for every Structure-like subspace. The dispatch exists for Structure and BrandedStructure but is missing for WebAssemblyGCStructure.
Source/JavaScriptCore/heap/Heap.cpp
void Heap::finalizeUnconditionalFinalizers()
{
if (collectionScope == CollectionScope::Full) {
finalizeMarkedUnconditionalFinalizers<Structure>(structureSpace, collectionScope);
finalizeMarkedUnconditionalFinalizers<BrandedStructure>(brandedStructureSpace, collectionScope);
+#if ENABLE(WEBASSEMBLY)
+ finalizeMarkedUnconditionalFinalizers<WebAssemblyGCStructure>(webAssemblyGCStructureSpace, collectionScope);
+#endif
}
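Review bot: the hunk adds the dispatch but no regression test accompanies it; suggest a test that creates Wasm GC types, lets the cells their weak slots point to become unreachable, forces a full GC, and then exercises the surviving WebAssemblyGCStructure instances under ASan, so the omission cannot silently return. Also confirm that the `#if ENABLE(WEBASSEMBLY)` guard matches the guard around the declaration of webAssemblyGCStructureSpace in Heap.h (not shown here); the two existing calls are unguarded, so a mismatched guard would drop the new call without any compile error. Finally, since structureSpace and brandedStructureSpace are enumerated together here, it is worth checking the other sites that enumerate that pair for the same missing third subspace.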
Patch Details
A single missing dispatch site is added: inside the CollectionScope::Full branch, finalizeMarkedUnconditionalFinalizers<WebAssemblyGCStructure>(webAssemblyGCStructureSpace, collectionScope) is now called alongside the existing Structure and BrandedStructure dispatches, gated by #if ENABLE(WEBASSEMBLY).
Missing dispatch of weak-reference finalization to a parallel allocator subspace, leaving stale internal pointers inside surviving Structure-like objects after full GC.
Background
JSC organises GC-managed cells into per-type subspaces (structureSpace, brandedStructureSpace, webAssemblyGCStructureSpace); each is iterated separately during collection. finalizeUnconditionally is a JSC GC hook called at the end of a collection on cells that survived marking, used to clear weak references whose targets did NOT survive — without it, a surviving object can still hold pointers to just-freed cells. Structure is the JSC type descriptor that records property layout, prototype, and transition links; many of these links are weak. WebAssemblyGCStructure is the Structure subclass that backs Wasm GC types (structs/arrays with RTT and supertype chains) introduced by the WebAssembly GC proposal. Full GC (CollectionScope::Full) scans the entire heap, so weak slots inside Structures must be cleared then.
Analysis
The full-GC end-phase dispatcher iterated Structure::finalizeUnconditionally over Structure and BrandedStructure instances but never invoked the same finalizer on the parallel WebAssemblyGCStructure subspace. Structure::finalizeUnconditionally walks weak internal references (transition tables, cached prototype/parent references, similar weak slots) and clears those that point to cells which did not survive marking. Because the Wasm GC subspace was skipped, weak references inside surviving WebAssemblyGCStructure instances that pointed to cells freed during the same full collection were left untouched.
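To make the Background and Analysis concrete, here is a small self-contained model of the mechanism, written for this page as an added example; it is not JSC code and only borrows the subspace and function names from the write-up. It models three subspaces, a mark phase that marks roots only (weak edges are deliberately not traced), an end-of-GC finalizeUnconditionally pass that nulls weak slots whose targets did not survive, and a sweep that moves dead cells to a free list. A flag stands in for the missing dispatch: with it off, the Structure-like cell in the Wasm-GC subspace keeps a pointer to a swept cell, while the one in structureSpace is cleaned correctly. The dead cells are kept on the free list rather than freed so the stale pointer can be inspected without undefined behaviour.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Toy GC cell (added example, not JSC's JSCell).
struct Cell {
    bool marked = false;
    bool freed = false;   // set by sweep; stands in for "slot returned to the allocator"
    virtual ~Cell() = default;
    virtual void finalizeUnconditionally() {}
};

// A Structure-like cell: holds one weak (untraced) reference that must be
// nulled at GC end if its target did not survive marking.
struct StructureLike : Cell {
    Cell* weakRef = nullptr;
    void finalizeUnconditionally() override {
        if (weakRef && !weakRef->marked)
            weakRef = nullptr;
    }
};

// Per-type allocator subspace; dead cells go to freeList instead of being
// destroyed so the example can inspect a stale pointer safely.
struct Subspace {
    std::vector<std::unique_ptr<Cell>> live;
    std::vector<std::unique_ptr<Cell>> freeList;
    template <typename T> T* allocate() {
        auto c = std::make_unique<T>();
        T* p = c.get();
        live.push_back(std::move(c));
        return p;
    }
};

struct Heap {
    Subspace structureSpace;
    Subspace webAssemblyGCStructureSpace;
    Subspace cellSpace;
    std::vector<Cell*> roots;

    // End-of-GC hook: run finalizeUnconditionally on survivors of one subspace.
    static void finalizeMarkedUnconditionalFinalizers(Subspace& space) {
        for (auto& c : space.live)
            if (c->marked) c->finalizeUnconditionally();
    }

    static void sweep(Subspace& space) {
        std::vector<std::unique_ptr<Cell>> survivors;
        for (auto& c : space.live) {
            if (c->marked) { c->marked = false; survivors.push_back(std::move(c)); }
            else { c->freed = true; space.freeList.push_back(std::move(c)); }
        }
        space.live = std::move(survivors);
    }

    // dispatchWasmSubspace == false reproduces the unpatched Heap.cpp behaviour.
    void collectFull(bool dispatchWasmSubspace) {
        for (Cell* r : roots) r->marked = true;   // mark roots; weak edges are not traced
        finalizeMarkedUnconditionalFinalizers(structureSpace);
        if (dispatchWasmSubspace)
            finalizeMarkedUnconditionalFinalizers(webAssemblyGCStructureSpace);
        sweep(cellSpace);
        sweep(structureSpace);
        sweep(webAssemblyGCStructureSpace);
    }
};

struct GCOutcome {
    bool jsStructureStale;    // surviving Structure still points at a swept cell
    bool wasmStructureStale;  // surviving WebAssemblyGCStructure still points at a swept cell
};

// Constructed scenario: two Structure-like survivors, each weakly referencing
// a cell that nothing else keeps alive, followed by one full collection.
GCOutcome runFullGC(bool patched) {
    Heap heap;
    auto* jsStruct = heap.structureSpace.allocate<StructureLike>();
    auto* wasmStruct = heap.webAssemblyGCStructureSpace.allocate<StructureLike>();
    jsStruct->weakRef = heap.cellSpace.allocate<Cell>();
    wasmStruct->weakRef = heap.cellSpace.allocate<Cell>();
    heap.roots = { jsStruct, wasmStruct };
    heap.collectFull(patched);
    return { jsStruct->weakRef != nullptr && jsStruct->weakRef->freed,
             wasmStruct->weakRef != nullptr && wasmStruct->weakRef->freed };
}

int main() {
    GCOutcome before = runFullGC(false), after = runFullGC(true);
    std::printf("unpatched: js stale=%d wasm stale=%d\n", before.jsStructureStale, before.wasmStructureStale);
    std::printf("patched:   js stale=%d wasm stale=%d\n", after.jsStructureStale, after.wasmStructureStale);
    return 0;
}
```

The point the model makes is that the finalizer itself is correct in both subspaces; what matters is whether the dispatcher visits each subspace, which is why a per-subspace enumeration site is the right place to look for this class of omission.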