[5] [JSC] Defer GC across direct eval cache key construction

Severity: High | Component: JSC interpreter | 32f1bfb

Rated High because the diff inserts a DeferGC across an interval where DirectEvalCodeCache::CacheLookupKey holds a raw StringImpl* extracted from a rope fiber; without it, GC during parser/profiler allocations can sweep the unreferenced fiber, leaving the cache key (and subsequent insertion) dereferencing freed memory.

JSC::eval() wraps the cache-miss compilation path in DeferGC. The key continues to be constructed as programStr.data.impl(); the deferral keeps the rope fiber alive across all GC-safepoint operations between key construction and cache insertion.

Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

+    DeferGC deferGC(vm);
     CacheLookupKey cacheKey { programStr.data.impl(), callerBytecodeIndex };
     ...
     // profiler hook, LiteralParser, collectClosureVariablesUnderTDZ, parser, insert

Raw StringImpl* lifetime escape: the eval cache key references a rope fiber whose only root is the on-stack rope, across GC-safepoint parser allocations.

Patch Details

DeferGC brackets the cache-miss branch from key construction through cache insertion. No reference is taken on the StringImpl directly; the deferral suppresses sweeping while the unreferenced fiber remains in play.

Background

DirectEvalCodeCache memoizes compiled DirectEvalExecutables per (StringImpl*, BytecodeIndex) to make repeated eval(sameString) at the same call site cheap. JSString::value() returns a StringViewWithUnderlyingString; for ropes, this resolves the rope and the resulting view aliases the contents of one of the rope's fiber JSStrings rather than holding an independent RefPtr<StringImpl>.

Analysis

Pre-fix, cacheKey.impl was the raw StringImpl* taken from programStr.data.impl(). After resolution, the rope's internal layout can mutate (rope flattening, substring sharing), and the fiber whose StringImpl lives in the key may become unreachable from the on-stack rope. The cache-miss branch then performs source-profiler hook, LiteralParser allocations for the sloppy-JSON eval fast path, collectClosureVariablesUnderTDZ, full parser allocations, and finally cache insertion — every step a potential GC safepoint.

a Aa Aa Aaa Aaaaaaaaa Aaa Aaaaa Aaa Aaaaaaaaaaaaaaa Aaaaaa Aaaaaaaaa Aaa Aaaaaaaaaaaa Aaaaaaaa Aa Aaaaa Aaa Aaaa Aaa Aaaaaaaaaa Aaaaaaa Aaaaaaaaaaaaaaa Aa Aaa Aaaaaaaaa Aaaaa Aaaaaaaaa Aaaaaaaaaaaa Aaaaaa Aaa Aaaaaa Aa a Aaa Aaaaaaaa Aaaaaaa Aa Aaaa Aaa Aaaaaaaaaaaaaaaa Aaaaaaa Aaaaaaaa Aaaa Aaa Aaaa Aaaaaaaaa Aa Aaa Aaa Aaaaaaa Aaaa Aa Aaaaaa Aaaaaaa Aaaaaaaaaaa Aaaaa Aaaaaaa

Aaaa Aaaaaaa Aaa Aaaaaaaa Aaaaaaaaa Aa Aaaaa Aaaa Aaaaaaa Aaaa Aaaaaaaaaa Aaaaaa Aaaaaaaa Aaa Aaaaaaa Aaaaaaaaa Aa Aaaa Aaa Aa Aaaaaaaaaaaaaaaaaa Aaaa Aaaa Aa Aaaaaaaaa Aaaa Aaaaaaaaa Aaa a Aaaaaaaaaa Aaaaa Aa Aaa Aaaaaaaa Aaaaaaa Aa Aaa Aaaaaa

🔒

The ownership story behind this cache key — and why a string that looks rooted on the stack can be freed mid-eval — is dissected in depth, along with the escalation potential beyond a crash.

Subscribe to read more

Audit directions

a Aaaaaaaa Aaaaa Aa Aaaaaaaaaaaaa Aaaaaaaaa Aaaa Aaaaaaaaaa Aaaaaaaaaa Aaaa Aaaaaaaaaaaaa Aaaaa Aaaa Aaaaaa Aaaaaaaa Aaa Aaaaa Aaaaaa Aaa Aaa Aa Aaaaaa a Aaaaaaaaaaaaaaaaaaaa Aa Aaaaaaaaaaa Aaaaa a Aaaaaaaaa Aaaa Aaaaa Aaaaa Aaaaaaaaaa
a Aaaaaaaaaaaaaaaaaaaaa Aaaaaaaaa Aaaa Aaaaaa Aaaaaaaaaaaaaa Aaaa Aa Aaaaaaaaaaa Aaaaa Aaa Aaaa Aaaa Aa Aaa Aaaaaa Aaaaa Aaa Aaaaaaaaaaaaaa Aaaaaaa Aaaaaaa
a Aaaaaaa Aaaaaaaaaaaaaa Aaaaa Aaaaaaaa Aaaa Aaaaaaa Aaaaaaaaaa Aaaaaaaa a Aaaaaa Aaaaaaaaa Aaaaaaa Aaaaaaaaaaaaaaa Aaaaa

🔒

Four reusable audit patterns identified covering raw-pointer cache keys, `JSString::value()` lifetime assumptions, rope mutation as a GC-reachability change, and `DeferGC` as a sentinel for unsafe pointers — each with concrete grep starting points.

Subscribe to read more