pFad - Phone/Frame/Anonymizer/Declutterfier! Saves Data!


--- a PPN by Garber Painting Akron. With Image Size Reduction included!

URL: http://github.com/WebKit/WebKit/pull/60820

com/assets/global-68dd150ce6c8e711.css" /> [JSC] Nested using blocks lose outer disposals by sosukesuzuki · Pull Request #60820 · WebKit/WebKit · GitHub
Skip to content

[JSC] Nested using blocks lose outer disposals#60820

Merged
webkit-commit-queue merged 1 commit intoWebKit:mainfrom
sosukesuzuki:eng/nested-using-scope-vector-uaf
Mar 18, 2026
Merged

[JSC] Nested using blocks lose outer disposals#60820
webkit-commit-queue merged 1 commit intoWebKit:mainfrom
sosukesuzuki:eng/nested-using-scope-vector-uaf

Conversation

@sosukesuzuki
Copy link
Contributor

@sosukesuzuki sosukesuzuki commented Mar 18, 2026
edited by webkit-early-warning-system
Loading

57a48c3

[JSC] Nested using blocks lose outer disposals
https://bugs.webkit.org/show_bug.cgi?id=310116

Reviewed by Yusuke Suzuki.

emitUsingBodyScope holds a reference into m_usingScopeStack across the
emitBody call that may recursively append. Once nesting exceeds the
initial Vector capacity, the append reallocates and the stale reference
reads a moved-from UsingScope whose slots vector is empty, so the
finally emits no dispose calls for those outer blocks. ASAN catches the
freed read directly.

Test: JSTests/stress/nested-using-blocks.js

* JSTests/stress/nested-using-blocks.js: Added.
(shouldBe):
(eval.string_appeared_here.string_appeared_here.repeat.depth.1.string_appeared_here.string_appeared_here.repeat):
(shouldBe.async then):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:

Canonical link: https://commits.webkit.org/309457@main

0eb25a1

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 api-mac-debug ✅ 🛠 gtk3-libwebrtc
✅ 🛠 🧪 jsc ✅ 🧪 api-ios ✅ 🧪 mac-wk1 ✅ 🛠 gtk
✅ 🛠 🧪 jsc-debug-arm64 ✅ 🛠 ios-safer-cpp ✅ 🧪 mac-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🛠 playstation
✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 jsc-armv7
✅ 🛠 tv ✅ 🛠 mac-safer-cpp ✅ 🧪 jsc-armv7-tests
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@sosukesuzuki sosukesuzuki requested a review from a team as a code owner March 18, 2026 00:15
@sosukesuzuki sosukesuzuki self-assigned this Mar 18, 2026
@sosukesuzuki sosukesuzuki added the JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues. label Mar 18, 2026
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Mar 18, 2026
edited
Loading

EWS run on current version of this PR (hash 0eb25a1)

Details

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe 🛠 win
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 api-mac-debug ✅ 🛠 gtk3-libwebrtc
✅ 🛠 🧪 jsc ✅ 🧪 api-ios ✅ 🧪 mac-wk1 ✅ 🛠 gtk
✅ 🛠 🧪 jsc-debug-arm64 ✅ 🛠 ios-safer-cpp ✅ 🧪 mac-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🛠 playstation
✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 jsc-armv7
✅ 🛠 tv ✅ 🛠 mac-safer-cpp ✅ 🧪 jsc-armv7-tests
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@sosukesuzuki sosukesuzuki added the merge-queue Applied to send a pull request to merge-queue label Mar 18, 2026
@sosukesuzuki
[JSC] Nested using blocks lose outer disposals
57a48c3 
https://bugs.webkit.org/show_bug.cgi?id=310116

Reviewed by Yusuke Suzuki.

emitUsingBodyScope holds a reference into m_usingScopeStack across the
emitBody call that may recursively append. Once nesting exceeds the
initial Vector capacity, the append reallocates and the stale reference
reads a moved-from UsingScope whose slots vector is empty, so the
finally emits no dispose calls for those outer blocks. ASAN catches the
freed read directly.

Test: JSTests/stress/nested-using-blocks.js

* JSTests/stress/nested-using-blocks.js: Added.
(shouldBe):
(eval.string_appeared_here.string_appeared_here.repeat.depth.1.string_appeared_here.string_appeared_here.repeat):
(shouldBe.async then):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:

Canonical link: https://commits.webkit.org/309457@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/nested-using-scope-vector-uaf branch from 0eb25a1 to 57a48c3 Compare March 18, 2026 06:16
@webkit-commit-queue
Copy link
Collaborator

webkit-commit-queue commented Mar 18, 2026

Committed 309457@main (57a48c3): https://commits.webkit.org/309457@main

Reviewed commits have been landed. Closing PR #60820 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit 57a48c3 into WebKit:main Mar 18, 2026
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Mar 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Constellation Constellation Constellation approved these changes

Assignees

@sosukesuzuki sosukesuzuki

Labels

JavaScriptCore For bugs in JavaScriptCore, the JS engine used by WebKit, other than kxmlcore issues.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sosukesuzuki @webkit-early-warning-system @webkit-commit-queue @Constellation
pFad - Phonifier reborn

Pfad - The Proxy pFad © 2024 Your Company Name. All rights reserved.




Check this box to remove all script contents from the fetched content.



Check this box to remove all images from the fetched content.


Check this box to remove all CSS styles from the fetched content.


Check this box to keep images inefficiently compressed and original size.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy