Commit 3ea51d46 authored by Clemens Hammacher, committed by Commit Bot

[wasm][gc] Deregister foreground task in destructor

The platform is allowed to remove the foreground task without ever
executing it if the isolate is shutting down. This can happen
immediately when spawning the task. This would leave a stale pointer to
the deleted task in the engine, and can lead to UAF.
Thus deregister the task also from the destructor. At that point, we do
not need to report back any live code for that isolate.

R=ahaas@chromium.org

Bug: v8:8217, chromium:971293
Change-Id: I7081efde8f306649d08956e758254a8875db8271
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1669694
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62312}
parent 85e6d4c2
......@@ -94,6 +94,16 @@ class WasmGCForegroundTask : public Task {
DCHECK_NOT_NULL(isolate);
}
~WasmGCForegroundTask() {
// If the isolate is already shutting down, the platform can delete this
// task without ever executing it. For that case, we need to deregister the
// task from the engine to avoid UAF.
if (isolate_) {
WasmEngine* engine = isolate_->wasm_engine();
engine->ReportLiveCodeForGC(isolate_, Vector<WasmCode*>{});
}
}
void Run() final {
if (isolate_ == nullptr) return; // cancelled.
WasmEngine* engine = isolate_->wasm_engine();
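Review bot: the destructor's `ReportLiveCodeForGC(isolate_, Vector<WasmCode*>{})` reports zero live code for the isolate, and the comment above it only justifies that for the shutdown case; if a platform ever drops a foreground task for any other reason, this path would tell the GC that nothing is live and let it free code the isolate still executes. Suggest stating that precondition explicitly in the comment ("empty report is only safe because the task is dropped solely on isolate shutdown") and, if the engine can check it, guarding the call with a DCHECK that the isolate is indeed tearing down. It would also help to note that the destructor assumes `isolate_` is still a valid pointer whenever the platform deletes an unexecuted task, since nothing in the hunk enforces that ordering.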
......@@ -105,6 +115,8 @@ class WasmGCForegroundTask : public Task {
}
#endif
engine->ReportLiveCodeForGC(isolate_, Vector<WasmCode*>{});
// Cancel to signal to the destructor that this task executed.
Cancel();
}
void Cancel() { isolate_ = nullptr; }
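Review bot: reusing `Cancel()` at the end of `Run()` to mean "already executed" overloads a method whose name and other call site (`if (isolate_ == nullptr) return; // cancelled.`) mean "do not run"; the destructor comment in the earlier hunk does not mention this second meaning, so a reader of `~WasmGCForegroundTask()` alone cannot tell why a ran-to-completion task skips deregistration. Suggest either a dedicated `MarkDone()` / `bool reported_` flag, or at minimum mirroring the comment "Cancel to signal to the destructor that this task executed." in the destructor so both sides of the contract are visible together.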