[webkit-changes] [WebKit/WebKit] 456ffa: [Wasm-GC] Typedef unrolling cache should hold valu...
Asumu Takikawa
noreply at github.com
Wed Dec 13 19:15:06 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 456ffae07aa82edcd3063baea83d87a83f75df2e
https://github.com/WebKit/WebKit/commit/456ffae07aa82edcd3063baea83d87a83f75df2e
Author: Asumu Takikawa <asumu at igalia.com>
Date: 2023-12-13 (Wed, 13 Dec 2023)
Changed paths:
A JSTests/wasm/gc/bug265721.js
M Source/JavaScriptCore/wasm/WasmParser.h
M Source/JavaScriptCore/wasm/WasmSectionParser.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
Log Message:
-----------
[Wasm-GC] Typedef unrolling cache should hold values strongly
https://bugs.webkit.org/show_bug.cgi?id=265721
Reviewed by Justin Michaud.
This patch fixes two related issues. The main issue is that there is a cache
for type definition unrollings that didn't hold the values strongly, and since
these values are not held by the Wasm instance they could get de-allocated.
This could cause correctness issues or crashes.
That bug was in practice hard to trigger (though it did trigger on some large
compiled-to-wasm examples), because it was hidden by a second bug. The
placeholders in recursive types (used to delay type expansion to cut off
infinite expansion of recursive types) were also not held strongly by the
TypeInformation store, so they could also get de-allocated when an instance
gets collected. This bug makes memoization less effective but didn't affect
correctness.
This patch makes the placeholders held by the TypeInformation store itself,
similar to how special type signatures are held by the store. They are also
only allocated via a helper function now, which ensures the store holds the
typedef. It also fixes the cache by using RefPtr for the value type.
* JSTests/wasm/gc/typedef.js:
* Source/JavaScriptCore/wasm/WasmParser.h:
(JSC::Wasm::Parser<SuccessType>::parseValueType):
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseSubtype):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::TypeInformation::getPlaceholderProjection):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
Canonical link: https://commits.webkit.org/272016@main
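The bug class described in the log message (a memoization cache holding only raw pointers to reference-counted values that nothing else keeps alive once the owning instance is collected), as an added illustration that is not WebKit's code. `TypeDef`, the two cache structs and the instance-lifetime simulation are constructed stand-ins; `std::shared_ptr` plays the role of the strong `RefPtr` the patch switches to.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for a type definition whose unrolled form gets memoized.
struct TypeDef {
    static int liveCount;          // how many TypeDefs exist right now
    std::string name;
    explicit TypeDef(std::string n) : name(std::move(n)) { ++liveCount; }
    ~TypeDef() { --liveCount; }
};
int TypeDef::liveCount = 0;

// Weak cache (the pre-fix shape): raw pointers, so the cache keeps nothing alive.
struct WeakUnrollCache { std::map<int, TypeDef*> entries; };

// Strong cache (the post-fix shape): shared ownership, entries outlive the instance.
struct StrongUnrollCache { std::map<int, std::shared_ptr<TypeDef>> entries; };

// Simulate an instance that owns its types, memoizes the unrolling of type 0,
// and is then collected. Returns how many TypeDefs are still alive afterwards.
int liveAfterOwnerCollected(bool holdStrongly) {
    WeakUnrollCache weakCache;
    StrongUnrollCache strongCache;
    {
        std::vector<std::shared_ptr<TypeDef>> instanceTypes;   // owned by the "instance"
        instanceTypes.push_back(std::make_shared<TypeDef>("(struct (field i32))"));
        auto unrolled = std::make_shared<TypeDef>("unrolled:" + instanceTypes[0]->name);
        if (holdStrongly)
            strongCache.entries[0] = unrolled;        // cache shares ownership
        else
            weakCache.entries[0] = unrolled.get();    // cache only observes
        // instance collected here: instanceTypes and `unrolled` are destroyed.
    }
    // Weak: 0 live, the cached pointer now dangles (never dereference it).
    // Strong: 1 live, the cached unrolling is still valid and reusable.
    return TypeDef::liveCount;
}

// With strong entries, a later lookup still returns a valid unrolling.
std::string strongLookupAfterCollection() {
    StrongUnrollCache cache;
    {
        auto unrolled = std::make_shared<TypeDef>("unrolled:(struct (field i32))");
        cache.entries[0] = unrolled;
    }
    return cache.entries.at(0)->name;
}
```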