[webkit-changes] [WebKit/WebKit] 70ce97: [JSC] WasmGC Array is broken for GC

Yusuke Suzuki noreply at github.com
Wed Jan 29 16:23:58 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 70ce977b3a9f54ffd4e29817fea13b9729d82545
      https://github.com/WebKit/WebKit/commit/70ce977b3a9f54ffd4e29817fea13b9729d82545
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2025-01-29 (Wed, 29 Jan 2025)

  Changed paths:
    A JSTests/wasm/stress/array-element-creation.js
    A JSTests/wasm/stress/resources/array-element-creation.wasm
    M Source/JavaScriptCore/wasm/WasmOperations.cpp
    M Source/JavaScriptCore/wasm/WasmOperationsInlines.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h

  Log Message:
  -----------
  [JSC] WasmGC Array is broken for GC
https://bugs.webkit.org/show_bug.cgi?id=285580
rdar://141144921

Reviewed by Keith Miller.

WasmGC Array is broken for GC in multiple ways. We carefully reviewed WasmGC
Array implementation. We found many issues, and this patch fixes them.

1. Doing GC while putting GC values in FixedVector. That's totally
   wrong. We fixed it by first creating WasmGC Array and modifying the
   contents later.
2. arrayNewElem is always creating I64 array, which is broken. We should
   create a specified typed array.
3. WasmGC Array copy implementation is using std::copy even for
   overlapping region. That's totally wrong, and it should use memmove.
   For GC-ref-types, we should use gcSafeMemmove.

* JSTests/wasm/stress/array-element-creation.js: Added.
* JSTests/wasm/stress/resources/array-element-creation.wasm: Added.
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
(JSC::Wasm::fillArray):
(JSC::Wasm::arrayNew):
(JSC::Wasm::copyElementsInReverse):
(JSC::Wasm::arrayNewFixed):
(JSC::Wasm::createArrayFromDataSegment):
(JSC::Wasm::arrayNewData):
(JSC::Wasm::arrayNewElem):
(JSC::Wasm::arrayInitElem):
(JSC::Wasm::arrayInitData):
(JSC::Wasm::createArrayValue): Deleted.
(JSC::Wasm::createArrayFromElementSegment): Deleted.
* Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.cpp:
(JSC::JSWebAssemblyArray::JSWebAssemblyArray):
(JSC::JSWebAssemblyArray::fill):
(JSC::JSWebAssemblyArray::copy):
(JSC::JSWebAssemblyArray::visitChildrenImpl):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::copyDataSegment):
(JSC::JSWebAssemblyInstance::copyElementSegment):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h:

Originally-landed-as: ac2bd207812a. rdar://143529972
Canonical link: https://commits.webkit.org/289530@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list