[Webkit-unassigned] [Bug 247874] New: [Wasm-GC] Fix refcounts for compound type definitions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Nov 13 19:02:56 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=247874

            Bug ID: 247874
           Summary: [Wasm-GC] Fix refcounts for compound type definitions
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: asumu at igalia.com

Currently the `JSTests/wasm/gc/sub.js` test suite can fail under certain conditions, e.g., running in continuous-collect mode. When running with ASAN, it reports a "heap-use-after-free" error.

The problem is likely due to how refcounts are tracked for compound type definitions such as recursion groups and subtypes. For simple type definitions such as functions, structs, and arrays, the type signature list in a module holds RefPtrs to all the types. Compound types hold other types and must keep them live as well, in addition to the reference tracked by the module. This should just require some additional `ref/deref` at appropriate places (I'm not sure there is a good way to abstract this using Ref/RefPtr due to how type definitions are represented).

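As an added illustration of the ownership problem described in the report (this is not WebKit's code: the `TypeDef`, `FuncType` and `SubType` types below are a made-up stand-in for WebKit's RefCounted/RefPtr machinery), the number of live type definitions shows what happens when a compound type only stores a raw pointer to the type it contains, versus when it takes its own ref on construction and derefs on destruction:

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Minimal intrusive refcount standing in for WebKit's RefCounted (assumption: not WebKit's code).
struct TypeDef {
    static int liveCount;          // TypeDefs currently allocated, for the demonstration
    uint32_t refCount = 0;
    TypeDef() { ++liveCount; }
    virtual ~TypeDef() { --liveCount; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
};
int TypeDef::liveCount = 0;

// Simple type definition (function/struct/array): holds no other type definitions.
struct FuncType : TypeDef {};

// Compound type definition: a subtype that refers to its supertype.
// keepChildrenLive=false models the buggy behaviour (raw pointer, no ref/deref);
// keepChildrenLive=true models the fix (ref on construction, deref on destruction).
struct SubType : TypeDef {
    TypeDef* super;
    bool keepChildrenLive;
    SubType(TypeDef* s, bool keep) : super(s), keepChildrenLive(keep) { if (keep) super->ref(); }
    ~SubType() override { if (keepChildrenLive) super->deref(); }
};

// Scenario: the module's signature list refs both types; something outside the module
// (e.g. a wrapper object) still holds the subtype when the module releases its list.
// Returns the number of TypeDefs alive at that point: 2 means the supertype survived,
// 1 means it was freed while the subtype still points at it (the dangling case).
int liveAfterModuleRelease(bool compoundTypesRefChildren) {
    TypeDef::liveCount = 0;
    TypeDef* superType = new FuncType;
    SubType* sub = new SubType(superType, compoundTypesRefChildren);
    std::vector<TypeDef*> moduleSignatures { superType, sub };
    for (TypeDef* t : moduleSignatures) t->ref();    // module's RefPtrs
    sub->ref();                                       // external holder of the subtype
    for (TypeDef* t : moduleSignatures) t->deref();   // module is collected
    moduleSignatures.clear();
    int live = TypeDef::liveCount;
    sub->deref();                                     // external holder goes away
    return live;
}

int main() {
    printf("with ref/deref in compound types: %d live\n", liveAfterModuleRelease(true));
    printf("without:                          %d live\n", liveAfterModuleRelease(false));
    return 0;
}
```

The buggy path never touches the freed supertype here; it only counts, which is why the demonstration is safe to run without ASAN.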