  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 456ffae07aa82edcd3063baea83d87a83f75df2e
      https://github.com/WebKit/WebKit/commit/456ffae07aa82edcd3063baea83d87a83f75df2e
  Author: Asumu Takikawa <as...@igalia.com>
  Date:   2023-12-13 (Wed, 13 Dec 2023)

  Changed paths:
    A JSTests/wasm/gc/bug265721.js
    M Source/JavaScriptCore/wasm/WasmParser.h
    M Source/JavaScriptCore/wasm/WasmSectionParser.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.h

  Log Message:
  -----------
  [Wasm-GC] Typedef unrolling cache should hold values strongly
https://bugs.webkit.org/show_bug.cgi?id=265721

Reviewed by Justin Michaud.

This patch fixes two related issues. The main issue is that there is a cache
for type definition unrollings that didn't hold the values strongly, and since
these values are not held by the Wasm instance they could get de-allocated.
This could cause correctness issues or crashes.

That bug was in practice hard to trigger (though it did trigger on some large
compiled-to-wasm examples), because it was hidden by a second bug. The
placeholders in recursive types (used to delay type expansion to cut off
infinite expansion of recursive types) were also not held strongly by the
TypeInformation store, so they could also get de-allocated when an instance
gets collected. This bug made memoization less effective but didn't affect
correctness.

This patch makes the placeholders held by the TypeInformation store itself,
similar to how special type signatures are held by the store. They are also
only allocated via a helper function now, which ensures the store holds the
typedef. It also fixes the cache by using RefPtr for the value type.

* JSTests/wasm/gc/typedef.js:
* Source/JavaScriptCore/wasm/WasmParser.h:
(JSC::Wasm::Parser<SuccessType>::parseValueType):
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseSubtype):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::TypeInformation::getPlaceholderProjection):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:

Canonical link: https://commits.webkit.org/272016@main
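The ownership problem the commit message describes, reduced to a standalone C++ model (added here as an illustration; this is not WebKit code and none of the class or function names are JSC's). `TypeDef`, `WeakUnrollingCache`, `StrongUnrollingCache` and `TypeStore` are constructed stand-ins: the weak cache models a memoization table that does not own its values, so an entry dies with the instance that produced it (with raw pointers the same situation would be a use-after-free; `std::weak_ptr` makes it observable without one), the strong cache stands in for holding the value via `RefPtr`, and `TypeStore::placeholderFor` shows the "allocate only through a helper so the store owns it" pattern for placeholders.

```cpp
#include <cassert>
#include <map>
#include <memory>
#include <string>

// Constructed stand-in for a Wasm type definition (hypothetical, not JSC's type).
struct TypeDef {
    std::string name;
    explicit TypeDef(std::string n) : name(std::move(n)) {}
};

// Cache whose values are weak references: it does not keep unrollings alive, so
// once the last strong owner (an instance that gets collected) releases the
// value, a later lookup finds a dead entry. This models the reported bug.
class WeakUnrollingCache {
public:
    void insert(const std::string& key, const std::shared_ptr<TypeDef>& value)
    {
        m_entries[key] = value; // stored as weak_ptr: no ownership taken
    }
    std::shared_ptr<TypeDef> lookup(const std::string& key) const
    {
        auto it = m_entries.find(key);
        if (it == m_entries.end())
            return nullptr;
        return it->second.lock(); // nullptr once the value has been destroyed
    }
private:
    std::map<std::string, std::weak_ptr<TypeDef>> m_entries;
};

// Cache that owns its values (the shared_ptr analogue of storing RefPtr).
// A hit stays valid as long as the cache lives, independent of any instance.
class StrongUnrollingCache {
public:
    void insert(const std::string& key, std::shared_ptr<TypeDef> value)
    {
        m_entries[key] = std::move(value);
    }
    std::shared_ptr<TypeDef> lookup(const std::string& key) const
    {
        auto it = m_entries.find(key);
        return it == m_entries.end() ? nullptr : it->second;
    }
private:
    std::map<std::string, std::shared_ptr<TypeDef>> m_entries;
};

// Store that hands out placeholders only through a helper, so every placeholder
// is owned by the store itself and memoized by index (hypothetical names).
class TypeStore {
public:
    std::shared_ptr<TypeDef> placeholderFor(unsigned index)
    {
        auto it = m_placeholders.find(index);
        if (it != m_placeholders.end())
            return it->second; // same object on every call
        auto placeholder = std::make_shared<TypeDef>("placeholder#" + std::to_string(index));
        m_placeholders.emplace(index, placeholder);
        return placeholder;
    }
    size_t placeholderCount() const { return m_placeholders.size(); }
private:
    std::map<unsigned, std::shared_ptr<TypeDef>> m_placeholders;
};

// Scenario: an instance computes an unrolling, caches it, then is collected.
// Returns true when the weak cache has lost the entry.
bool weakCacheLosesEntryAfterInstanceDies()
{
    WeakUnrollingCache cache;
    {
        auto instanceOwned = std::make_shared<TypeDef>("rec-type/unrolled");
        cache.insert("rec-type", instanceOwned);
        if (!cache.lookup("rec-type"))
            return false; // still live while the instance holds it
    } // instance collected: last strong owner gone
    return cache.lookup("rec-type") == nullptr;
}

// Same scenario with the owning cache: the entry survives and is the same object.
bool strongCacheKeepsEntryAfterInstanceDies()
{
    StrongUnrollingCache cache;
    TypeDef* raw = nullptr;
    {
        auto instanceOwned = std::make_shared<TypeDef>("rec-type/unrolled");
        raw = instanceOwned.get();
        cache.insert("rec-type", instanceOwned);
    }
    auto hit = cache.lookup("rec-type");
    return hit && hit.get() == raw && hit->name == "rec-type/unrolled";
}

// Placeholders from the helper stay owned by the store after the caller drops
// its reference, and repeated requests return the same object.
bool storeOwnsPlaceholders()
{
    TypeStore store;
    TypeDef* first = store.placeholderFor(7).get(); // caller keeps no reference
    auto again = store.placeholderFor(7);
    return again.get() == first && store.placeholderCount() == 1;
}

int main()
{
    assert(weakCacheLosesEntryAfterInstanceDies());
    assert(strongCacheKeepsEntryAfterInstanceDies());
    assert(storeOwnsPlaceholders());
    return 0;
}
```

The point to check in a real code base is the one the first scenario makes: a memoization table keyed on something the instance produced must either own the value or be cleared when the producer goes away; a table of non-owning pointers whose lifetime is tied to a different object than the values is a dangling-pointer bug waiting for a large enough workload.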


_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes