Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 36445525ff262d12e96f124c6ca371286ffa9c3a
      
https://github.com/WebKit/WebKit/commit/36445525ff262d12e96f124c6ca371286ffa9c3a
  Author: Dan Hecht <[email protected]>
  Date:   2024-11-04 (Mon, 04 Nov 2024)

  Changed paths:
    A JSTests/wasm/stress/wasm-type-information-lifetimes.js
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.h

  Log Message:
  -----------
[JSC] Fix Wasm::TypeInformation::tryCleanup() inconsistencies for Wasm GC types
https://bugs.webkit.org/show_bug.cgi?id=282538
rdar://137225000

Reviewed by Yusuke Suzuki and Mark Lam.

There are two scenarios that can lead to inconsistencies concerning
the liveness of Wasm::TypeInformation objects.

1. Races between TypeDefinition::deref() and TypeInformation::tryCleanup():

Suppose after the code to remove entries from m_unrollingCache or m_rttMap,
another thread calls TypeDefinition::deref() and the ref count becomes 1.
Then, the final statement in tryCleanup() will remove the TypeDefinition
from m_typeSet, yet its pointer (cast to a TypeIndex) can still appear as a
key in m_unrollingCache and/or m_rttMap. Later, if that memory is reallocated
to another TypeDefinition, we can use that same pointer value as the key into
those maps and then chase stale unrolled TypeDefinitions or RTTs.

2. Some TypeDefinition types maintain reference counts to their dependencies.
The signature->cleanup() call takes care of calling deref() for those counts (this is all
done manually due to the use of TypeIndex as the way to store references).
If signature->cleanup() causes a dependency to reach refCount()==1 and that
TypeInformation happens to appear later in the m_typeSet table traversal, then
again we can end up with stale keys in m_unrollingCache and m_rttMap.

Fix both of these scenarios by ensuring that removal from the three maps
occurs together. Note that since we're holding the TypeInformation lock, no new
references can be taken when the ref count is 1 during this critical section.

* JSTests/wasm/stress/wasm-type-information-lifetimes.js: Added.
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::TypeDefinition::cleanup):
(JSC::Wasm::Subtype::cleanup):
(JSC::Wasm::Projection::cleanup):
(JSC::Wasm::RecursionGroup::cleanup):
(JSC::Wasm::TypeInformation::tryCleanup):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:

Canonical link: https://commits.webkit.org/286124@main
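Scenario 2 above, as an added example that is not WebKit's code: a constructed, single-threaded model of a ref-counted type registry whose derived maps are keyed by the type's address, with the original ordering beside the per-entry removal the message describes. The names mirror the message; the repeat-until-stable pass, the helper functions and the stale-key check are assumptions of this model, and the thread race of scenario 1 is not modelled.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <vector>
struct TypeDef { int refCount; std::vector<TypeDef*> deps; }; // refCount 1 == held by the registry only
using TypeIndex = std::uintptr_t;            // the address, reused as the map key (as in the bug)
using Map = std::map<TypeIndex, int>;        // payloads are placeholders in this model
struct Registry {                            // the caller is assumed to hold the registry lock
    std::vector<TypeDef*> typeSet;           // traversal order == insertion order
    Map unrollingCache, rttMap;
    TypeDef* make(std::vector<TypeDef*> deps) { auto* t = new TypeDef{1, std::move(deps)};
        for (auto* d : t->deps) d->refCount++; return t; }   // a new type takes a ref on each dependency
    void add(TypeDef* t) { typeSet.push_back(t); unrollingCache[(TypeIndex)t] = rttMap[(TypeIndex)t] = 0; }
    static void cleanup(TypeDef* t) { for (auto* d : t->deps) d->refCount--; delete t; } // drop deps, free
    // Buggy ordering: derived maps are pruned first, typeSet last. A dependency that reaches
    // refCount 1 inside cleanup() of an earlier entry leaves typeSet, but its key stays behind.
    void tryCleanupBuggy() {
        for (Map* m : {&unrollingCache, &rttMap})
            for (auto it = m->begin(); it != m->end();)
                if (((TypeDef*)it->first)->refCount == 1) it = m->erase(it); else ++it;
        for (auto it = typeSet.begin(); it != typeSet.end();)
            if ((*it)->refCount == 1) { cleanup(*it); it = typeSet.erase(it); } else ++it;
    }
    // Fixed ordering: a dead entry leaves all three maps in one step; the pass repeats
    // (an assumption of this model) because cleanup() may have made an earlier entry dead.
    void tryCleanupFixed() {
        for (bool changed = true; changed;) { changed = false;
            for (auto it = typeSet.begin(); it != typeSet.end();) {
                if ((*it)->refCount != 1) { ++it; continue; }
                unrollingCache.erase((TypeIndex)*it); rttMap.erase((TypeIndex)*it);
                cleanup(*it); it = typeSet.erase(it); changed = true;
            }
        }
    }
    // Keys in the derived maps whose owner is no longer in typeSet: the stale keys the fix prevents.
    int staleKeys() const {
        int n = 0;
        for (const Map* m : {&unrollingCache, &rttMap})
            for (auto& kv : *m)
                n += std::find(typeSet.begin(), typeSet.end(), (TypeDef*)kv.first) == typeSet.end();
        return n;
    }
};
// Scenario 2 above: A depends on B, only the registry holds A, and A is traversed before B.
int staleKeysAfterCleanup(bool fixed) {
    Registry r;
    TypeDef* b = r.make({}); TypeDef* a = r.make({b});  // b->refCount is now 2
    r.add(a); r.add(b); fixed ? r.tryCleanupFixed() : r.tryCleanupBuggy();
    return r.staleKeys();                               // buggy: 2, fixed: 0
}
```

With the original ordering the freed address of B survives as a key in both derived maps, which is exactly the value a later allocation could reuse.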
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
