Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3ec2959867b0ec050bc0d3c2c14147716da76f50
https://github.com/WebKit/WebKit/commit/3ec2959867b0ec050bc0d3c2c14147716da76f50
Author: Dan Hecht <[email protected]>
Date: 2024-11-05 (Tue, 05 Nov 2024)
Changed paths:
M Source/JavaScriptCore/wasm/WasmModuleInformation.h
M Source/JavaScriptCore/wasm/WasmParser.h
M Source/JavaScriptCore/wasm/WasmSectionParser.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
M Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h
Log Message:
-----------
[JSC] Fix ref-counting issues with Wasm GC types
https://bugs.webkit.org/show_bug.cgi?id=282576
rdar://139244985
Reviewed by Yusuke Suzuki.
While parsing the wasm type section there are windows where
reference counts to a Wasm GC TypeDefinitions are not held
by the parser. During these windows, a
TypeInformation::tryCleanup() could free these
types out from under the parser. Close these windows.
Also add asserts to help verify and document.
The windows were:
1. parseRecursionGroup() needs to hold ref counts to each
element until it constructs the recursion group, which
takes ownership.
2. parseRecursionGroup() needs to create its projections
and hold references while they are being linked together.
3. While replacing placeholders, we need to be careful to
continue holding a ref count until the unrolling cache
takes ownership.
Also, RTT::tryCreateRTT() was missing an adoptRef which
I think would cause these to leak.
After parsing, everything is owned by the parser's
WasmModuleInformation either directly, indirectly through
the TypeDefinition tree of (manually kept) ref counts, or
indirectly via the TypeInformation caches (which tie the
lifetime of the value to the key).
In addition to the added asserts, I also ran the
javascriptcore test with more instrumentation added
to TypeDefinition::deref() to help ensure references are no
longer dropped at the wrong times.
* Source/JavaScriptCore/wasm/WasmModuleInformation.h:
* Source/JavaScriptCore/wasm/WasmParser.h:
(JSC::Wasm::ParserBase::parseValueType):
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseType):
(JSC::Wasm::SectionParser::parseRecursionGroup):
(JSC::Wasm::SectionParser::parseSubtype):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::TypeDefinition::substitute):
(JSC::Wasm::substituteParent):
(JSC::Wasm::TypeDefinition::replacePlaceholders const):
(JSC::Wasm::TypeDefinition::unroll const):
(JSC::Wasm::RTT::tryCreateRTT):
(JSC::Wasm::TypeInformation::addCachedUnrolling):
(JSC::Wasm::TypeInformation::tryCleanup):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
(JSC::Wasm::TypeDefinition::unownedIndex const):
(JSC::Wasm::TypeDefinition::index const): Deleted.
* Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h:
(JSC::Wasm::TypeDefinition::index const):
(JSC::Wasm::TypeInformation::get):
Canonical link: https://commits.webkit.org/286140@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
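The hazard the commit message describes (a parser that drops its reference to an interned type before the recursion group takes ownership, while a cache cleanup can free anything only the cache still references) and the adoptRef point, as an added, self-contained model. This is editor-written example code, not JavaScriptCore's code or the diff from this commit: TypeDef, Ref, adoptRef, TypeCache, RecursionGroup and the "evict when refCount == 1" rule are simplified stand-ins for WTF::RefCounted/Ref/adoptRef, Wasm::TypeDefinition and TypeInformation::tryCleanup(), and the assumption that a fresh object starts with one reference mirrors WTF::RefCounted. The liveness set is instrumentation so the dangling pointer is detected by address rather than dereferenced.

```cpp
// Model of the ref-count windows discussed in the commit message. Not JSC code;
// all names here are stand-ins (see lead-in). Assumed: a new object starts at
// refCount 1, and the cache frees entries that only it references.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

namespace gcref {

struct TypeDef;
// Instrumentation: addresses of live TypeDefs, so a stale pointer can be
// recognised by lookup instead of being dereferenced.
static std::set<const TypeDef*> g_live;

struct TypeDef {
    std::string name;
    unsigned refCount = 1; // the creator holds the first reference
    explicit TypeDef(std::string n) : name(std::move(n)) { g_live.insert(this); }
    ~TypeDef() { g_live.erase(this); }
    void ref() { ++refCount; }
    void deref() { if (!--refCount) delete this; }
};
static bool isLive(const TypeDef* p) { return g_live.count(p) != 0; }

// Minimal owning pointer: Ref(obj) shares ownership (calls ref()),
// adoptRef(obj) takes over the creator's reference without calling ref().
template <typename T> class Ref {
    T* m_ptr;
public:
    struct AdoptTag {};
    Ref(AdoptTag, T& obj) : m_ptr(&obj) {}
    explicit Ref(T& obj) : m_ptr(&obj) { m_ptr->ref(); }
    Ref(const Ref& o) : m_ptr(o.m_ptr) { m_ptr->ref(); }
    Ref(Ref&& o) noexcept : m_ptr(o.m_ptr) { o.m_ptr = nullptr; }
    Ref& operator=(const Ref&) = delete;
    ~Ref() { if (m_ptr) m_ptr->deref(); }
    T* ptr() const { return m_ptr; }
};
template <typename T> Ref<T> adoptRef(T& obj) { return Ref<T>(typename Ref<T>::AdoptTag{}, obj); }

// Interning cache; the cache itself holds one reference per entry.
class TypeCache {
    std::unordered_map<std::string, TypeDef*> m_entries;
public:
    Ref<TypeDef> intern(const std::string& name) {
        auto it = m_entries.find(name);
        if (it == m_entries.end())
            it = m_entries.emplace(name, new TypeDef(name)).first; // cache keeps the creator's ref
        return Ref<TypeDef>(*it->second); // caller gets its own ref (refCount >= 2)
    }
    // Stand-in for tryCleanup(): drop every type that only the cache references.
    void tryCleanup() {
        for (auto it = m_entries.begin(); it != m_entries.end();) {
            if (it->second->refCount == 1) { it->second->deref(); it = m_entries.erase(it); }
            else ++it;
        }
    }
    std::size_t size() const { return m_entries.size(); }
    ~TypeCache() { for (auto& e : m_entries) e.second->deref(); }
};

struct RecursionGroup {
    std::vector<Ref<TypeDef>> elements; // the group owns its elements once built
};

// Window 1 before the fix: each element's Ref dies right after interning, so only
// the cache references it; a cleanup before the group is built frees it.
// Returns false if any collected pointer no longer names a live TypeDef.
static bool parseRecursionGroupDroppingRefs(TypeCache& cache, const std::vector<std::string>& names, bool cleanupInWindow) {
    std::vector<TypeDef*> raw;
    for (const auto& n : names) {
        Ref<TypeDef> t = cache.intern(n);
        raw.push_back(t.ptr());
    } // t destroyed: refCount back to 1, parser holds nothing
    if (cleanupInWindow) cache.tryCleanup(); // cleanup running mid-parse
    for (TypeDef* p : raw)
        if (!isLive(p)) return false; // building the group here would be a use-after-free
    return true;
}

// The fixed shape: hold a Ref to every element until the group takes ownership.
static std::unique_ptr<RecursionGroup> parseRecursionGroupHoldingRefs(TypeCache& cache, const std::vector<std::string>& names, bool cleanupInWindow) {
    std::vector<Ref<TypeDef>> held;
    for (const auto& n : names) held.push_back(cache.intern(n));
    if (cleanupInWindow) cache.tryCleanup(); // no-op: every held element has refCount 2
    auto group = std::make_unique<RecursionGroup>();
    group->elements = std::move(held); // refs transfer to the owner, never dropped
    return group;
}

// The adoptRef point: wrapping a fresh object with Ref(obj) double-counts the
// creator's reference and it is never freed. Returns objects still live after
// the Ref leaves scope: 0 means freed, 1 means leaked.
static std::size_t liveAfterScope(bool useAdoptRef) {
    std::size_t before = g_live.size();
    {
        TypeDef* fresh = new TypeDef("rtt");
        if (useAdoptRef) { Ref<TypeDef> r = adoptRef(*fresh); }
        else { Ref<TypeDef> r(*fresh); }
    }
    return g_live.size() - before;
}

} // namespace gcref

int main() {
    gcref::TypeCache cache;
    std::vector<std::string> names{"t0", "t1", "t2"};
    std::printf("dropping refs, cleanup in window: %s\n", gcref::parseRecursionGroupDroppingRefs(cache, names, true) ? "ok" : "DANGLING");
    auto group = gcref::parseRecursionGroupHoldingRefs(cache, names, true);
    std::printf("holding refs, cleanup in window: %zu elements live\n", group->elements.size());
    std::printf("leaked without adoptRef: %zu, with adoptRef: %zu\n", gcref::liveAfterScope(false), gcref::liveAfterScope(true));
    return 0;
}
```

The group-owning vector is the whole fix: the Refs collected during the loop are moved into the group rather than destroyed, so there is no instant at which the parser's elements are reachable only through the cache. The same pattern covers the other two windows in the message (projections held while they are linked, placeholders held until the unrolling cache owns them): whoever will own the object at the end must receive a reference that was never dropped in between.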