Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d4b9e6993567d3c357637fb7c6f29e0685ba8ebe
https://github.com/WebKit/WebKit/commit/d4b9e6993567d3c357637fb7c6f29e0685ba8ebe
Author: Vassili Bykov <[email protected]>
Date: 2025-12-09 (Tue, 09 Dec 2025)
Changed paths:
A JSTests/wasm/regress/298194.js
A JSTests/wasm/spec-harness/wasm-module-builder-gc.js
M Source/JavaScriptCore/wasm/js/JSWebAssemblyArrayInlines.h
M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h
M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.h
Log Message:
-----------
Ensure the TypeDefinition behind Wasm::Types in Wasm::FieldTypes is always retained
https://bugs.webkit.org/show_bug.cgi?id=298194
rdar://159610385
Reviewed by Daniel Liu.
If the type of a field of a Wasm struct type A is another struct type B, and type B is represented in its module by a Subtype instance wrapping a StructType instance, the Wasm::Type of the FieldType in A ends up holding a raw pointer to the Subtype instance.

The pointed-at Subtype instance in this situation is not explicitly retained anywhere. The WebAssemblyGCStructure of struct B retains a reference to the inner StructType instance, not the outer Subtype. The Subtype instance may get garbage-collected when the TypeInformation registry is cleaned up, leaving the pointer in the Wasm::Type of the field dangling.
This issue is similar to the lifetime issues addressed in rdar://159278266; however, in this case we can't fix it in a similar way by making FieldType retain its TypeDefinition. A FieldType is embedded in StructType and ArrayType, and in a module with self-referential or mutually referential struct and array types that would result in reference-counted cycles.
Instead, this patch ensures that the top-level Subtype instance is retained in the same way the underlying StructType or ArrayType are retained. The underlying types are retained by WebAssemblyGCStructure, which has a field holding a reference to the underlying TypeDefinition produced by the type expansion operation. The patch adds a similar field to retain the TypeDefinition before the expansion. If the expanded definition is identical to the unexpanded one, this duplicate reference is harmless, but when it is not, this ensures that the original definition, which may have incoming pointers from Wasm::Types, survives long enough.
Note: in the current ToT it might be sufficient to retain only the unexpanded type, as Subtype itself retains the underlying type. However, this patch is submitted against the security branch, in which the change for https://bugs.webkit.org/show_bug.cgi?id=297407 that introduced that retention is not yet present.
Added the following files. The wasm-module-builder-gc.js is an up-to-date snapshot of wasm-module-builder.js with the features required by the test.
* JSTests/wasm/regress/298194.js: Added.
* JSTests/wasm/spec-harness/wasm-module-builder-gc.js: Added.
Originally-landed-as: 297297.401@safari-7622-branch (b064268a6980).
rdar://164215060
Canonical link: https://commits.webkit.org/304206@main
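The lifetime problem and the reason the obvious fix is unavailable can be shown with a small reference-counting model. The block below is an added illustration, not code from WebKit or from this patch; the classes TypeDefinition, FieldType, GCStructure and the registry vector are invented stand-ins for the JavaScriptCore types the commit message names, and std::shared_ptr plays the role of the project's reference counting. It constructs the module from the message (struct B is a Subtype wrapping a StructType, struct A has a field of type B), shows the field's raw pointer dangling once the registry is cleared when only the expanded definition is retained, shows it surviving when the unexpanded definition is retained as well, and shows why letting FieldType own its TypeDefinition would leak on a self-referential type.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Toy model of the retention problem (added example, not JavaScriptCore code).
struct TypeDefinition;
// Allocation tracker so liveness can be tested without touching freed memory.
static std::set<const TypeDefinition*> g_live;
static bool isLive(const TypeDefinition* t) { return g_live.count(t) != 0; }

// A field type holds a raw, non-owning pointer, as the Wasm::Type in the message does.
struct FieldType { const TypeDefinition* type = nullptr; };

struct TypeDefinition {
    std::vector<FieldType> fields;            // payload of a StructType
    std::shared_ptr<TypeDefinition> wrapped;  // set when this definition is a Subtype wrapping a StructType
    TypeDefinition() { g_live.insert(this); }
    ~TypeDefinition() { g_live.erase(this); }
};

// Type expansion: a Subtype expands to the StructType it wraps; a plain StructType expands to itself.
static std::shared_ptr<TypeDefinition> expand(const std::shared_ptr<TypeDefinition>& def) {
    return def->wrapped ? def->wrapped : def;
}

// Stand-in for WebAssemblyGCStructure. Before the patch it retained only the
// expanded definition; the patch adds a second reference to the unexpanded one.
struct GCStructure {
    std::shared_ptr<TypeDefinition> expanded;
    std::shared_ptr<TypeDefinition> original;
    GCStructure(const std::shared_ptr<TypeDefinition>& def, bool retainOriginal)
        : expanded(expand(def)), original(retainOriginal ? def : nullptr) {}
};

// Builds struct B = Subtype(StructType) and struct A with a field of type B,
// then clears the registry (the TypeInformation cleanup). Returns whether the
// definition A's field points at is still allocated afterwards.
static bool fieldPointerSurvivesRegistryCleanup(bool patched) {
    std::vector<std::shared_ptr<TypeDefinition>> registry;  // model of the TypeInformation registry
    auto bInner = std::make_shared<TypeDefinition>();       // StructType for B
    auto bSub = std::make_shared<TypeDefinition>();         // Subtype wrapping B's StructType
    bSub->wrapped = bInner;
    auto a = std::make_shared<TypeDefinition>();            // StructType for A
    a->fields.push_back(FieldType{bSub.get()});             // A's field refers to B via the Subtype, raw
    registry = {bSub, a};

    std::vector<GCStructure> structures;                    // one GC structure per struct type
    structures.emplace_back(bSub, patched);
    structures.emplace_back(a, patched);
    bInner.reset(); bSub.reset(); a.reset();                // only registry + structures hold references now

    const TypeDefinition* fieldTarget = structures[1].expanded->fields[0].type;
    registry.clear();                                       // registry cleanup drops its references
    return isLive(fieldTarget);                             // false unpatched: the Subtype was freed
}

// Why FieldType cannot simply retain its TypeDefinition: a self-referential
// struct (a field of type A inside A) turns owning references into a cycle.
static int g_liveOwning = 0;
struct OwningTypeDefinition {
    std::vector<std::shared_ptr<OwningTypeDefinition>> fields;  // each field retains its type
    OwningTypeDefinition() { ++g_liveOwning; }
    ~OwningTypeDefinition() { --g_liveOwning; }
};
static int leakedAfterDroppingSelfReferentialType() {
    int before = g_liveOwning;
    {
        auto a = std::make_shared<OwningTypeDefinition>();
        a->fields.push_back(a);   // struct A { field: ref A }
    }                             // last external reference gone, but A still owns itself
    return g_liveOwning - before; // 1: the definition is never released
}

int main() {
    std::printf("unpatched: field target live after cleanup = %d\n", fieldPointerSurvivesRegistryCleanup(false));
    std::printf("patched:   field target live after cleanup = %d\n", fieldPointerSurvivesRegistryCleanup(true));
    std::printf("owning fields on self-referential type leak %d definition(s)\n", leakedAfterDroppingSelfReferentialType());
    return 0;
}
```

The model keeps the message's structure deliberately: the structure for B retains only B's expanded StructType, so nothing but the registry keeps the Subtype alive, and A's field pointer into it goes stale at cleanup. Retaining the unexpanded definition from the GC structure rather than from the field fixes that without creating a cycle, because the GC structure is not itself reachable from the type definitions.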