Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d106624a1491c5311e04b2dee2056aa32c28869a
https://github.com/WebKit/WebKit/commit/d106624a1491c5311e04b2dee2056aa32c28869a
Author: Shu-yu Guo <[email protected]>
Date: 2026-01-26 (Mon, 26 Jan 2026)
Changed paths:
M Source/JavaScriptCore/interpreter/FrameTracers.h
M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp
Log Message:
-----------
[JSC] Null out vm.topCallFrame in Wasm GC IPInt slow paths if needed
https://bugs.webkit.org/show_bug.cgi?id=306295
rdar://168907265
Reviewed by Yusuke Suzuki.
Wasm GC IPInt slow paths can trigger GC, which can update ShadowChicken.
Generally, IPInt updates topCallFrame just-in-time as needed (e.g. when
throwing a JS exception), so the value can be stale. ShadowChicken can read a
stale value and crash. Since Wasm frames don't participate in ShadowChicken,
which is for JS tail calls, null out topCallFrame in such slow paths.
There is no test as testing this is nondeterministic and flaky.
Canonical link: https://commits.webkit.org/306256@main