Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5d2b2254f73f00fbcc457624d85f46381c1586b3
https://github.com/WebKit/WebKit/commit/5d2b2254f73f00fbcc457624d85f46381c1586b3
Author: Yusuke Suzuki <[email protected]>
Date: 2026-05-02 (Sat, 02 May 2026)
Changed paths:
R JSTests/stress/wasm-gc-realmless-structure.js
A JSTests/wasm/stress/wasm-cycle-collect-dupe-on-insert.js
A JSTests/wasm/stress/wasm-cycle-collect-intra-group-subtype.js
A JSTests/wasm/stress/wasm-cycle-collect-mutually-recursive-struct-array.js
A JSTests/wasm/stress/wasm-cycle-collect-observable.js
A JSTests/wasm/stress/wasm-cycle-collect-parse-failure.js
A JSTests/wasm/stress/wasm-cycle-collect-self-recursive-singleton.js
A JSTests/wasm/stress/wasm-gc-realmless-structure.js
M Source/JavaScriptCore/runtime/OptionsList.h
M Source/JavaScriptCore/tools/JSDollarVM.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
Log Message:
-----------
[JSC] Implement cycle-collector for RTT and RTTGroup
https://bugs.webkit.org/show_bug.cgi?id=313881
rdar://176076792
Reviewed by Yijia Huang.
This patch implements traditional Bacon-Rajan cycle collector for Wasm
RTT and RTTGroup. This is cheap and easy since we do this only when
TypeInformation::tryCleanup is explicitly called (instead of recording
all deref-ed RefCounted as PURPLE as a potential root of cycle).
Because TypeInformation lists all RTTs and RTTGroups, we do not need to
have tri-color graph traversal. So we can just perform as follows.
1. Traverse all of them and snapshot the refCount as
virtualRefCount.
2. Do trial-decrement: deref (virtualRefCount) from each edge.
3. Checking virtualRefCount after (2). If it is non-zero, this means
that this RTT / RTTGroup is retained outside of TypeInformation
registry. Thus they are really alive. Otherwise, it is actually dead.
4. From non-zero virtualRefCount, traverse the graph and virtually ref
the each edge. If RTT or RTTGroup becomes non-zero newly, then we
push it to the worklist. This basically marks all RTTs / RTTGroups
reachable from (3).
5. Finally, list all of RTTs and RTTGroups, if they are zero
virtualRefCount, break cycles and drop it from registry. Then they
will be destroyed.
Tests: JSTests/stress/wasm-cycle-collect-dupe-on-insert.js
JSTests/stress/wasm-cycle-collect-intra-group-subtype.js
JSTests/stress/wasm-cycle-collect-mutually-recursive-struct-array.js
JSTests/stress/wasm-cycle-collect-observable.js
JSTests/stress/wasm-cycle-collect-parse-failure.js
JSTests/stress/wasm-cycle-collect-self-recursive-singleton.js
* JSTests/wasm/stress/wasm-cycle-collect-dupe-on-insert.js: Added.
(uleb128):
(sleb128):
(encodeSection):
(buildMutualRecGroupBytes):
(buildSelfRecursiveSingletonBytes):
(churnPairs):
(verifyReclamation):
* JSTests/wasm/stress/wasm-cycle-collect-intra-group-subtype.js: Added.
(uleb128):
(sleb128):
(encodeSection):
(buildModuleBytes):
(churn):
* JSTests/wasm/stress/wasm-cycle-collect-mutually-recursive-struct-array.js:
Added.
(uleb128):
(sleb128):
(encodeSection):
(buildModuleBytes):
(churnModules):
* JSTests/wasm/stress/wasm-cycle-collect-observable.js: Added.
(uleb128):
(sleb128):
(encodeSection):
(buildModuleBytes):
(churnBatch):
* JSTests/wasm/stress/wasm-cycle-collect-parse-failure.js: Added.
(uleb128):
(sleb128):
(enc):
(buildFailingModule):
(churn):
(triggerCleanup):
(grew.Math.floor):
* JSTests/wasm/stress/wasm-cycle-collect-self-recursive-singleton.js: Added.
(uleb128):
(sleb128):
(encodeSection):
(buildModuleBytes):
(churnModules):
* JSTests/wasm/stress/wasm-gc-realmless-structure.js: Renamed from
JSTests/stress/wasm-gc-realmless-structure.js.
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::RTT::rewriteInternalRefs):
(JSC::Wasm::RTT::clearAllDisplayRefs):
(JSC::Wasm::RTT::setSelfDisplaySlot const):
(JSC::Wasm::TypeInformation::breakCyclesForReclamation):
(JSC::Wasm::SingletonSelfRef::operator() const):
(JSC::Wasm::CanonicalSingletonEntryHash::hash):
(JSC::Wasm::CanonicalSingletonEntryHash::equal):
(JSC::Wasm::TypeInformation::canonicalizeRecursionGroupImpl):
(JSC::Wasm::TypeInformation::canonicalizeSingletonImpl):
(JSC::Wasm::TypeInformation::tryCleanup):
(JSC::Wasm::TypeInformation::canonicalTypeCount):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
(JSC::Wasm::RTTFunctionPayload::forEachPayloadRTTRef const):
(JSC::Wasm::RTTStructPayload::forEachPayloadRTTRef const):
(JSC::Wasm::RTTArrayPayload::forEachPayloadRTTRef const):
(JSC::Wasm::CanonicalSingletonEntry::CanonicalSingletonEntry):
(WTF::HashTraits<JSC::Wasm::CanonicalSingletonEntry>::isEmptyValue):
Canonical link: https://commits.webkit.org/312485@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
