Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0c06001c552225c38d91671a97e7e7087b6c4614
https://github.com/WebKit/WebKit/commit/0c06001c552225c38d91671a97e7e7087b6c4614
Author: Vassili Bykov <[email protected]>
Date: 2026-05-13 (Wed, 13 May 2026)
Changed paths:
M Source/JavaScriptCore/heap/ConservativeRoots.cpp
M Source/JavaScriptCore/heap/ConservativeRoots.h
M Source/JavaScriptCore/heap/Heap.cpp
M Source/JavaScriptCore/heap/Heap.h
Log Message:
-----------
[JSC] Fix wasm callee cleanup to account for multiple conservative root scans
https://bugs.webkit.org/show_bug.cgi?id=314664
rdar://176914701
Reviewed by Keith Miller.
The cleanup of Wasm callees is currently done as part of the conservative roots scan.

ConservativeRoots takes a snapshot of the current contents of Heap::m_wasmCalleesPendingDestruction. During the scan, it records the wasm callees it encounters. After the scan, any callees present in the snapshot but not encountered while scanning are considered unreachable in this VM and removed from m_wasmCalleesPendingDestruction. If this VM was the only one using the callee, the callee's refcount reaches 0 and the callee is destroyed. (The snapshot is needed to avoid accidentally dropping callees added to m_wasmCalleesPendingDestruction during concurrent phases and not yet seen in the scan.)

This scheme needs changing now that conservative roots are also scanned as part of scanning JSPI evacuated stacks (https://bugs.webkit.org/show_bug.cgi?id=307564). The core assumption that a callee present in the pending destruction snapshot and not seen during the scan is now unreachable does not hold anymore. A callee may be held by an evacuated stack and not be seen in the live stack scan by the Cs constraint, or it may be held by the live stack and not seen in an evacuated stack scan by the Pbc constraint.

This patch moves callee finalization from ConservativeRoots into Heap. The pending destruction snapshot and the set of discovered callees are now held by the Heap, set up in the Begin phase. ConservativeRoots records discovered callees in that central Heap-owned discovered set and Bloom filter. In the End phase, callees recorded in the snapshot and not seen by any of the conservative scans are cleaned out of m_wasmCalleesPendingDestruction.

Testing:

Exercised by JSPI tests when running in debug or ASAN builds. Old behavior was causing flaky crashes on refcount checks or freed memory access, especially with collectContinuously turned on.
Canonical link: https://commits.webkit.org/313167@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
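The following is an added example, not code from the WebKit commit above, that models the two finalization schemes the commit message describes. Callees are plain integer ids and every name (Scan, HeapModel, Outcome, finalizePerScan, finalizeInHeap, exampleScans, exampleHeap) is a hypothetical stand-in rather than a WebKit identifier. It reproduces the failure mode the message gives: with two conservative scans per cycle (live stack plus an evacuated JSPI stack), per-scan finalization destroys a callee that only the other scan can see, while a single Heap-level snapshot/discovered set finalized once in the End phase does not.

```cpp
// Added example (not JSC code): a model of per-scan versus Heap-level callee
// finalization. Callees are integer ids; all names here are hypothetical.
#include <cassert>
#include <set>
#include <vector>

using CalleeId = int;
using CalleeSet = std::set<CalleeId>;

// One conservative scan: the callees it finds on its stack, and the callees
// that concurrent work adds to the pending-destruction set while it runs.
struct Scan {
    CalleeSet visible;
    CalleeSet addedDuringScan;
};

// Stand-in for the Heap side: the pending-destruction set and the effect of
// a refcount dropping to zero (modelled as moving the id to `destroyed`).
struct HeapModel {
    CalleeSet pending;
    CalleeSet destroyed;

    // Every snapshot member that no scan reported is considered unreachable.
    void destroyUnseen(const CalleeSet& snapshot, const CalleeSet& seen) {
        for (CalleeId id : snapshot) {
            if (seen.count(id))
                continue;
            pending.erase(id);
            destroyed.insert(id);
        }
    }
};

struct Outcome {
    CalleeSet destroyed;    // callees whose refcount hit zero
    CalleeSet dangling;     // destroyed callees still referenced from a stack
    CalleeSet pendingAfter; // what is left in the pending set
};

// Destroyed callees that some stack still references: a use-after-free.
static CalleeSet stillReferenced(const CalleeSet& destroyed, const std::vector<Scan>& scans) {
    CalleeSet out;
    for (const Scan& scan : scans)
        for (CalleeId id : scan.visible)
            if (destroyed.count(id))
                out.insert(id);
    return out;
}

// Old scheme: each scan snapshots and finalizes on its own. A callee that only
// a later scan can see is already gone by the time that scan runs.
Outcome finalizePerScan(HeapModel heap, const std::vector<Scan>& scans) {
    for (const Scan& scan : scans) {
        CalleeSet snapshot = heap.pending;
        CalleeSet seen;
        for (CalleeId id : scan.visible)
            if (snapshot.count(id))
                seen.insert(id);
        heap.pending.insert(scan.addedDuringScan.begin(), scan.addedDuringScan.end());
        heap.destroyUnseen(snapshot, seen);
    }
    return { heap.destroyed, stillReferenced(heap.destroyed, scans), heap.pending };
}

// New scheme: Begin takes one snapshot, every scan feeds one shared discovered
// set, End finalizes once. (The real patch also keeps a Bloom filter beside the
// discovered set as a fast pre-check; omitted here.)
Outcome finalizeInHeap(HeapModel heap, const std::vector<Scan>& scans) {
    CalleeSet snapshot = heap.pending; // Begin phase
    CalleeSet discovered;
    for (const Scan& scan : scans) {
        for (CalleeId id : scan.visible)
            if (snapshot.count(id))
                discovered.insert(id);
        heap.pending.insert(scan.addedDuringScan.begin(), scan.addedDuringScan.end());
    }
    heap.destroyUnseen(snapshot, discovered); // End phase
    return { heap.destroyed, stillReferenced(heap.destroyed, scans), heap.pending };
}

// Constructed scenario: 1 and 2 are on the live stack, 3 only on an evacuated
// JSPI stack, 4 is unreachable, and 5 enters the pending set concurrently
// while the live-stack scan is running.
static std::vector<Scan> exampleScans() {
    return { Scan{ {1, 2}, {5} },  // live stack scan
             Scan{ {3}, {} } };    // evacuated stack scan
}

static HeapModel exampleHeap() {
    HeapModel heap;
    heap.pending = {1, 2, 3, 4};
    return heap;
}

Outcome runOldScheme() { return finalizePerScan(exampleHeap(), exampleScans()); }
Outcome runNewScheme() { return finalizeInHeap(exampleHeap(), exampleScans()); }

int main() {
    assert(runOldScheme().dangling == CalleeSet({1, 2, 3})); // freed while in use
    assert(runNewScheme().dangling.empty());
    assert(runNewScheme().destroyed == CalleeSet({4}));
    return 0;
}
```

In the old scheme the second scan's snapshot no longer contains 3 (the first scan already destroyed it), and the second scan sees neither 1 nor 2, so those go too; the new scheme destroys only 4 and keeps 5 for the next cycle because it was never in the Begin-phase snapshot.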