Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 36a3e59badd181416ef6d3ad629d9f93ba5added
      
https://github.com/WebKit/WebKit/commit/36a3e59badd181416ef6d3ad629d9f93ba5added
  Author: Keith Miller <[email protected]>
  Date:   2026-05-30 (Sat, 30 May 2026)

  Changed paths:
    A JSTests/stress/wasm-funcref-table-grow-gc-marking-gap.js
    A JSTests/wasm/stress/grow-funcref-table-with-default.js
    M Source/JavaScriptCore/wasm/WasmTable.cpp
    M Source/JavaScriptCore/wasm/WasmTable.h

  Log Message:
  -----------
  [Wasm] Fix JS Table.grow with a default value
https://bugs.webkit.org/show_bug.cgi?id=315856
rdar://177654868

Reviewed by Yusuke Suzuki.

The JS-API WebAssembly.Table.prototype.grow(delta, fillValue) routes through
Wasm::Table::grow with a non-null defaultValue. For a funcref table that path
only wrote slot.m_value with the supplied JSValue and never populated
slot.m_function, so call_indirect into a grown slot dereferenced a null rtt and
trapped with "signature does not match" instead of dispatching to the fill
function. Worse, after 313985@main introduced the m_function-based
Function::isEmpty() predicate, visitAggregateImpl skipped visiting m_value on
funcref slots where !m_function.rtt; slots populated only by Table::grow read as
empty, so the GC reclaimed the live wrapper and table.get returned a dangling
cell. The Wasm-side (table.grow ...) path is unaffected because it always passes
jsNull to Table::grow and then populates both halves of each slot via tableSet.

Centralize "set both halves of a funcref slot with a write barrier" into a new
FuncRefTable::Function::setFunction and call it from both FuncRefTable::setFunction
and Table::grow's funcref case. Also drop the visitAggregateImpl isEmpty()
short-circuit so a slot with a live m_value but a null m_function is still kept
alive by the GC as an extra precaution.

Tests: JSTests/stress/wasm-funcref-table-grow-gc-marking-gap.js
       JSTests/wasm/stress/grow-funcref-table-with-default.js

Canonical link: https://commits.webkit.org/314219@main
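As an added illustration (not one of the two JSTests in this commit, and not WebKit code), the JS-API grow-with-fill path described above can be exercised end to end: a funcref table is grown with an exported wasm function as the fill value, then each grown slot is read back with table.get and dispatched through call_indirect from a second module that imports the table. Both modules are hand-assembled here; the export names `f` and `call` and the import namespace `env`/`t` are choices made for this example.

```javascript
// Callee module (constructed for this example): exports `f` : () -> i32, returns 42.
const CALLEE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic + version
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,             // type 0: () -> i32
  0x03, 0x02, 0x01, 0x00,                               // func 0 has type 0
  0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00,             // export "f" = func 0
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x41, 0x2a, 0x0b,       // body: i32.const 42; end
]);

// Caller module (constructed): imports table env.t, exports `call(i)` which does
// call_indirect through slot i expecting signature () -> i32.
const CALLER = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic + version
  0x01, 0x0a, 0x02, 0x60, 0x00, 0x01, 0x7f,             // type 0: () -> i32
  0x60, 0x01, 0x7f, 0x01, 0x7f,                         // type 1: (i32) -> i32
  0x02, 0x0b, 0x01, 0x03, 0x65, 0x6e, 0x76, 0x01, 0x74, // import "env" "t"
  0x01, 0x70, 0x00, 0x00,                               //   table funcref, min 0
  0x03, 0x02, 0x01, 0x01,                               // func 0 has type 1
  0x07, 0x08, 0x01, 0x04, 0x63, 0x61, 0x6c, 0x6c, 0x00, 0x00, // export "call"
  0x0a, 0x09, 0x01, 0x07, 0x00,                         // code: one body, no locals
  0x20, 0x00, 0x11, 0x00, 0x00, 0x0b,                   // local.get 0; call_indirect type 0; end
]);

// Grows a 1-slot funcref table by `delta` using the exported function as the
// fill value (the path the commit fixes) and reports what each grown slot holds.
function growFuncrefTableWithFill(delta) {
  const { f } = new WebAssembly.Instance(new WebAssembly.Module(CALLEE)).exports;
  const table = new WebAssembly.Table({ element: "anyfunc", initial: 1 });
  const oldLength = table.grow(delta, f); // JS-API Table.prototype.grow with fillValue
  const { call } = new WebAssembly.Instance(
    new WebAssembly.Module(CALLER), { env: { t: table } }).exports;
  const grown = [];
  for (let i = oldLength; i < table.length; i++) {
    // Both halves of the slot must agree: the JS view and the call_indirect dispatch.
    grown.push({ sameFunction: table.get(i) === f, viaCallIndirect: call(i) });
  }
  // Slot 0 was never filled, so call_indirect through it must trap, not dispatch.
  let emptySlotTraps = false;
  try { call(0); } catch (e) { emptySlotTraps = e instanceof WebAssembly.RuntimeError; }
  return { oldLength, newLength: table.length, grown, emptySlotTraps };
}
```

Under an engine with the bug described above, the `viaCallIndirect` calls would trap with a signature mismatch even though `table.get` still returned the fill function.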