Branch: refs/heads/webkitglib/2.50
Home: https://github.com/WebKit/WebKit
Commit: 2c7725eac89e5dfa656a2826ef8ee17b31073f16
https://github.com/WebKit/WebKit/commit/2c7725eac89e5dfa656a2826ef8ee17b31073f16
Author: Vassili Bykov <[email protected]>
Date: 2025-11-10 (Mon, 10 Nov 2025)
Changed paths:
A JSTests/wasm/regress/298194.js
A JSTests/wasm/spec-harness/wasm-module-builder-gc.js
M Source/JavaScriptCore/wasm/js/JSWebAssemblyArrayInlines.h
M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h
M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.h
Log Message:
-----------
Cherry-pick 297297.401@safari-7622-branch (b064268a6980).
https://bugs.webkit.org/show_bug.cgi?id=298194
Ensure the TypeDefinition behind Wasm::Types in Wasm::FieldTypes is always
retained
https://bugs.webkit.org/show_bug.cgi?id=298194
rdar://159610385
Reviewed by Daniel Liu.
If the type of a field of a Wasm struct type A is another struct type B,
and type B is
represented in its module by a Subtype instance wrapping a StructType
instance, the
Wasm::Type of the FieldType in A ends up holding a raw pointer to the
Subtype instance.
The pointed-at Subtype instance in this situation is not explicitly
retained anywhere. The
WebAssemblyGCStructure of struct B retains a reference to the inner
StructType instance,
not the outer Subtype. The Subtype instance may get garbage-collected when
the
TypeInformation registry is cleaned up, leaving the pointer in Wasm::Type
of the field
dangling.
This issue is similar to the lifetime issues addressed in rdar://159278266,
however in
this case we can't fix it in a similar way by making FieldType retain its
TypeDefinition.
A FieldType is embedded in StructType and ArrayType, and in a module with
self-referential
or mutually referential struct and array types that would result in
reference-counted
cycles.
Instead, this patch ensures that the top-level Subtype instance is retained
in the same
way the underlying StructType or ArrayType are retained. The underlying
types are retained
by WebAssemblyGCStructure, which has a field holding a reference to the
underlying
TypeDefinition produced by the type expansion operation. The patch adds a
similar field to
retain the TypeDefinition before the expansion. If the expanded definition
is identical to
the unexpanded, this duplicate reference if harmless, but when it is not
this ensures that
the original definition which may have incoming pointers from Wasm::Types
survives long
enough.
Note: in the current ToT it might be sufficient to retain only the
unexpanded type, as
Subtype itself retains the underlying type. However, this patch is
submitted against the
security branch in which https://bugs.webkit.org/show_bug.cgi?id=297407
that introduced
the retention is not yet present.
Added the following files. The wasm-module-builder-gc.js is an up-to-date
snapshot
of wasm-module-builder.js with the features required by the test.
* JSTests/wasm/regress/298194.js: Added.
* JSTests/wasm/spec-harness/wasm-module-builder-gc.js: Added.
Canonical link: https://commits.webkit.org/297297.401@safari-7622-branch
Canonical link: https://commits.webkit.org/298234.283@webkitglib/2.50
Commit: 2b7bebc4537d515e9a7bb65e09449e075056b552
https://github.com/WebKit/WebKit/commit/2b7bebc4537d515e9a7bb65e09449e075056b552
Author: Vassili Bykov <[email protected]>
Date: 2025-11-10 (Mon, 10 Nov 2025)
Changed paths:
A JSTests/wasm/regress/298963.js
M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.h
Log Message:
-----------
Cherry-pick 297297.432@safari-7622-branch (0ff0dfde5222).
https://bugs.webkit.org/show_bug.cgi?id=298963
WebAssemblyGCStructure should retain the transitive closure of all
referenced TypeDefinitions
https://bugs.webkit.org/show_bug.cgi?id=298963
rdar://160601609
Reviewed by Daniel Liu.
As the radar demonstrates, there is a fundamental problem in the existing
scheme of how GC
objects are associated with TypeDefinitions. A TypeDefinition representing
the type of a
GC object is related to a set of other TypeDefinitions: the expanded form
of the type as
well as the transitive closure of the types of struct fields and array
elements. Because
TypeDefinitions and some other system elements internally use raw pointers
to refer to
related TypeDefinitions, this entire set of type dependencies should stay
alive while the
GC object is alive.
The existing GC Object/TypeDefinition design uses GC object structures to
retain the
declared type of the object. Even if a GC object outlives its original Wasm
instance,
the structure stays alive together with the object and keeps the declared
type alive.
Unfortunately, as explained above, the declared type may depend on other
types, but
instances of those related types are not guaranteed to be around to keep
their
TypeDefinitions alive. The radar and the test case of this patch show an
example of a
struct A related to struct B, but without a live instance of B to keep
struct B's
TypeDefinition alive.
To address the root cause of this problem, we must make it so that for any
GC object type
T, all types T depends on are retained independently of the liveness of
their own
instances, for as long as there are live instances of T.
This patch makes WebAssemblyGCStructure collect and retain the set of all
relevant
TypeDefinitions. That includes the transitive closure of all
TypeDefinitions reachable via
struct fields and array elements, as well as the expanded and unexpanded
forms of the
declared type of the GC object. This set of dependencies is collected when
the structure
is created together with its Wasm instance, at a small fixed cost and with
no runtime
penalty.
(In the future, it might make sense to combine m_type and
m_typeDependencies in
WebAssemblyGCStructure and simplify instance creation by not requiring
expanded and
unexpanded types separately. However, at this time this code has
outstanding parallel
changes in two branches, so it will be easier to do such cleanups after
these changes
converge).
Canonical link: https://commits.webkit.org/297297.432@safari-7622-branch
Canonical link: https://commits.webkit.org/298234.284@webkitglib/2.50
Compare: https://github.com/WebKit/WebKit/compare/9b821c0cc81f...2b7bebc4537d
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
