Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 078fa38a67ae5fda4a4183978a1e765401f73999
https://github.com/WebKit/WebKit/commit/078fa38a67ae5fda4a4183978a1e765401f73999
Author: Vassili Bykov <[email protected]>
Date: 2025-12-11 (Thu, 11 Dec 2025)
Changed paths:
A JSTests/wasm/regress/298963.js
M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyGCStructure.h
Log Message:
-----------
WebAssemblyGCStructure should retain the transitive closure of all referenced TypeDefinitions
https://bugs.webkit.org/show_bug.cgi?id=298963
rdar://160601609

Reviewed by Daniel Liu.

As the radar demonstrates, there is a fundamental problem in the existing scheme of how GC objects are associated with TypeDefinitions. A TypeDefinition representing the type of a GC object is related to a set of other TypeDefinitions: the expanded form of the type as well as the transitive closure of the types of struct fields and array elements. Because TypeDefinitions and some other system elements internally use raw pointers to refer to related TypeDefinitions, this entire set of type dependencies should stay alive while the GC object is alive.

The existing GC Object/TypeDefinition design uses GC object structures to retain the declared type of the object. Even if a GC object outlives its original Wasm instance, the structure stays alive together with the object and keeps the declared type alive. Unfortunately, as explained above, the declared type may depend on other types, but instances of those related types are not guaranteed to be around to keep their TypeDefinitions alive. The radar and the test case of this patch show an example of a struct A related to struct B, but without a live instance of B to keep struct B's TypeDefinition alive.

To address the root cause of this problem, we must make it so that for any GC object type T, all types T depends on are retained independently of the liveness of their own instances, for as long as there are live instances of T.

This patch makes WebAssemblyGCStructure collect and retain the set of all relevant TypeDefinitions. That includes the transitive closure of all TypeDefinitions reachable via struct fields and array elements, as well as the expanded and unexpanded forms of the declared type of the GC object. This set of dependencies is collected when the structure is created together with its Wasm instance, at a small fixed cost and with no runtime penalty.

(In the future, it might make sense to combine m_type and m_typeDependencies in WebAssemblyGCStructure and simplify instance creation by not requiring expanded and unexpanded types separately. However, at this time this code has outstanding parallel changes in two branches, so it will be easier to do such cleanups after these changes converge).

Originally-landed-as: 297297.432@safari-7622-branch (0ff0dfde5222).
rdar://164213794

Canonical link: https://commits.webkit.org/304281@main
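The retention problem the commit message describes, as an added illustrative model that is not JavaScriptCore code: `TypeDefinition`, `GCStructure`, `OldGCStructure`, `runScenario` and the type names `A`, `A.expanded` and `B` are all hypothetical stand-ins. A type definition holds raw, non-owning pointers to its field/element types and to its expanded form; the structure in the new scheme walks that graph once at creation (terminating on recursive types with a visited set) and keeps an owning reference to every definition it reaches, so a dependency such as B outlives the loss of its own owner. The old-scheme structure retains only the declared type, and the weak-pointer probe shows B being freed while A's raw pointer to it still exists.

```cpp
#include <memory>
#include <string>
#include <unordered_set>
#include <vector>

// Illustrative model, not JavaScriptCore code. A TypeDefinition refers to the
// types of its struct fields / array elements and to its expanded form through
// raw, non-owning pointers, which is why the whole dependency set must be kept
// alive for as long as the structure is.
struct TypeDefinition : std::enable_shared_from_this<TypeDefinition> {
    std::string name;
    std::vector<TypeDefinition*> referenced;  // field / element types (non-owning)
    TypeDefinition* expanded = nullptr;       // expanded form (non-owning)
};
using TypeRef = std::shared_ptr<TypeDefinition>;

// Model of the structure after the change: besides the declared type it owns a
// reference to every TypeDefinition transitively reachable from it.
class GCStructure {
public:
    explicit GCStructure(const TypeRef& declared) : m_type(declared) { collect(declared.get()); }
    size_t dependencyCount() const { return m_typeDependencies.size(); }
    bool retains(const TypeDefinition* t) const { return m_seen.count(t) != 0; }
private:
    // Depth-first walk over expanded form, fields and elements; the visited set
    // terminates the recursion on recursive (self-referential) types.
    void collect(TypeDefinition* t) {
        if (!t || !m_seen.insert(t).second) return;
        m_typeDependencies.push_back(t->shared_from_this());
        collect(t->expanded);
        for (TypeDefinition* r : t->referenced) collect(r);
    }
    TypeRef m_type;
    std::vector<TypeRef> m_typeDependencies;
    std::unordered_set<const TypeDefinition*> m_seen;
};

// Model of the old scheme: the structure retains only the declared type.
class OldGCStructure {
public:
    explicit OldGCStructure(const TypeRef& declared) : m_type(declared) {}
private:
    TypeRef m_type;
};

static TypeRef makeType(const std::string& name) {
    auto t = std::make_shared<TypeDefinition>();
    t->name = name;
    return t;
}

struct Outcome {
    bool bAliveWithClosure;     // new scheme: B survives the loss of its own owner
    bool bAliveWithoutClosure;  // old scheme: B is freed, A's pointer to it dangles
    size_t closureSize;         // number of definitions the new structure retains
};

// Constructed scenario in the spirit of the commit message: struct A has a field
// of struct type B and a recursive field of type A, A has an expanded form, and
// no instance of B exists to keep B alive once its owner goes away.
Outcome runScenario() {
    Outcome out{};
    {
        TypeRef a = makeType("A"), aExpanded = makeType("A.expanded"), b = makeType("B");
        a->expanded = aExpanded.get();
        a->referenced = { b.get(), a.get() };
        std::weak_ptr<TypeDefinition> watchB = b;
        GCStructure structure(a);
        out.closureSize = structure.dependencyCount();  // A, A.expanded, B
        aExpanded.reset();
        b.reset();  // the instance that owned B is gone
        out.bAliveWithClosure = !watchB.expired() && structure.retains(a->referenced[0]);
    }
    {
        TypeRef a = makeType("A"), b = makeType("B");
        a->referenced = { b.get() };
        std::weak_ptr<TypeDefinition> watchB = b;
        OldGCStructure structure(a);
        b.reset();
        out.bAliveWithoutClosure = !watchB.expired();  // false: a->referenced[0] now dangles
    }
    return out;
}
```

The closure is computed once when the structure is built, matching the "small fixed cost at creation, no runtime penalty" trade-off in the message; nothing on the object access path has to re-validate type pointers.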