247874 – [Wasm-GC] Fix refcounts for compound type definitions

RESOLVED FIXED 247874

[Wasm-GC] Fix refcounts for compound type definitions

https://bugs.webkit.org/show_bug.cgi?id=247874

Summary [Wasm-GC] Fix refcounts for compound type definitions

Asumu Takikawa

Reported 2022-11-13 19:02:56 PST

Currently the `JSTests/wasm/gc/sub.js` test suite can fail under certain conditions, e.g., running in continuous-collect mode. When running with ASAN, it reports a "heap-use-after-free" error. The problem is likely due to how refcounts are tracked for compound type definitions such as recursion groups and subtypes. For simple type definitions such as functions, structs, and arrays, the type signature list in a module holds RefPtrs to all the types. Compound types hold other types and must keep them live as well, in addition to the reference tracked by the module. This should just require some additional `ref/deref` at appropriate places (I'm not sure there is a good way to abstract this using Ref/RefPtr due to how type definitions are represented).

Attachments
Add attachment proposed patch, testcase, etc.

Asumu Takikawa

Comment 1 2022-11-15 13:46:01 PST

Pull request: https://github.com/WebKit/WebKit/pull/6527

EWS

Comment 2 2022-11-17 12:29:07 PST

Committed 256800@main (febd6818b5b7): <https://commits.webkit.org/256800@main> Reviewed commits have been landed. Closing PR #6527 and removing active labels.

Radar WebKit Bug Importer

Comment 3 2022-11-17 12:30:19 PST

<rdar://problem/102480670>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebAssembly

Assignee

Nobody

Reported

2022-11-13 19:02 PST

Modified

2022-11-17 12:30 PST History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks

247394

Dependencies

tree graph