Bug 247874 - [Wasm-GC] Fix refcounts for compound type definitions
Summary: [Wasm-GC] Fix refcounts for compound type definitions
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebAssembly (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks: 247394
Reported: 2022-11-13 19:02 PST by Asumu Takikawa
Modified: 2022-11-17 12:30 PST (History)
Description Asumu Takikawa 2022-11-13 19:02:56 PST
Currently the `JSTests/wasm/gc/sub.js` test suite can fail under certain conditions, e.g., running in continuous-collect mode. When running with ASAN, it reports a "heap-use-after-free" error.

The problem is likely due to how refcounts are tracked for compound type definitions such as recursion groups and subtypes. For simple type definitions such as functions, structs, and arrays, the type signature list in a module holds RefPtrs to all the types. Compound types hold other types and must keep them live as well, in addition to the reference tracked by the module. This should just require some additional `ref/deref` at appropriate places (I'm not sure there is a good way to abstract this using Ref/RefPtr due to how type definitions are represented).
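The refcount discipline the description asks for, as an added illustration in plain C++ that is not WebKit's code: a compound definition (here a recursion group) must `ref()` the definitions it holds and `deref()` them when it dies, otherwise a member released by the module's signature list is freed while the group still points at it. The class names, and the `destroyed` flag used in place of actually freed memory, are assumptions of this example.

```cpp
#include <cassert>
#include <utility>
#include <vector>

// Minimal stand-in for a refcounted type definition (assumed shape, not WebKit's).
struct TypeDefinition {
    int refCount = 1;        // the module's signature list holds the first reference
    bool destroyed = false;  // set when the count hits zero; models freed memory
    void ref() { ++refCount; }
    void deref() { assert(refCount > 0); if (--refCount == 0) destroyed = true; }
};

// Buggy compound definition: keeps raw pointers to its members without ref().
struct RecursionGroupNoRef {
    std::vector<TypeDefinition*> members;
    explicit RecursionGroupNoRef(std::vector<TypeDefinition*> m) : members(std::move(m)) {}
};

// Fixed compound definition: takes a reference on each member for its own lifetime.
struct RecursionGroup {
    std::vector<TypeDefinition*> members;
    explicit RecursionGroup(std::vector<TypeDefinition*> m) : members(std::move(m)) {
        for (auto* t : members) t->ref();
    }
    ~RecursionGroup() { for (auto* t : members) t->deref(); }
    RecursionGroup(const RecursionGroup&) = delete;
    RecursionGroup& operator=(const RecursionGroup&) = delete;
};

// Module drops its signature-list reference while the group is still alive.
// Returns true if the member survives, i.e. the group kept it live.
template <typename Group>
bool memberLiveAfterModuleDrop() {
    TypeDefinition member;          // refCount == 1, owned by the module's list
    Group group({&member});         // compound type now also points at it
    member.deref();                 // module releases its reference
    return !member.destroyed;       // buggy group: already freed (use-after-free)
}

// The fix must also balance: once the group and the module both let go,
// the member's count reaches exactly zero (no leak, no double free).
bool refcountBalanced() {
    TypeDefinition member;
    { RecursionGroup group({&member}); }  // group derefs on destruction
    member.deref();                        // module releases its reference
    return member.refCount == 0 && member.destroyed;
}
```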
Comment 1 Asumu Takikawa 2022-11-15 13:46:01 PST
Pull request: https://github.com/WebKit/WebKit/pull/6527
Comment 2 EWS 2022-11-17 12:29:07 PST
Committed 256800@main (febd6818b5b7): <https://commits.webkit.org/256800@main>

Reviewed commits have been landed. Closing PR #6527 and removing active labels.
Comment 3 Radar WebKit Bug Importer 2022-11-17 12:30:19 PST
<rdar://problem/102480670>