Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 70ce977b3a9f54ffd4e29817fea13b9729d82545
https://github.com/WebKit/WebKit/commit/70ce977b3a9f54ffd4e29817fea13b9729d82545
  Author: Yusuke Suzuki <[email protected]>
  Date:   2025-01-29 (Wed, 29 Jan 2025)

  Changed paths:
    A JSTests/wasm/stress/array-element-creation.js
    A JSTests/wasm/stress/resources/array-element-creation.wasm
    M Source/JavaScriptCore/wasm/WasmOperations.cpp
    M Source/JavaScriptCore/wasm/WasmOperationsInlines.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h

  Log Message:
  -----------
  [JSC] WasmGC Array is broken for GC
https://bugs.webkit.org/show_bug.cgi?id=285580
rdar://141144921

Reviewed by Keith Miller.

WasmGC Array is broken for GC in multiple ways. We carefully reviewed WasmGC
Array implementation. We found many issues, and this patch fixes them.

1. Doing GC while putting GC values in FixedVector. That's totally
   wrong. We fixed it by first creating WasmGC Array and modifying the
   contents later.
2. arrayNewElem is always creating an I64 array, which is broken. We should
   create a specified typed array.
3. WasmGC Array copy implementation is using std::copy even for
   overlapping region. That's totally wrong, and it should use memmove.
   For GC-ref-types, we should use gcSafeMemmove.

* JSTests/wasm/stress/array-element-creation.js: Added.
* JSTests/wasm/stress/resources/array-element-creation.wasm: Added.
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
(JSC::Wasm::fillArray):
(JSC::Wasm::arrayNew):
(JSC::Wasm::copyElementsInReverse):
(JSC::Wasm::arrayNewFixed):
(JSC::Wasm::createArrayFromDataSegment):
(JSC::Wasm::arrayNewData):
(JSC::Wasm::arrayNewElem):
(JSC::Wasm::arrayInitElem):
(JSC::Wasm::arrayInitData):
(JSC::Wasm::createArrayValue): Deleted.
(JSC::Wasm::createArrayFromElementSegment): Deleted.
* Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.cpp:
(JSC::JSWebAssemblyArray::JSWebAssemblyArray):
(JSC::JSWebAssemblyArray::fill):
(JSC::JSWebAssemblyArray::copy):
(JSC::JSWebAssemblyArray::visitChildrenImpl):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyArray.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:
(JSC::JSWebAssemblyInstance::copyDataSegment):
(JSC::JSWebAssemblyInstance::copyElementSegment):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h:

Originally-landed-as: ac2bd207812a. rdar://143529972
Canonical link: https://commits.webkit.org/289530@main
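
The third bug in the log message above (std::copy on an overlapping region) is easy to reproduce outside the engine. The following is an added illustration, not WebKit code: it uses a plain `std::vector<uint32_t>` instead of `JSWebAssemblyArray`, a hypothetical `naiveForwardCopy` standing in for a std::copy-style forward loop, and a hypothetical `arrayCopy` that mirrors the bounds-check-then-copy shape of wasm `array.copy` (returning `false` where the instruction would trap) and uses `memmove`. It handles unboxed scalars only; the GC-safe move the patch needs for reference-typed arrays (`gcSafeMemmove`) is not reproduced here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical element-wise forward copy, standing in for a std::copy-style
// loop. Correct only when the ranges do not overlap or dst lies below src.
static void naiveForwardCopy(uint32_t* dst, const uint32_t* src, size_t count)
{
    for (size_t i = 0; i < count; ++i)
        dst[i] = src[i];
}

// Hypothetical bounds-checked copy in the style of wasm array.copy: returns
// false where the instruction would trap, and uses memmove so that src and
// dst may be the same buffer with overlapping ranges. For arrays of GC
// references a real engine additionally needs a GC-safe move; this example
// only handles unboxed scalars.
static bool arrayCopy(std::vector<uint32_t>& dst, size_t dstOffset,
    const std::vector<uint32_t>& src, size_t srcOffset, size_t count)
{
    // Subtract-before-compare keeps the check free of integer overflow.
    if (dstOffset > dst.size() || count > dst.size() - dstOffset)
        return false;
    if (srcOffset > src.size() || count > src.size() - srcOffset)
        return false;
    std::memmove(dst.data() + dstOffset, src.data() + srcOffset, count * sizeof(uint32_t));
    return true;
}

// Constructed input: shift the first four elements of {1,2,3,4,5} right by
// one. The destination starts above the source, so a forward loop overwrites
// elements it has not yet read.
std::vector<uint32_t> shiftRightNaive()
{
    std::vector<uint32_t> a { 1, 2, 3, 4, 5 };
    naiveForwardCopy(a.data() + 1, a.data(), 4);
    return a; // {1,1,1,1,1}: corrupted
}

std::vector<uint32_t> shiftRightSafe()
{
    std::vector<uint32_t> a { 1, 2, 3, 4, 5 };
    arrayCopy(a, 1, a, 0, 4);
    return a; // {1,1,2,3,4}: expected
}

// Same overlap in the other direction: the naive loop happens to produce the
// right answer, which is why a test that only copies downward misses the bug.
std::vector<uint32_t> shiftLeftNaive()
{
    std::vector<uint32_t> a { 1, 2, 3, 4, 5 };
    naiveForwardCopy(a.data(), a.data() + 1, 4);
    return a; // {2,3,4,5,5}
}

// Out-of-range request: wasm array.copy traps; here it is reported as false
// and the array is left untouched.
bool copyOutOfBoundsRejected()
{
    std::vector<uint32_t> a { 1, 2, 3, 4, 5 };
    return !arrayCopy(a, 4, a, 0, 2) && a == std::vector<uint32_t> { 1, 2, 3, 4, 5 };
}

static void print(const char* label, const std::vector<uint32_t>& v)
{
    std::printf("%s:", label);
    for (uint32_t x : v)
        std::printf(" %u", x);
    std::printf("\n");
}

int main()
{
    print("naive shift right", shiftRightNaive());
    print("memmove shift right", shiftRightSafe());
    print("naive shift left", shiftLeftNaive());
    std::printf("out-of-bounds rejected: %s\n", copyOutOfBoundsRejected() ? "yes" : "no");
    return 0;
}
```

The direction dependence is the practical lesson: a copy routine that is only exercised with the source above the destination passes every test and still corrupts data on the other overlap, which is what makes `memmove` (or a reverse-iterating copy when the destination lies above the source) the correct default for same-array copies.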

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes