Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5aa58c4befda2768d7af925efc177494ea0b5a52
      
https://github.com/WebKit/WebKit/commit/5aa58c4befda2768d7af925efc177494ea0b5a52
  Author: Vassili Bykov <[email protected]>
  Date:   2026-05-05 (Tue, 05 May 2026)

  Changed paths:
    M Source/JavaScriptCore/heap/Heap.cpp
    M Source/JavaScriptCore/heap/MarkedSpace.cpp
    M Source/JavaScriptCore/heap/MarkedSpace.h

  Log Message:
  -----------
[JSC][JSPI] PinballCompletion constraint should call .prepareForConservativeScan()
https://bugs.webkit.org/show_bug.cgi?id=313828
rdar://176032974

Reviewed by Keith Miller.

This is a follow-up to the patch that introduced the "Pbc" (Pinball Completions) GC
constraint: https://github.com/WebKit/WebKit/pull/62925

The new constraint implicitly relies on the precise allocations snapshot, prepared by
MarkedSpace::prepareForConservativeScan() and used by ConservativeRoots::genericAddPointer(),
to be up-to-date. The snapshot is prepared by the "Cs" constraint but not by "Pbc" itself.
This only works when "Cs" runs prior to "Pbc" within the same fixpoint, which is the case
in the first two fixpoint iterations. In later iterations, the ordering is not guaranteed
as constraints are ordered by work estimates. If "Pbc" runs with a stale snapshot, the
allocations may have grown in the meantime, causing genericAddPointer() to read from a freed
buffer.

The fix is to call prepareForConservativeScan() in the "Pbc" constraint before the scan.
To avoid redundant work on repeated calls within a single stop-the-world pause, a
MarkedSpace::m_conservativeScanIsPrepared flag is added. prepareForConservativeScan()
skips the sort if the flag is already set. The flag is cleared by
MarkedSpace::resumeAllocating(), which runs every time the world resumes, ensuring the
precise allocations snapshot is rebuilt later after the mutator has had a chance to
allocate.

Testing: covered by the existing JSPI tests in an ASAN build.

* Source/JavaScriptCore/heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* Source/JavaScriptCore/heap/MarkedSpace.cpp:
(JSC::MarkedSpace::prepareForConservativeScan):
(JSC::MarkedSpace::resumeAllocating):
* Source/JavaScriptCore/heap/MarkedSpace.h:

Canonical link: https://commits.webkit.org/312626@main
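The prepare/resume flag discipline the commit describes, as an added model that is not WebKit code: `PreciseAllocationsModel`, its `allocate()` helper, `snapshotContains()` and `sortCount` are assumptions of this example, while the snapshot copy stands in for the real sorted precise-allocations view so a stale snapshot here merely misses a new allocation instead of dangling into a freed buffer.

```cpp
// Added example, not JavaScriptCore code. Models the idempotent
// prepareForConservativeScan() / resumeAllocating() pair from the commit
// message; the data layout and helper names are assumptions of this model.
#include <algorithm>
#include <cstdint>
#include <vector>

struct PreciseAllocationsModel {
    std::vector<uintptr_t> allocations;      // mutator-visible precise allocations
    std::vector<uintptr_t> snapshot;         // sorted copy consulted by the conservative scan
    bool conservativeScanIsPrepared = false; // stands in for m_conservativeScanIsPrepared
    int sortCount = 0;                       // how many times the snapshot was rebuilt

    void allocate(uintptr_t addr) { allocations.push_back(addr); }

    // Rebuild the sorted snapshot unless it was already built during the
    // current stop-the-world pause (the flag makes repeated calls cheap).
    void prepareForConservativeScan() {
        if (conservativeScanIsPrepared)
            return;
        snapshot = allocations;
        std::sort(snapshot.begin(), snapshot.end());
        ++sortCount;
        conservativeScanIsPrepared = true;
    }

    // Runs whenever the mutator resumes: whatever it allocates next makes
    // the snapshot stale, so force a rebuild at the next prepare.
    void resumeAllocating() { conservativeScanIsPrepared = false; }

    // Stand-in for the lookup genericAddPointer() performs against the snapshot.
    bool snapshotContains(uintptr_t candidate) const {
        return std::binary_search(snapshot.begin(), snapshot.end(), candidate);
    }

    // What the fixed "Pbc" constraint does: prepare first, then scan. A
    // constraint that skipped the prepare would consult the last-built snapshot.
    bool scanWithPrepare(uintptr_t candidate) {
        prepareForConservativeScan();
        return snapshotContains(candidate);
    }
};
```

In the scenario from the message, "Cs" and "Pbc" in the same pause trigger one sort; after the world resumes and the mutator allocates, only a constraint that prepares before scanning sees the new allocation.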
