Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 24362e675175d25b0f1716c0590a94e930796b18
      
https://github.com/WebKit/WebKit/commit/24362e675175d25b0f1716c0590a94e930796b18
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-06-10 (Wed, 10 Jun 2026)

  Changed paths:
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
    M Source/JavaScriptCore/wasm/WasmCallee.cpp
    M Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp
    M Source/JavaScriptCore/wasm/WasmModuleInformation.cpp
    M Source/JavaScriptCore/wasm/WasmModuleInformation.h
    M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
    M Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp
    M Source/JavaScriptCore/wasm/WasmPlan.cpp
    M Source/JavaScriptCore/wasm/WasmSectionParser.cpp
    M Source/JavaScriptCore/wasm/WasmStreamingParser.cpp
    M Source/JavaScriptCore/wasm/debugger/WasmModuleDebugInfo.cpp
    M Source/WebCore/css/SelectorChecker.cpp

  Log Message:
  -----------
  [JSC] Make wasm name section parsing threadsafe
https://bugs.webkit.org/show_bug.cgi?id=309538
rdar://172053974

Reviewed by Yusuke Suzuki.

There is a race when parsing the wasm "name" custom section. Compiler threads
and the main thread may race on access of the name section.

This PR fixes the race by making the name section go through a rel/acq
accessor. Lifetime safety is upkept by holding onto the retired name section
(the initial empty one) when the parser finishes parsing a name section. For
simplicity, all name sections after the first one are ignored, as there is
no normative requirement on custom sections.

No test added as manual sleeping is required to widen the window to reproduce.

* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addTopLevel):
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::OptimizingJITCallee::addCodeOrigin):
* Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp:
(JSC::Wasm::IPIntPlan::compileFunction):
* Source/JavaScriptCore/wasm/WasmModuleInformation.cpp:
(JSC::Wasm::ModuleInformation::ModuleInformation):
(JSC::Wasm::ModuleInformation::setNameSection):
* Source/JavaScriptCore/wasm/WasmModuleInformation.h:
* Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::work):
* Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp:
(JSC::Wasm::OSREntryPlan::work):
* Source/JavaScriptCore/wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::signpostMessage const):
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseCustom):
* Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:
(JSC::Wasm::StreamingParser::finalize):

Originally-landed-as: 305413.432@rapid/safari-7624.2.5.110-branch (935ddf64e1d2). rdar://176067717
Canonical link: https://commits.webkit.org/314992@main
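The accessor pattern the commit message describes (a pointer published with a release store and read with an acquire load, an initial empty section that is retained rather than freed when the parsed one replaces it, and any name section after the first ignored), as an added C++ illustration. This is not WebKit's code: `NameSection`, `ModuleInformation`, `setNameSection`, `nameSection()`, `lookupName` and `makeSection` are hypothetical stand-ins for the JSC types and functions, and the sketch assumes a single parser thread calls `setNameSection` while any number of compiler threads call `nameSection()`.

```cpp
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <string>
#include <thread>
#include <unordered_map>
#include <vector>

// Hypothetical stand-in for JSC's parsed "name" custom section:
// function index -> debug name.
struct NameSection {
    std::unordered_map<uint32_t, std::string> functionNames;
};

// Hypothetical stand-in for JSC's ModuleInformation, reduced to the name section.
// Assumption: exactly one thread (the section parser) calls setNameSection();
// any number of compiler threads may call nameSection() concurrently.
class ModuleInformation {
public:
    // Install an empty section up front so readers never see a null pointer.
    ModuleInformation()
        : m_initialNameSection(std::make_unique<NameSection>())
        , m_nameSection(m_initialNameSection.get()) { }

    // Reader side. The acquire load pairs with the release store below: a thread
    // that observes the new pointer also observes the fully populated map behind it.
    const NameSection& nameSection() const
    {
        return *m_nameSection.load(std::memory_order_acquire);
    }

    // Writer side. Only the first name section is installed; later ones are
    // ignored. Returns whether this call installed the section.
    bool setNameSection(std::unique_ptr<NameSection> section)
    {
        if (m_parsedNameSection)
            return false;
        m_parsedNameSection = std::move(section);
        // The retired initial section is deliberately kept alive: a reader may have
        // taken a reference to it just before this store and still be using it.
        m_nameSection.store(m_parsedNameSection.get(), std::memory_order_release);
        return true;
    }

private:
    std::unique_ptr<NameSection> m_initialNameSection; // retired, but retained
    std::unique_ptr<NameSection> m_parsedNameSection;  // current once parsed
    std::atomic<const NameSection*> m_nameSection;     // what readers dereference
};

// Lookup as a compiler thread would do it; empty string when no name is known.
std::string lookupName(const ModuleInformation& info, uint32_t functionIndex)
{
    const auto& names = info.nameSection().functionNames;
    auto it = names.find(functionIndex);
    return it == names.end() ? std::string() : it->second;
}

// Constructed section standing in for parser output (not a real module's names).
std::unique_ptr<NameSection> makeSection(const std::string& nameOfFunction0)
{
    auto section = std::make_unique<NameSection>();
    section->functionNames[0] = nameOfFunction0;
    return section;
}

// Lifetime property: a reference obtained before parsing finished still points at
// valid (empty) storage after the swap, because the initial section is retained.
bool retiredSectionStaysValid()
{
    ModuleInformation info;
    const NameSection& early = info.nameSection();
    info.setNameSection(makeSection("main"));
    return early.functionNames.empty() && lookupName(info, 0) == "main";
}

// Simplification property: a second name section is ignored, not installed.
bool secondNameSectionIgnored()
{
    ModuleInformation info;
    bool first = info.setNameSection(makeSection("main"));
    bool second = info.setNameSection(makeSection("ignored"));
    return first && !second && lookupName(info, 0) == "main";
}

int main()
{
    // Stand-alone stress of the described race: readers spin on the accessor while
    // the "parser" publishes. Any name other than "" or "main" would be a torn read.
    ModuleInformation info;
    std::atomic<bool> stop { false };
    std::vector<std::thread> readers;
    for (int i = 0; i < 4; ++i)
        readers.emplace_back([&] {
            while (!stop.load(std::memory_order_relaxed)) {
                std::string name = lookupName(info, 0);
                if (!name.empty() && name != "main")
                    std::abort();
            }
        });
    info.setNameSection(makeSection("main"));
    stop.store(true, std::memory_order_relaxed);
    for (auto& reader : readers)
        reader.join();
    std::printf("function 0 is named \"%s\"\n", lookupName(info, 0).c_str());
    return 0;
}
```

Two things the sketch makes concrete. Without the release/acquire pair, a compiler thread could observe the new pointer before the map writes that populate it, so a plain pointer assignment is not enough. And if the initial empty section were freed at the swap, a reader that fetched the old pointer a moment earlier would be left with a dangling reference; keeping both sections alive for the lifetime of the owning object closes that window without any locking on the read path. As the commit message notes, the window is too narrow to reproduce reliably in a test, which is why the stress loop in `main` is only a sanity check, not proof.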
