Bug 307564
| Summary: | JSPI polish: revise the scanning of EvacuatedStackSlices | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Vassili Bykov <v_bykov> |
| Component: | JavaScriptCore | Assignee: | Vassili Bykov <v_bykov> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Vassili Bykov
In the MVP, EvacuatedStackSlices are registered as conservative roots. It's possible, even if unlikely, to have a WasmGC object in an evacuated slice that transitively references the PinballCompletion owning the slice. If the suspending promise of that pinball is forgotten everywhere else and never resolved, the remaining reference from the evacuated stack will keep it alive forever. Because evacuated stacks are conceptually owned by a pinball, they should be scanned as part of its children, not be treated as independent roots.
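A toy mark phase showing the retention described in the report above, added here as an illustration; it is not code from WebKit or from the pull request. The three-cell graph and the names `ToyHeap`, `buildHeap` and `survivorsAfterPromiseForgotten` are hypothetical, and conservative scanning of the slice is simplified to a single exact edge.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Toy model only; cell names follow the report, nothing here is JavaScriptCore code.
constexpr std::size_t Pinball = 0, Slice = 1, WasmObject = 2, CellCount = 3;

struct ToyHeap {
    std::vector<std::vector<std::size_t>> edges;  // edges[c] = cells that c references
    std::set<std::size_t> independentRoots;       // scanned on every collection
    ToyHeap() : edges(CellCount) {}

    // Mark from the independent roots plus whatever the program still
    // references (externalRoots); the returned set is what survives.
    std::set<std::size_t> collect(const std::set<std::size_t>& externalRoots) const {
        std::set<std::size_t> marked;
        std::vector<std::size_t> worklist(independentRoots.begin(), independentRoots.end());
        worklist.insert(worklist.end(), externalRoots.begin(), externalRoots.end());
        while (!worklist.empty()) {
            std::size_t cell = worklist.back();
            worklist.pop_back();
            if (!marked.insert(cell).second)
                continue;  // already visited
            for (std::size_t child : edges[cell])
                worklist.push_back(child);
        }
        return marked;
    }
};

// sliceIsRoot = true: slice registered as a root (the MVP behaviour).
// sliceIsRoot = false: slice reached only as a child of its pinball.
ToyHeap buildHeap(bool sliceIsRoot) {
    ToyHeap heap;
    heap.edges[Slice] = {WasmObject};    // a stack slot holds a WasmGC object
    heap.edges[WasmObject] = {Pinball};  // which leads back to the owning pinball
    if (sliceIsRoot)
        heap.independentRoots.insert(Slice);
    else
        heap.edges[Pinball] = {Slice};
    return heap;
}

// Cells still alive once nothing outside the cycle references the pinball.
std::size_t survivorsAfterPromiseForgotten(bool sliceIsRoot) {
    return buildHeap(sliceIsRoot).collect({}).size();
}

int main() {
    std::printf("slice as root:  %zu cells leaked\n", survivorsAfterPromiseForgotten(true));
    std::printf("slice as child: %zu cells leaked\n", survivorsAfterPromiseForgotten(false));
}
```

With the slice as a root, all three cells survive a collection that has no outside references; with the slice scanned as a child, the whole cycle is collected, while a pinball that is still referenced keeps its slice alive as before.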
Radar WebKit Bug Importer
<rdar://problem/170156450>
Vassili Bykov
Pull request: https://github.com/WebKit/WebKit/pull/62925
EWS
Committed 312253@main (4c00d7bcee95): <https://commits.webkit.org/312253@main>
Reviewed commits have been landed. Closing PR #62925 and removing active labels.