RESOLVED FIXED 266043
[Wasm-GC] Fix missing write barrier in BBQJIT struct.set
https://bugs.webkit.org/show_bug.cgi?id=266043
Summary [Wasm-GC] Fix missing write barrier in BBQJIT struct.set
Asumu Takikawa
Reported 2023-12-07 17:02:39 PST
The following test crashes in the BBQJIT tier:

```
//@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true")
import * as assert from "../assert.js";
import { compile, instantiate } from "./wast-wrapper.js";

const m1 = instantiate(`
  (module
    (type (struct (field i32)))
    (type (struct (field (mut (ref null 0)))))
    (func (export "f") (result (ref any))
      (struct.new 1 (ref.null 0)))
  )
`);

const struct = m1.exports.f();
gc();

const m2 = instantiate(`
  (module
    (type (struct (field i32)))
    (type (struct (field (mut (ref null 0)))))
    (func (export "g") (param (ref 1))
      (struct.set 1 0 (local.get 0) (struct.new 0 (i32.const 42))))
    (func (export "h") (param (ref 1)) (result i32)
      (struct.get 0 0 (struct.get 1 0 (local.get 0))))
  )
`);

m2.exports.g(struct);
edenGC();
assert.equals(m2.exports.h(struct), 42);
```

This is due to a missing write barrier, ensuring that the old object from module m1 has a reference to a new object in module m2 that will be traced.
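The failure mode the report describes, as an added illustration that is not part of the bug or of WebKit's code: a toy generational heap in JavaScript with an eden (young) space, an old space and a remembered set. The `Heap` class, its method names and the `scenario` driver are all constructed for this example; it models the test above (outer struct allocated, promoted by a full `gc()`, then `struct.set` of a freshly allocated inner struct, then `edenGC()`). With the barrier the old-to-young store is recorded and the eden collection keeps the inner struct; without it the inner struct is swept while the old struct still points at it, which the simulation reports as `undefined` where a real engine would read freed memory.

```javascript
// Constructed toy generational collector (not JSC's implementation).
// Young objects live in `eden`; a full GC promotes survivors to `old`.
// An eden-only GC scans roots plus the remembered set, and deliberately
// does NOT rescan other old objects, so an old->young pointer stored
// without a write barrier is invisible to it.
class Heap {
  constructor() {
    this.eden = new Set();       // young objects
    this.old = new Set();        // promoted objects
    this.remembered = new Set(); // old objects known to point into eden
    this.roots = new Set();      // e.g. JS locals holding a reference
  }

  alloc(fields) {
    const obj = { fields: { ...fields } };
    this.eden.add(obj);
    return obj;
  }

  isYoung(obj) { return this.eden.has(obj); }
  isLive(obj) { return this.eden.has(obj) || this.old.has(obj); }

  // The correct path: record the store if it creates an old->young edge.
  storeWithBarrier(obj, field, value) {
    obj.fields[field] = value;
    if (!this.isYoung(obj) && value !== null && this.isYoung(value)) {
      this.remembered.add(obj);
    }
  }

  // The buggy path from the report: the pointer is written, nothing is recorded.
  storeNoBarrier(obj, field, value) {
    obj.fields[field] = value;
  }

  // Full collection: trace everything from roots, promote all survivors.
  fullGC() {
    const reached = new Set();
    const worklist = [...this.roots];
    while (worklist.length) {
      const o = worklist.pop();
      if (o === null || reached.has(o)) continue;
      reached.add(o);
      for (const v of Object.values(o.fields)) {
        if (v !== null && typeof v === "object") worklist.push(v);
      }
    }
    this.eden.clear();
    this.old = reached;
    this.remembered.clear();
  }

  // Eden collection: old objects are assumed already marked from the previous
  // cycle and are only rescanned if the barrier put them in the remembered set.
  edenGC() {
    const survivors = new Set();
    const visited = new Set();
    const worklist = [...this.roots, ...this.remembered];
    while (worklist.length) {
      const o = worklist.pop();
      if (o === null || visited.has(o)) continue;
      visited.add(o);
      const young = this.eden.has(o);
      if (young) survivors.add(o);
      if (young || this.remembered.has(o)) {
        for (const v of Object.values(o.fields)) {
          if (v !== null && typeof v === "object") worklist.push(v);
        }
      }
    }
    this.eden.clear(); // anything young and unreached is swept here
    for (const s of survivors) this.old.add(s);
    this.remembered.clear();
  }
}

// Replays the report's sequence: returns 42 if the inner struct survived,
// undefined if the old struct now holds a dangling reference.
function scenario(useBarrier) {
  const heap = new Heap();
  const outer = heap.alloc({ f: null });      // m1: struct.new 1 (ref.null 0)
  heap.roots.add(outer);                      // held by the JS variable `struct`
  heap.fullGC();                              // gc(): outer is promoted to old space
  const inner = heap.alloc({ x: 42 });        // m2.g: struct.new 0 (i32.const 42)
  if (useBarrier) heap.storeWithBarrier(outer, "f", inner); // fixed struct.set
  else heap.storeNoBarrier(outer, "f", inner);              // BBQJIT struct.set before the fix
  heap.edenGC();                              // edenGC()
  const target = outer.fields.f;              // m2.h: struct.get 1 0, then struct.get 0 0
  return heap.isLive(target) ? target.fields.x : undefined;
}

console.log("with barrier:", scenario(true), "without barrier:", scenario(false));
```

Running the block prints `with barrier: 42 without barrier: undefined`; the second result is the simulated counterpart of the crash in the report, since the old object's field still points at storage the eden collection has reclaimed.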
Asumu Takikawa
Comment 1 2023-12-07 17:33:34 PST
EWS
Comment 2 2023-12-08 09:45:41 PST
Committed 271740@main (50def56d3557): <https://commits.webkit.org/271740@main> Reviewed commits have been landed. Closing PR #21484 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2023-12-08 09:46:15 PST