307564 – JSPI polish: revise the scanning of EvacuatedStackSlices

RESOLVED FIXED307564

JSPI polish: revise the scanning of EvacuatedStackSlices

https://bugs.webkit.org/show_bug.cgi?id=307564

Summary JSPI polish: revise the scanning of EvacuatedStackSlices

Vassili Bykov

Reported 2026-02-11 10:11:29 PST

In the MVP, EvacuatedStackSlices are registered as conservative roots. It's possible, even if unlikely, to have a WasmGC object in an evacuated slice that transitively references the PinballCompletion owning the slice. If the suspending promise of that pinball is forgotten everywhere else and never resolved, the remaining reference from the evacuated stack will keep it alive forever. Because evacuated stacks are conceptually owned by a pinball, they should be scanned as part of its children, not be treated as independent roots.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2026-02-11 10:11:35 PST

<rdar://problem/170156450>

Vassili Bykov

Comment 2 2026-04-16 14:43:25 PDT

Pull request: https://github.com/WebKit/WebKit/pull/62925

EWS

Comment 3 2026-04-28 18:09:04 PDT

Committed 312253@main (4c00d7bcee95): <https://commits.webkit.org/312253@main> Reviewed commits have been landed. Closing PR #62925 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Vassili Bykov

Reported

2026-02-11 10:11 PST

Modified

2026-04-28 18:09 PDT History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks