Fix DRC panic when overwriting an i31ref slot#13307
Open
vouillon wants to merge 2 commits into bytecodealliance:main from
Conversation
Creates an `(array (mut anyref))` whose destination slots hold `i31ref`s and whose source slots hold `structref`s, then runs `array.copy`. Each element write hits the DRC `write_gc_ref` with `dest = Some(i31ref)` and a non-`i31ref` source: the higher-level write-barrier filter sees a real GC object on the source side and dispatches into the heap's barrier, which dec-refs the destination `i31ref`. Without the accompanying fix, this trips `debug_assert!(!gc_ref.is_i31())` inside `DrcHeap::dec_ref_and_maybe_dealloc`.
`DrcHeap::dec_ref_and_maybe_dealloc` lost its i31ref early-return when `dec_ref` was inlined into the deallocation loop, replacing the runtime check with a `debug_assert!(!gc_ref.is_i31())`. Callers like `write_gc_ref` (used by libcalls such as `array.copy`) hand the destination ref directly to `dec_ref_and_maybe_dealloc` without filtering i31s, so any write that overwrites an i31ref slot trips the assertion. Restore the i31 early-return at the entry of `dec_ref_and_maybe_dealloc`, matching the behavior of the original `dec_ref` helper.
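The interaction the description walks through is easiest to see on a toy model: a tagged reference type where i31s carry no reference count, a deferred-reference-counting heap whose `dec_ref_and_maybe_dealloc` has the deallocation loop inlined, and a write barrier that hands the old destination value to it unfiltered. The code below is an added illustration, not Wasmtime's code; `GcRef`, `DrcHeap`, `write_gc_ref`, the barrier filter and the `Err` standing in for the tripped `debug_assert!` are all assumptions made for the example. `reproduce(false)` models the pre-fix code path, `reproduce(true)` the path with the i31 early-return restored; both run the same `array.copy`-style overwrite of i31ref slots by structrefs, and the fixed path then goes on to show the cascading deallocation the loop exists for.

```rust
use std::collections::HashMap;

/// Toy GC reference (assumption, not Wasmtime's type): i31 values are tagged
/// scalars with no reference count; `Heap` refs index `DrcHeap::objects`.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum GcRef {
    I31(i32),
    Heap(u32),
}

impl GcRef {
    pub fn is_i31(self) -> bool {
        matches!(self, GcRef::I31(_))
    }
}

struct Object {
    count: u32,
    fields: Vec<Option<GcRef>>,
}

/// Toy deferred-reference-counting heap (assumption, not Wasmtime's `DrcHeap`).
pub struct DrcHeap {
    objects: HashMap<u32, Object>,
    next_id: u32,
    /// Whether `dec_ref_and_maybe_dealloc` keeps the i31 early-return (the fix).
    i31_early_return: bool,
    /// Ids freed so far, in order, so a caller can observe cascading frees.
    pub freed: Vec<u32>,
}

impl DrcHeap {
    pub fn new(i31_early_return: bool) -> Self {
        DrcHeap { objects: HashMap::new(), next_id: 0, i31_early_return, freed: Vec::new() }
    }

    /// Allocate an object with count 0 (it becomes live once stored somewhere)
    /// and take a reference on each heap object it points to.
    pub fn alloc(&mut self, fields: Vec<Option<GcRef>>) -> GcRef {
        for f in fields.iter().flatten() {
            self.inc_ref(*f);
        }
        let id = self.next_id;
        self.next_id += 1;
        self.objects.insert(id, Object { count: 0, fields });
        GcRef::Heap(id)
    }

    fn inc_ref(&mut self, r: GcRef) {
        if let GcRef::Heap(id) = r {
            self.objects.get_mut(&id).expect("live object").count += 1;
        }
    }

    /// Decrement `r`; when its count hits zero free it and push its children
    /// onto the worklist (the inlined deallocation loop). The `Err` models
    /// the `debug_assert!(!gc_ref.is_i31())` that the PR describes.
    pub fn dec_ref_and_maybe_dealloc(&mut self, r: GcRef) -> Result<(), &'static str> {
        if self.i31_early_return && r.is_i31() {
            return Ok(()); // restored early-return: i31s have no count to decrement
        }
        let mut worklist = vec![r];
        while let Some(cur) = worklist.pop() {
            let GcRef::Heap(id) = cur else {
                return Err("debug_assert!(!gc_ref.is_i31()) tripped");
            };
            let obj = self.objects.get_mut(&id).expect("live object");
            obj.count -= 1;
            if obj.count == 0 {
                let obj = self.objects.remove(&id).unwrap();
                self.freed.push(id);
                // Children lose one reference each; i31 children are never counted.
                worklist.extend(obj.fields.into_iter().flatten().filter(|c| !c.is_i31()));
            }
        }
        Ok(())
    }

    /// Write barrier (simplified): skip the heap when neither side is a real
    /// GC object, otherwise inc-ref the source and dec-ref whatever `dest`
    /// held, without filtering i31s on the destination side.
    pub fn write_gc_ref(&mut self, dest: &mut Option<GcRef>, src: Option<GcRef>) -> Result<(), &'static str> {
        let involves_heap = src.map_or(false, |s| !s.is_i31()) || dest.map_or(false, |d| !d.is_i31());
        if involves_heap {
            if let Some(s) = src {
                self.inc_ref(s);
            }
            if let Some(old) = *dest {
                self.dec_ref_and_maybe_dealloc(old)?;
            }
        }
        *dest = src;
        Ok(())
    }
}

/// Constructed scenario: an `(array (mut anyref))` whose destination slots hold
/// i31refs and whose source slots hold structrefs, then an `array.copy`.
/// Returns the ids freed by the end, or the modelled assertion failure.
pub fn reproduce(i31_early_return: bool) -> Result<Vec<u32>, &'static str> {
    let mut heap = DrcHeap::new(i31_early_return);
    let c = heap.alloc(vec![]);        // id 0
    let a = heap.alloc(vec![]);        // id 1
    let b = heap.alloc(vec![Some(c)]); // id 2, holds a reference to c
    let mut slots: Vec<Option<GcRef>> = vec![None; 4];
    heap.write_gc_ref(&mut slots[0], Some(GcRef::I31(1)))?;
    heap.write_gc_ref(&mut slots[1], Some(GcRef::I31(2)))?;
    heap.write_gc_ref(&mut slots[2], Some(a))?;
    heap.write_gc_ref(&mut slots[3], Some(b))?;
    // array.copy dst=0 src=2 len=2: every write overwrites an i31ref with a structref.
    for i in 0..2 {
        let src = slots[i + 2];
        heap.write_gc_ref(&mut slots[i], src)?;
    }
    // Drop both references to `b`; freeing it cascades to `c` through the loop.
    heap.write_gc_ref(&mut slots[1], Some(GcRef::I31(7)))?;
    heap.write_gc_ref(&mut slots[3], Some(GcRef::I31(7)))?;
    Ok(heap.freed)
}

fn main() {
    println!("without early-return: {:?}", reproduce(false));
    println!("with early-return:    {:?}", reproduce(true));
}
```

The barrier's source-side filter is what makes the pre-fix path reachable: it decides whether to enter the heap by looking at whether a real object is involved, and then unconditionally dec-refs the old destination, so the entry check inside `dec_ref_and_maybe_dealloc` is the only place that protects an i31 destination.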
cc @fitzgen

This issue or pull request has been labeled: "wasmtime:api", "wasmtime:ref-types". Thus the following users have been cc'd because of the following labels:

To subscribe or unsubscribe from this label, edit the |
Add an i31 early-return at the entry of `DrcHeap::dec_ref_and_maybe_dealloc`, matching the behavior of the original `dec_ref` helper.

`dec_ref_and_maybe_dealloc` lost its i31ref early-return when `dec_ref` was inlined into the deallocation loop (commit 5cca437 in #12974), replacing the runtime check with a `debug_assert!(!gc_ref.is_i31())`. Callers like `write_gc_ref` (used by libcalls such as `array.copy`) hand the destination ref directly to `dec_ref_and_maybe_dealloc` without filtering i31s, so any write that overwrites an i31ref slot trips the assertion.