Skip to content

Add missing stack map declaration for array.new_elem#12936

Merged
fitzgen merged 1 commit intobytecodealliance:mainfrom
fitzgen:array-new-elem-missing-stack-map
Apr 2, 2026
Merged

Add missing stack map declaration for array.new_elem#12936
fitzgen merged 1 commit intobytecodealliance:mainfrom
fitzgen:array-new-elem-missing-stack-map

Conversation

@fitzgen
Copy link
Copy Markdown
Member

@fitzgen fitzgen commented Apr 1, 2026

translate_array_new_elem created a GC reference (array ref) via a libcall but
did not call builder.declare_value_needs_stack_map() on the result. This meant
the reference was not included in stack maps at subsequent safepoints, so if a
GC occurred, the reference became stale (leading to use-after-free within the GC
heap sandbox).

Depends on #12935

@fitzgen fitzgen requested review from a team as code owners April 1, 2026 23:13
@fitzgen fitzgen requested review from cfallin and removed request for a team April 1, 2026 23:13
cfallin
cfallin approved these changes Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@cfallin cfallin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r+ on last commit

@github-actions github-actions Bot added cranelift Issues related to the Cranelift code generator cranelift:area:machinst Issues related to instruction selection and the new MachInst backend. labels Apr 2, 2026
@fitzgen
Add missing stack map declaration for array.new_elem
aaf4418 
`translate_array_new_elem` created a GC reference (array ref) via a libcall but
did not call `builder.declare_value_needs_stack_map()` on the result. This meant
the reference was not included in stack maps at subsequent safepoints, so if a
GC occurred, the reference became stale (leading to use-after-free within the GC
heap sandbox).
@fitzgen fitzgen force-pushed the array-new-elem-missing-stack-map branch from def2196 to aaf4418 Compare April 2, 2026 13:36
@fitzgen fitzgen enabled auto-merge April 2, 2026 13:36
@fitzgen fitzgen added this pull request to the merge queue Apr 2, 2026
Merged via the queue into bytecodealliance:main with commit e5b127c Apr 2, 2026
48 checks passed
@fitzgen fitzgen deleted the array-new-elem-missing-stack-map branch April 2, 2026 14:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cfallin cfallin cfallin approved these changes

Assignees

No one assigned

Labels

cranelift:area:machinst Issues related to instruction selection and the new MachInst backend. cranelift Issues related to the Cranelift code generator

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fitzgen @cfallin