Skip to content

[libpas] atomic-load gets CSE-ed while it can be changed concurrently#62315

Merged
webkit-commit-queue merged 1 commit intoWebKit:mainfrom
Constellation:eng/libpas-atomic-load-gets-CSE-ed-while-it-can-be-changed-concurrently
Apr 9, 2026
Merged

[libpas] atomic-load gets CSE-ed while it can be changed concurrently#62315
webkit-commit-queue merged 1 commit intoWebKit:mainfrom
Constellation:eng/libpas-atomic-load-gets-CSE-ed-while-it-can-be-changed-concurrently

Conversation

@Constellation
Copy link
Copy Markdown
Member

@Constellation Constellation commented Apr 8, 2026
edited by webkit-early-warning-system
Loading

75529ed

[libpas] atomic-load gets CSE-ed while it can be changed concurrently
https://bugs.webkit.org/show_bug.cgi?id=311776
rdar://174363026

Reviewed by Marcus Plutowski.

This patch fixes two issues.

1. pas_compact_atomic_ptr's null check gets eliminated.

Since it is just a normal load and store, compiler can do CSE if no
current-thread's modification possibility is found. Given that this
atomic load / store is almost always for concurrent access, we should
just use atomic relaxed load and store.

2. Debug assertion failure via `pas_bitfit_directory_get_view`'s bound
   check in `pas_bitfit_directory_get_first_free_view` call.

When we call `pas_bitfit_directory_find_first_empty`, which reloads the
new max_size. so `found_empty_index.index` can be larger than the
previously loaded max_size. This leads to hitting a debug assertion
failure in pas_bitfit_directory_get_view since we get a size from a
old `directory`, and this obtained index and loading directory does not
have any dependencies. We put a dependency between then to get the fresh
up-to-date max_size for assertion.

* Source/bmalloc/libpas/src/libpas/pas_bitfit_directory.c:
(pas_bitfit_directory_get_first_free_view):
* Source/bmalloc/libpas/src/libpas/pas_compact_atomic_ptr.h:
* Source/bmalloc/libpas/src/libpas/pas_compact_tagged_atomic_ptr.h:
* Source/bmalloc/libpas/src/libpas/pas_utils.h:

Canonical link: https://commits.webkit.org/310860@main

d3b16ac

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows Apple Internal
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe 🛠 win ⏳ 🛠 ios-apple
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 🧪 win-tests ⏳ 🛠 mac-apple
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe ⏳ 🛠 vision-apple
✅ 🧪 ios-wk2-wpt ✅ 🧪 api-mac-debug ✅ 🛠 gtk3-libwebrtc
✅ 🛠 🧪 jsc ✅ 🧪 api-ios ✅ 🧪 mac-wk1 ✅ 🛠 gtk
✅ 🛠 🧪 jsc-debug-arm64 ✅ 🧪 mac-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 api-gtk
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ❌ 🛠 playstation
✅ 🛠 🧪 unsafe-merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 jsc-armv7
✅ 🛠 tv ✅ 🧪 jsc-armv7-tests
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@Constellation Constellation self-assigned this Apr 8, 2026
@Constellation Constellation requested a review from a team as a code owner April 8, 2026 23:45
@Constellation Constellation added the bmalloc For bugs in bmalloc label Apr 8, 2026
@webkit-early-warning-system
Copy link
Copy Markdown
Collaborator

webkit-early-warning-system commented Apr 8, 2026
edited
Loading

EWS run on previous version of this PR (hash f0ae737)

Details

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows Apple Internal
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ❌ 🛠 wpe 🛠 win loading 🛠 ios-apple
🛠 ios-sim ✅ 🛠 mac-AS-debug ❌ 🧪 wpe-wk2 🧪 win-tests loading 🛠 mac-apple
✅ 🧪 webkitperl 🧪 ios-wk2 🧪 api-mac ❌ 🧪 api-wpe ⏳ 🛠 vision-apple
🧪 ios-wk2-wpt 🧪 api-mac-debug ✅ 🛠 gtk3-libwebrtc
🛠 🧪 jsc 🧪 api-ios 🧪 mac-wk1 ❌ 🛠 gtk
✅ 🛠 🧪 jsc-debug-arm64 ✅ 🧪 mac-wk2 ❌ 🧪 gtk-wk2
🛠 vision 🧪 mac-AS-debug-wk2 ❌ 🧪 api-gtk
🛠 vision-sim ✅ 🧪 mac-wk2-stress 🛠 playstation
🧪 vision-wk2 🧪 mac-intel-wk2 ✅ 🛠 jsc-armv7
✅ 🛠 tv 🧪 jsc-armv7-tests
🛠 tv-sim
🛠 watch
🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026
@Constellation Constellation removed the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026
@Constellation Constellation force-pushed the eng/libpas-atomic-load-gets-CSE-ed-while-it-can-be-changed-concurrently branch from f0ae737 to 5b85920 Compare April 9, 2026 01:24
@webkit-early-warning-system
Copy link
Copy Markdown
Collaborator

webkit-early-warning-system commented Apr 9, 2026
edited
Loading

EWS run on previous version of this PR (hash 5b85920)

Details

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows Apple Internal
✅ 🧪 style ✅ 🛠 ios 🛠 mac 🛠 wpe 🛠 win ⏳ 🛠 ios-apple
🛠 ios-sim ✅ 🛠 mac-AS-debug 🧪 wpe-wk2 🧪 win-tests ⏳ 🛠 mac-apple
✅ 🧪 webkitperl 🧪 ios-wk2 🧪 api-mac 🧪 api-wpe ⏳ 🛠 vision-apple
🧪 ios-wk2-wpt 🧪 api-mac-debug 🛠 gtk3-libwebrtc
🛠 🧪 jsc 🧪 api-ios 🧪 mac-wk1 ❌ 🛠 gtk
🛠 🧪 jsc-debug-arm64 🧪 mac-wk2 ❌ 🧪 gtk-wk2
🛠 vision 🧪 mac-AS-debug-wk2 ❌ 🧪 api-gtk
🛠 vision-sim 🧪 mac-wk2-stress 🛠 playstation
🧪 vision-wk2 🧪 mac-intel-wk2 🛠 jsc-armv7
🛠 tv 🧪 jsc-armv7-tests
🛠 tv-sim
🛠 watch
🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026
@Constellation Constellation removed the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026
@Constellation Constellation force-pushed the eng/libpas-atomic-load-gets-CSE-ed-while-it-can-be-changed-concurrently branch from 5b85920 to c4ffd8b Compare April 9, 2026 01:54
@webkit-early-warning-system
Copy link
Copy Markdown
Collaborator

webkit-early-warning-system commented Apr 9, 2026
edited
Loading

EWS run on previous version of this PR (hash c4ffd8b)

Details

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows Apple Internal
✅ 🧪 style ✅ 🛠 ios 🛠 mac 🛠 wpe 🛠 win ✅ 🛠 ios-apple
🛠 ios-sim ✅ 🛠 mac-AS-debug 🧪 wpe-wk2 🧪 win-tests loading 🛠 mac-apple
✅ 🧪 webkitperl 🧪 ios-wk2 🧪 api-mac 🧪 api-wpe ✅ 🛠 vision-apple
🧪 ios-wk2-wpt 🧪 api-mac-debug 🛠 gtk3-libwebrtc
🛠 🧪 jsc 🧪 api-ios 🧪 mac-wk1 ❌ 🛠 gtk
🛠 🧪 jsc-debug-arm64 🧪 mac-wk2 ❌ 🧪 gtk-wk2
🛠 vision 🧪 mac-AS-debug-wk2 ❌ 🧪 api-gtk
🛠 vision-sim 🧪 mac-wk2-stress 🛠 playstation
🧪 vision-wk2 🧪 mac-intel-wk2 🛠 jsc-armv7
🛠 tv 🧪 jsc-armv7-tests
🛠 tv-sim
🛠 watch
🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026
@Constellation Constellation removed the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026
@Constellation Constellation force-pushed the eng/libpas-atomic-load-gets-CSE-ed-while-it-can-be-changed-concurrently branch from c4ffd8b to d3b16ac Compare April 9, 2026 02:05
@webkit-early-warning-system
Copy link
Copy Markdown
Collaborator

webkit-early-warning-system commented Apr 9, 2026
edited
Loading

EWS run on current version of this PR (hash d3b16ac)

Details

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows Apple Internal
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe 🛠 win ⏳ 🛠 ios-apple
✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 🧪 win-tests ⏳ 🛠 mac-apple
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe ⏳ 🛠 vision-apple
✅ 🧪 ios-wk2-wpt ✅ 🧪 api-mac-debug ✅ 🛠 gtk3-libwebrtc
✅ 🛠 🧪 jsc ✅ 🧪 api-ios ✅ 🧪 mac-wk1 ✅ 🛠 gtk
✅ 🛠 🧪 jsc-debug-arm64 ✅ 🧪 mac-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 api-gtk
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ❌ 🛠 playstation
✅ 🛠 🧪 unsafe-merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 jsc-armv7
✅ 🛠 tv ✅ 🧪 jsc-armv7-tests
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026
@Constellation Constellation removed the merging-blocked Applied to prevent a change from being merged label Apr 9, 2026
@Constellation Constellation added the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label Apr 9, 2026
@Constellation
[libpas] atomic-load gets CSE-ed while it can be changed concurrently
75529ed 
https://bugs.webkit.org/show_bug.cgi?id=311776
rdar://174363026

Reviewed by Marcus Plutowski.

This patch fixes two issues.

1. pas_compact_atomic_ptr's null check gets eliminated.

Since it is just a normal load and store, compiler can do CSE if no
current-thread's modification possibility is found. Given that this
atomic load / store is almost always for concurrent access, we should
just use atomic relaxed load and store.

2. Debug assertion failure via `pas_bitfit_directory_get_view`'s bound
   check in `pas_bitfit_directory_get_first_free_view` call.

When we call `pas_bitfit_directory_find_first_empty`, which reloads the
new max_size. so `found_empty_index.index` can be larger than the
previously loaded max_size. This leads to hitting a debug assertion
failure in pas_bitfit_directory_get_view since we get a size from a
old `directory`, and this obtained index and loading directory does not
have any dependencies. We put a dependency between then to get the fresh
up-to-date max_size for assertion.

* Source/bmalloc/libpas/src/libpas/pas_bitfit_directory.c:
(pas_bitfit_directory_get_first_free_view):
* Source/bmalloc/libpas/src/libpas/pas_compact_atomic_ptr.h:
* Source/bmalloc/libpas/src/libpas/pas_compact_tagged_atomic_ptr.h:
* Source/bmalloc/libpas/src/libpas/pas_utils.h:

Canonical link: https://commits.webkit.org/310860@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/libpas-atomic-load-gets-CSE-ed-while-it-can-be-changed-concurrently branch from d3b16ac to 75529ed Compare April 9, 2026 20:43
@webkit-commit-queue
Copy link
Copy Markdown
Collaborator

webkit-commit-queue commented Apr 9, 2026

Committed 310860@main (75529ed): https://commits.webkit.org/310860@main

Reviewed commits have been landed. Closing PR #62315 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit 75529ed into WebKit:main Apr 9, 2026
@webkit-commit-queue webkit-commit-queue removed the unsafe-merge-queue Applied to send a pull request to merge-queue, but skip building and testing label Apr 9, 2026
@rkirsling
Copy link
Copy Markdown
Member

rkirsling commented Apr 10, 2026

This broke PlayStation, as EWS indicated -- @Constellation could you fix?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Achierius Achierius Achierius approved these changes

Assignees

@Constellation Constellation

Labels

bmalloc For bugs in bmalloc

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Constellation @webkit-early-warning-system @webkit-commit-queue @rkirsling @Achierius @webkit-ews-buildbot