Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5c64352cd6cc1f867750171e0c4bd598b61fffff
https://github.com/WebKit/WebKit/commit/5c64352cd6cc1f867750171e0c4bd598b61fffff
Author: Sosuke Suzuki <[email protected]>
Date: 2026-06-10 (Wed, 10 Jun 2026)
Changed paths:
M Source/JavaScriptCore/runtime/CyclicModuleRecord.cpp
Log Message:
-----------
[JSC] `GatherAvailableAncestors` and `AsyncModuleExecutionRejected` can
overflow the stack on deep async module graphs
https://bugs.webkit.org/show_bug.cgi?id=316615
Reviewed by Yusuke Suzuki.
GatherAvailableAncestors[1] and AsyncModuleExecutionRejected[2] walk
[[AsyncParentModules]] with unguarded native recursion, so when the
top-level-await leaf of a long module chain settles, a deep enough
chain crashes with a hard stack overflow.
These operations are infallible and run from microtasks, so they cannot
throw a RangeError like InnerModuleEvaluation does. Instead, flatten
both recursions into explicit worklists. AsyncModuleExecutionRejected
pushes parents in reverse to preserve the spec's depth-first order,
which is observable through the rejection order of
[[TopLevelCapability]] promises.
[1]: https://tc39.es/ecma262/#sec-gather-available-ancestors
[2]: https://tc39.es/ecma262/#sec-async-module-execution-rejected
* Source/JavaScriptCore/runtime/CyclicModuleRecord.cpp:
(JSC::gatherAvailableAncestors):
(JSC::CyclicModuleRecord::asyncExecutionRejected):
Canonical link: https://commits.webkit.org/314989@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
