Modified: trunk/JSTests/ChangeLog (245894 => 245895)
--- trunk/JSTests/ChangeLog 2019-05-30 18:05:18 UTC (rev 245894)
+++ trunk/JSTests/ChangeLog 2019-05-30 18:06:09 UTC (rev 245895)
@@ -1,3 +1,12 @@
+2019-05-30 Justin Michaud <justin_mich...@apple.com>
+
+ oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
+ https://bugs.webkit.org/show_bug.cgi?id=198355
+
+ Reviewed by Saam Barati.
+
+ * wasm/references/is_null.js:
+
2019-05-30 Stephan Szabo <stephan.sz...@sony.com>
[PlayStation] Skip additional tests on PlayStation
Modified: trunk/JSTests/wasm/references/is_null.js (245894 => 245895)
--- trunk/JSTests/wasm/references/is_null.js 2019-05-30 18:05:18 UTC (rev 245894)
+++ trunk/JSTests/wasm/references/is_null.js 2019-05-30 18:06:09 UTC (rev 245895)
@@ -9,10 +9,13 @@
.Function("i")
.Function("j")
.Function("k")
+ .Function("local_read")
.End()
.Code()
- .Function("h", { params: ["anyref"], ret: "anyref" })
+ .Function("h", { params: ["anyref"], ret: "anyref" }, ["anyref"])
.GetLocal(0)
+ .SetLocal(1)
+ .GetLocal(1)
.End()
.Function("i", { params: [], ret: "anyref" })
@@ -29,6 +32,11 @@
.RefNull()
.RefIsNull()
.End()
+
+ .Function("local_read", { params: [], ret: "i32" }, ["anyref"])
+ .GetLocal(0)
+ .RefIsNull()
+ .End()
.End();
const bin = builder.WebAssembly().get();
@@ -51,6 +59,7 @@
assert.eq(instance.exports.j(undefined), 0)
assert.eq(instance.exports.k(), 1)
+assert.eq(instance.exports.local_read(), 1)
assert.eq(obj.test, "hi")
const obj2 = instance.exports.h(obj)
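Review bot: The new `local_read` export is asserted exactly once (`assert.eq(instance.exports.local_read(), 1)`), so it only exercises whichever tier compiles the function first; the B3IRGenerator half of this commit is reached only if the test also runs under options that force that tier or after tier-up, and nothing in this file shows that. Consider calling `local_read` enough times to tier up, or noting in a comment that the stress option matrix is relied on — hedged, since the harness configuration is not visible here. The `h` change only round-trips its argument through the new anyref local (`SetLocal(1)`/`GetLocal(1)`), so `local_read` is the sole check that a fresh anyref local reads as null; a short comment above it, `// A never-written anyref local must read as null, not as an uninitialized bit pattern.`, would record why it exists. The builder chain starts before the first hunk.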
Modified: trunk/Source/_javascript_Core/ChangeLog (245894 => 245895)
--- trunk/Source/_javascript_Core/ChangeLog 2019-05-30 18:05:18 UTC (rev 245894)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-05-30 18:06:09 UTC (rev 245895)
@@ -1,3 +1,15 @@
+2019-05-30 Justin Michaud <justin_mich...@apple.com>
+
+ oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
+ https://bugs.webkit.org/show_bug.cgi?id=198355
+
+ Reviewed by Saam Barati.
+
+ Fix missing anyref case in addLocal.
+
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::addLocal):
+
2019-05-29 Don Olmstead <don.olmst...@sony.com>
Remove ENABLE definitions from WebKit config files
Modified: trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp (245894 => 245895)
--- trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2019-05-30 18:05:18 UTC (rev 245894)
+++ trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2019-05-30 18:06:09 UTC (rev 245895)
@@ -879,6 +879,9 @@
auto local = tmpForType(type);
m_locals.uncheckedAppend(local);
switch (type) {
+ case Type::Anyref:
+ append(Move, Arg::imm(JSValue::encode(jsNull())), local);
+ break;
case Type::I32:
case Type::I64: {
append(Xor64, local, local);
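Review bot: The new `case Type::Anyref:` gives no hint of why a reference local is seeded with an encoded null while the numeric cases below get all-zero bits from `Xor64`, and `Arg::imm` is Air's form for immediates that fit in 32 bits while `JSValue::encode` yields a 64-bit `EncodedJSValue` — it works because the null encoding is small, but that dependency is silent. Suggest a comment above the case: `// Reference locals must hold a valid JSValue (wasm null) from the start, not the zero pattern used for numeric locals; jsNull()'s encoding fits a 32-bit immediate.` If the tagging scheme ever made the null encoding wider, `Arg::bigImm` would be needed here. The `default:` branch that presumably produced the fuzzer abort, and addLocal's signature, lie outside the hunk.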
Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (245894 => 245895)
--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2019-05-30 18:05:18 UTC (rev 245894)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2019-05-30 18:06:09 UTC (rev 245895)
@@ -534,7 +534,8 @@
for (uint32_t i = 0; i < count; ++i) {
Variable* local = m_proc.addVariable(toB3Type(type));
m_locals.uncheckedAppend(local);
- m_currentBlock->appendNew<VariableValue>(m_proc, Set, Origin(), local, constant(toB3Type(type), 0, Origin()));
+ auto val = type == Anyref ? JSValue::encode(jsNull()) : 0;
+ m_currentBlock->appendNew<VariableValue>(m_proc, Set, Origin(), local, constant(toB3Type(type), val, Origin()));
}
return { };
}
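Review bot: `auto val = type == Anyref ? JSValue::encode(jsNull()) : 0;` depends only on `type` yet is recomputed on every iteration of the `for (uint32_t i = 0; i < count; ++i)` loop, and `auto` hides that the conditional's common type is the 64-bit `EncodedJSValue` rather than the `int` literal. Hoist it above the loop and spell out the type: `const EncodedJSValue initialBits = type == Anyref ? JSValue::encode(jsNull()) : 0;` then `constant(toB3Type(type), initialBits, Origin())` in the body. A one-line comment on why references start as null rather than zero would also match the AirIRGenerator change in this commit, which spells the enumerator as `Type::Anyref` where this hunk uses bare `Anyref`. The enclosing function starts before the hunk.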