Title: [289182] trunk
Revision
289182
Author
[email protected]
Date
2022-02-06 14:21:55 -0800 (Sun, 06 Feb 2022)

Log Message

[Wasm] ref.null check should be done first in B3 call_ref
https://bugs.webkit.org/show_bug.cgi?id=236206

Reviewed by Mark Lam.

JSTests:

* wasm.yaml:
* wasm/function-references-spec-tests/call-null-ref.wast.js: Added.

Source/_javascript_Core:

We should check the reference for ref.null first, before loading any data from it, in B3 call_ref.

* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCallRef):

Diff

Modified: trunk/JSTests/ChangeLog (289181 => 289182)


--- trunk/JSTests/ChangeLog	2022-02-06 21:10:45 UTC (rev 289181)
+++ trunk/JSTests/ChangeLog	2022-02-06 22:21:55 UTC (rev 289182)
@@ -1,3 +1,13 @@
+2022-02-06  Yusuke Suzuki  <[email protected]>
+
+        [Wasm] ref.null check should be done first in B3 call_ref
+        https://bugs.webkit.org/show_bug.cgi?id=236206
+
+        Reviewed by Mark Lam.
+
+        * wasm.yaml:
+        * wasm/function-references-spec-tests/call-null-ref.wast.js: Added.
+
 2022-02-06  Alexey Shvayka  <[email protected]>
 
         Object literal doesn't properly resolve name clash between an accessor and a constant property

Added: trunk/JSTests/wasm/function-references-spec-tests/call-null-ref.wast.js (0 => 289182)


--- trunk/JSTests/wasm/function-references-spec-tests/call-null-ref.wast.js	                        (rev 0)
+++ trunk/JSTests/wasm/function-references-spec-tests/call-null-ref.wast.js	2022-02-06 22:21:55 UTC (rev 289182)
@@ -0,0 +1,18 @@
+/*
+(module
+  (type $ii (func (param i32) (result i32)))
+
+  (func (export "null") (result i32)
+    (call_ref (i32.const 1) (ref.null $ii))
+  )
+)
+
+(assert_trap (invoke "null") "null function")
+*/
+
+// call-null-ref.wast:1
+let $1 = instance("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x8a\x80\x80\x80\x00\x02\x60\x01\x7f\x01\x7f\x60\x00\x01\x7f\x03\x82\x80\x80\x80\x00\x01\x01\x07\x88\x80\x80\x80\x00\x01\x04\x6e\x75\x6c\x6c\x00\x00\x0a\x8d\x80\x80\x80\x00\x01\x87\x80\x80\x80\x00\x00\x41\x01\xd0\x00\x14\x0b");
+
+// call-null-ref.wast:9
+for (let i = 0; i < 1e4; ++i)
+    assert_trap(() => call($1, "null", []));
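Review bot: The 1e4-iteration loop on the last line has no comment explaining why a single trapping call is not enough; presumably the repetition is what gets the `null` export tiered up into the B3 generator whose ordering this commit fixes, and a reader trimming it to one call would silently stop covering the fixed path. Suggest placing `// Repeat so the callee reaches the B3 tier, where the ref.null check ordering is exercised.` above the `for` loop. The `instance`, `call` and `assert_trap` helpers come from the spec-test harness and are not visible in this file.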

Modified: trunk/JSTests/wasm.yaml (289181 => 289182)


--- trunk/JSTests/wasm.yaml	2022-02-06 21:10:45 UTC (rev 289181)
+++ trunk/JSTests/wasm.yaml	2022-02-06 22:21:55 UTC (rev 289182)
@@ -143,6 +143,8 @@
   cmd: runWebAssemblyFunctionReferenceSpecTest :normal
 - path: wasm/function-references-spec-tests/ref_null.wast.js
   cmd: runWebAssemblyFunctionReferenceSpecTest :normal
+- path: wasm/function-references-spec-tests/call-null-ref.wast.js
+  cmd: runWebAssemblyFunctionReferenceSpecTest :normal
 
 - path: wasm/spec-tests/address.wast.js
   cmd: runWebAssemblySpecTest :normal

Modified: trunk/Source/_javascript_Core/ChangeLog (289181 => 289182)


--- trunk/Source/_javascript_Core/ChangeLog	2022-02-06 21:10:45 UTC (rev 289181)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-02-06 22:21:55 UTC (rev 289182)
@@ -1,3 +1,15 @@
+2022-02-06  Yusuke Suzuki  <[email protected]>
+
+        [Wasm] ref.null check should be done first in B3 call_ref
+        https://bugs.webkit.org/show_bug.cgi?id=236206
+
+        Reviewed by Mark Lam.
+
+        We should first check ref.null before loading data from the reference in B3 call_ref.
+
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addCallRef):
+
 2022-02-06  Cameron McCormack  <[email protected]>
 
         Cache the most recent AtomString produced by JSString::toIdentifier

Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (289181 => 289182)


--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2022-02-06 21:10:45 UTC (rev 289181)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2022-02-06 22:21:55 UTC (rev 289182)
@@ -3087,14 +3087,6 @@
     // can be to the embedder for our stack check calculation.
     m_maxNumJSCallArguments = std::max(m_maxNumJSCallArguments, static_cast<uint32_t>(args.size()));
 
-    Value* jsInstanceOffset = constant(pointerType(), safeCast<int32_t>(WebAssemblyFunctionBase::offsetOfInstance()));
-    Value* jsCalleeInstance = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(),
-        m_currentBlock->appendNew<Value>(m_proc, Add, origin(), callee, jsInstanceOffset));
-
-    Value* instanceOffset = constant(pointerType(), safeCast<int32_t>(JSWebAssemblyInstance::offsetOfInstance()));
-    Value* calleeInstance = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(),
-        m_currentBlock->appendNew<Value>(m_proc, Add, origin(), jsCalleeInstance, instanceOffset));
-
     // Check the target reference for null.
     {
         CheckValue* check = m_currentBlock->appendNew<CheckValue>(m_proc, Check, origin(),
@@ -3104,6 +3096,14 @@
         });
     }
 
+    Value* jsInstanceOffset = constant(pointerType(), safeCast<int32_t>(WebAssemblyFunctionBase::offsetOfInstance()));
+    Value* jsCalleeInstance = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(),
+        m_currentBlock->appendNew<Value>(m_proc, Add, origin(), callee, jsInstanceOffset));
+
+    Value* instanceOffset = constant(pointerType(), safeCast<int32_t>(JSWebAssemblyInstance::offsetOfInstance()));
+    Value* calleeInstance = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(),
+        m_currentBlock->appendNew<Value>(m_proc, Add, origin(), jsCalleeInstance, instanceOffset));
+
     Value* calleeCode = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(),
         m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(), callee,
             safeCast<int32_t>(WebAssemblyFunctionBase::offsetOfEntrypointLoadLocation())));
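Review bot: The two `MemoryValue` loads through `callee` that now follow the null check carry no comment tying them to that ordering, so a later cleanup could move them back above the check, which is exactly the regression this commit fixes, with no local hint that the order matters. Suggest prefacing the `Value* jsInstanceOffset` line with `// These loads dereference callee, so they must stay after the null check above, which traps on ref.null.` Presumably B3 will not hoist these loads above the `CheckValue`, since the check exits sideways, but the source-level ordering is what the comment protects. The same reasoning applies to the first hunk, where the old loads were removed; addCallRef's body starts before that hunk and continues after this one.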