Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f95be9ec7152778267faa35796dc68b559cba638
https://github.com/WebKit/WebKit/commit/f95be9ec7152778267faa35796dc68b559cba638
Author: Vassili Bykov <[email protected]>
Date: 2025-10-22 (Wed, 22 Oct 2025)
Changed paths:
A JSTests/wasm/regress/301229.js
M Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
Log Message:
-----------
Wasm JS string builtins should be re-exported as WebAssemblyWrapperFunctions
https://bugs.webkit.org/show_bug.cgi?id=301229
rdar://163013276
Reviewed by Yusuke Suzuki.
When a Wasm JS string builtin is re-exported by a module, we use the jsWrapper() of the builtin (a JSFunction) as the exported object. This works for as long as the exported function is called from JavaScript or imported into other modules via the normal import route. However, the fuzzer case included as the test attempts to store that JSFunction directly into a Wasm function table. That fails because a function table expects its values to inherit from WebAssemblyFunctionBase, and a plain JSFunction doesn't. This causes an assertion failure in debug and asan builds and a crash in release builds.
The patch tweaks export logic so that builtin jsWrapper() is wrapped into a WebAssemblyWrapperFunction, just like re-exported "normal" JS functions.
Canonical link: https://commits.webkit.org/301963@main