[webkit-changes] [WebKit/WebKit] 2e2ee4: [Wasm-GC] Use correct offsets when generating code...

Tim Chevalier noreply at github.com
Mon Mar 20 17:33:38 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2e2ee48591cd2f962f5554a4ab8831c9af2aa93f
      https://github.com/WebKit/WebKit/commit/2e2ee48591cd2f962f5554a4ab8831c9af2aa93f
  Author: Tim Chevalier <tjc at igalia.com>
  Date:   2023-03-20 (Mon, 20 Mar 2023)

  Changed paths:
    A JSTests/wasm/gc/bug252719.js
    M Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h

  Log Message:
  -----------
  [Wasm-GC] Use correct offsets when generating code for struct gets and sets in B3 and Air
https://bugs.webkit.org/show_bug.cgi?id=252719

Reviewed by Tadeu Zagallo and Justin Michaud.

The generated code for struct get and set operations was using the wrong offsets and overwriting
the header for the struct object's `m_payload.storage` field. Triggering the bug requires
a function call where the callee returns a struct and the caller performs a `struct.get` on the
result, and the callee is interpreted while the caller is compiled (or vice versa).

* JSTests/wasm/gc/bug252719.js: Added.
(module):
(testIntFields):
* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:
(JSC::Wasm::ExpressionType>::addStructGet):
(JSC::Wasm::ExpressionType>::addStructSet):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitStructSet):
(JSC::Wasm::B3IRGenerator::addStructGet):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::StructType::StructType):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
(JSC::Wasm::StructType::offsetOfField const):
(JSC::Wasm::StructType::offsetOfField):
(JSC::Wasm::StructType::getFieldOffset const): Deleted.
(JSC::Wasm::StructType::getFieldOffset): Deleted.
* Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.cpp:
(JSC::JSWebAssemblyStruct::fieldPointer const):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyStruct.h:

Canonical link: https://commits.webkit.org/261899@main

More information about the webkit-changes mailing list