[webkit-changes] [WebKit/WebKit] d61272: WebAssembly.Table prototype functions need to do s...

Keith Miller noreply at github.com
Tue Sep 10 12:26:59 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d612721aa438aac866eb2a46fd95bf866dc5bdb8
      https://github.com/WebKit/WebKit/commit/d612721aa438aac866eb2a46fd95bf866dc5bdb8
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2024-09-10 (Tue, 10 Sep 2024)

  Changed paths:
    M JSTests/wasm/function-references/ref_types.js
    M JSTests/wasm/gc/arrays.js
    M JSTests/wasm/gc/i31.js
    M JSTests/wasm/gc/js-api.js
    M JSTests/wasm/gc/structs.js
    M JSTests/wasm/references/table_js_api.js
    A JSTests/wasm/regress/js-table-bad-set-type.js
    M JSTests/wasm/v8/js-api.js
    M Source/JavaScriptCore/wasm/WasmOperationsInlines.h
    M Source/JavaScriptCore/wasm/WasmTable.cpp
    M Source/JavaScriptCore/wasm/WasmTable.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyExceptionConstructor.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyTablePrototype.cpp

  Log Message:
  -----------
  WebAssembly.Table prototype functions need to do subtype checks
https://bugs.webkit.org/show_bug.cgi?id=279444
rdar://134785807

Reviewed by Yusuke Suzuki.

Table.prototype.set/grow don't check that the value they are inserting into the table is actually a subtype of the
funcref table's actual type. This patch fixes that. I also moved some of the verification logic into the table itself
rather than in the prototype function. This seems like a better abstraction since the checks are now done by the table
instead of any caller.

Also, convert a bunch of the RELEASE_ASSERTs into ASSERTs since they're unlikely be hit in practice at this point and
some of them e.g. isSubtype, could be reasonably expensive to do at runtime.

* JSTests/wasm/function-references/ref_types.js:
(async testRefTypesInTables):
* JSTests/wasm/gc/arrays.js:
* JSTests/wasm/gc/i31.js:
(testI31Table):
* JSTests/wasm/gc/js-api.js:
* JSTests/wasm/gc/structs.js:
* JSTests/wasm/references/table_js_api.js:
(async testTableGrowForFuncrefTables):
(async testTableSetForFuncrefTables):
* JSTests/wasm/regress/js-table-bad-set-type.js: Added.
(async test):
* JSTests/wasm/v8/js-api.js:
* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
(JSC::Wasm::tableSet):
* Source/JavaScriptCore/wasm/WasmTable.cpp:
(JSC::Wasm::Table::copy):
(JSC::Wasm::Table::clear):
(JSC::Wasm::Table::set):
(JSC::Wasm::Table::get const):
(JSC::Wasm::FuncRefTable::setFunction):
(JSC::Wasm::FuncRefTable::copyFunction):
(JSC::Wasm::FuncRefTable::clear):
(JSC::Wasm::FuncRefTable::set):
* Source/JavaScriptCore/wasm/WasmTable.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h:
(JSC::toWebAssemblyValue):
(JSC::fromJSValue): Deleted.
* Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::get):
(JSC::JSWebAssemblyTable::set):
(JSC::JSWebAssemblyTable::clear):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyExceptionConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h:
(JSC::WebAssemblyFunctionBase::type const):
* Source/JavaScriptCore/wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/283434@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list