[webkit-changes] [WebKit/WebKit] 692b33: [WASM] Incorrect indexing in recursion group when ...

[David Degazio]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 692b33ef1461c482702b0d509bf65b79964a93d7
      https://github.com/WebKit/WebKit/commit/692b33ef1461c482702b0d509bf65b79964a93d7
  Author: David Degazio <d_degazio at apple.com>
  Date:   2024-09-12 (Thu, 12 Sep 2024)

  Changed paths:
    A JSTests/wasm/stress/multiple-recgroups.js
    A JSTests/wasm/stress/multiple-recgroups.wat
    M Source/JavaScriptCore/wasm/WasmSectionParser.cpp

  Log Message:
  -----------
  [WASM] Incorrect indexing in recursion group when checking subtype validity
https://bugs.webkit.org/show_bug.cgi?id=279527
rdar://134582688

Reviewed by Yusuke Suzuki.

Fixes a bug where we used an index to the list of types in a recursion group to
index into the module-global list of defined types. Also replaces placeholders
in the type up front instead of unrolling, since unroll() is a no-op on any
non-projection type, but non-projection types can still contain projections that
might be placeholders. Since the recursion group is done being defined here, we
substitute placeholders in order to be able to find the correct supertype, in case
that supertype is a projection.

* JSTests/wasm/stress/multiple-recgroups.js: Added.
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseRecursionGroup):

Canonical link: https://commits.webkit.org/283568@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications