[webkit-reviews] review granted: [Bug 198761] [WASM-References] Add support for Table.size, grow and fill instructions : [Attachment 372156] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 17 19:41:46 PDT 2019 

Yusuke Suzuki <ysuzuki at apple.com> has granted Justin Michaud
<justin_michaud at apple.com>'s request for review:
Bug 198761: [WASM-References] Add support for Table.size, grow and fill
instructions
https://bugs.webkit.org/show_bug.cgi?id=198761

Attachment 372156: Patch

https://bugs.webkit.org/attachment.cgi?id=372156&action=review




--- Comment #8 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 372156
  --> https://bugs.webkit.org/attachment.cgi?id=372156
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=372156&action=review

r=me

> Source/JavaScriptCore/wasm/WasmFunctionParser.h:307
> +	   switch ((ExtTableOpType) extOp) {

Use `static_cast<ExtTableOpType>(extOp)`.

> Source/JavaScriptCore/wasm/WasmInstance.cpp:90
> +    if (!newSize || *newSize == oldSize)
> +	   return -1;

delta = 0, returning -1, I think this is a spec bug. So, can we have a FIXME
comment here with an url pointing bugzilla issue about the spec bug?

> Source/JavaScriptCore/wasm/WasmInstance.cpp:107
> +    unsigned i = offset;
> +    unsigned n = count;

Can we use the names `offset` and `count` for the local variables instead?
Using `offset` and `count` is better than `i` and `n`.
Like, putting `unsafeOffset` and `unsafeCount` as parameters, validate with the
above if-statement, and copy them to the `unsigned` offset and count.

> Source/JavaScriptCore/wasm/WasmInstance.cpp:110
> +    if (i >= instance->table()->length() || i + n >
instance->table()->length())
> +	   return false;

I think only `i + n > instance->table()->length()` is OK. The maximum value of
i and n is INT32_MAX. INT32_MAX + INT32_MAX does not exceed UINT32_MAX, so we
do not need to consider about overflow too.

> Source/JavaScriptCore/wasm/WasmTable.cpp:130
> +    for (uint32_t i = m_length; i < allocatedLength(newLength); ++i)
> +	   m_jsValues.get()[i].setWithoutWriteBarrier(jsNull());
> +

This part is already fixed in https://trac.webkit.org/changeset/246487/webkit,
so it is not necessary.

More information about the webkit-reviews mailing list