[Webkit-unassigned] [Bug 186641] New: wasm marshalArgument unable to correctly handle type B3:void
bugzilla-daemon at webkit.org
Thu Jun 14 19:18:08 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=186641
Bug ID: 186641
Summary: wasm marshalArgument unable to correctly handle type B3:void
Product: WebKit
Version: WebKit Local Build
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: WebAssembly
Assignee: webkit-unassigned at lists.webkit.org
Reporter: dwfault at 163.com
Created attachment 342784
--> https://bugs.webkit.org/attachment.cgi?id=342784&action=review
The sample would make jsc crash.
marshallArgument in WebAssembly of JavaScriptCore could not correctly handle type B3::Void as an argument type in a function signature. Tested on git commit
The byte 0x70 in the Type section was changed to 0xf0, in:
template<typename SuccessType>
ALWAYS_INLINE bool Parser<SuccessType>::parseInt7(int8_t& result)
{
    if (m_offset >= length())
        return false;
    uint8_t v = source()[m_offset++];
    result = (v & 0x40) ? WTF::bitwise_cast<int8_t>(uint8_t(v | 0x80)) : v;
    return (v & 0x80) == 0;
}
template<typename Functor>
void loadArguments(const Signature& signature, B3::Procedure& proc, B3::BasicBlock* block, B3::Origin origin, const Functor& functor) const
{
    B3::Value* framePointer = block->appendNew<B3::Value>(proc, B3::FramePointer, origin);
    size_t gpArgumentCount = 0;
    size_t fpArgumentCount = 0;
    size_t stackOffset = headerSize;
    for (size_t i = 0; i < signature.argumentCount(); ++i) {
        B3::Type type = toB3Type(signature.argument(i)); // ---> In the function "toB3Type" byte 0xf0 is passed in, and B3::Void is returned.
        B3::Value* argument;
        B3::ValueRep rep = marshallArgument(type, gpArgumentCount, fpArgumentCount, stackOffset); // ---> In this function "marshallArgument", B3::Void cannot be handled correctly, which caused a crash.
        if (rep.isReg()) {
            argument = block->appendNew<B3::ArgumentRegValue>(proc, origin, rep.reg());
            if (type == B3::Int32 || type == B3::Float)
                argument = block->appendNew<B3::Value>(proc, B3::Trunc, origin, argument);
        } else {
            ASSERT(rep.isStackArgument());
            B3::Value* address = block->appendNew<B3::Value>(proc, B3::Add, origin, framePointer,
                block->appendNew<B3::Const64Value>(proc, origin, rep.offsetFromSP()));
            argument = block->appendNew<B3::MemoryValue>(proc, B3::Load, type, origin, address);
        }
        functor(argument, i);
    }
}
The crash happened here:
B3::ValueRep marshallArgument(B3::Type type, size_t& gpArgumentCount, size_t& fpArgumentCount, size_t& stackOffset) const
{
    switch (type) {
    case B3::Int32:
    case B3::Int64:
        return marshallArgumentImpl(m_gprArgs, type, gpArgumentCount, stackOffset);
    case B3::Float:
    case B3::Double:
        return marshallArgumentImpl(m_fprArgs, type, fpArgumentCount, stackOffset);
    case B3::Void:
        break;
    }
    RELEASE_ASSERT_NOT_REACHED(); // ---> crash.
}
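To make the validation gap in this report concrete, the following is an added, self-contained C++ model (not WebKit's code and not the reporter's sample) of the three pieces quoted above: the int7 decode, the mapping from a wasm value-type byte to a B3 type, and argument marshalling. The names valueTypeToB3, parseArgumentType, marshalOne, ValueRep and the register counts are simplified stand-ins, and the byte samples are constructed. It shows that 0x70 and 0xf0 decode to the same int7 value (-16) and differ only in parseInt7's return flag, that a type code outside the value-type set is rejected before it can ever become Void, and that marshalling returns an empty optional for Void instead of reaching an assertion.

```cpp
// Added illustration of the decoding/marshalling path from the bug report.
// Not WebKit's code: names and register counts are simplified stand-ins.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <cstddef>
#include <initializer_list>
#include <optional>
#include <vector>

enum class B3Type { Void, Int32, Int64, Float, Double };

// Signed 7-bit LEB decode with the same arithmetic as the parseInt7 quoted
// above. Returns false when the continuation bit (0x80) is set, i.e. the byte
// is not a valid single-byte int7; callers must check this flag, because the
// value written to `result` is identical for 0x70 and 0xf0.
static bool parseInt7(const std::vector<uint8_t>& src, size_t& offset, int8_t& result)
{
    if (offset >= src.size())
        return false;
    uint8_t v = src[offset++];
    uint8_t widened = (v & 0x40) ? uint8_t(v | 0x80) : v; // sign-extend bit 6 into bit 7
    std::memcpy(&result, &widened, 1);                   // bitwise cast uint8_t -> int8_t
    return (v & 0x80) == 0;
}

// Wasm value-type codes are negative int7 values: -0x01 i32, -0x02 i64,
// -0x03 f32, -0x04 f64 (0x7f, 0x7e, 0x7d, 0x7c on the wire). Anything else,
// including -0x10 (0x70, the funcref/anyfunc code), is not a value type and
// must be rejected here rather than mapped to Void.
static std::optional<B3Type> valueTypeToB3(int8_t code)
{
    switch (code) {
    case -0x01: return B3Type::Int32;
    case -0x02: return B3Type::Int64;
    case -0x03: return B3Type::Float;
    case -0x04: return B3Type::Double;
    default:    return std::nullopt;
    }
}

// Decode one argument type: both the LEB decode and the type mapping must
// succeed, otherwise the module is rejected.
static std::optional<B3Type> parseArgumentType(const std::vector<uint8_t>& src, size_t& offset)
{
    int8_t code = 0;
    if (!parseInt7(src, offset, code))
        return std::nullopt;
    return valueTypeToB3(code);
}

struct ValueRep { bool isReg; size_t index; };

// Marshalling with Void handled as an explicit failure instead of falling
// through to an unreachable assertion.
static std::optional<ValueRep> marshallArgument(B3Type type, size_t& gp, size_t& fp, size_t& stackOffset)
{
    constexpr size_t kGprCount = 6, kFprCount = 8; // constructed register counts
    switch (type) {
    case B3Type::Int32:
    case B3Type::Int64:
        if (gp < kGprCount) return ValueRep{true, gp++};
        stackOffset += 8; return ValueRep{false, stackOffset};
    case B3Type::Float:
    case B3Type::Double:
        if (fp < kFprCount) return ValueRep{true, fp++};
        stackOffset += 8; return ValueRep{false, stackOffset};
    case B3Type::Void:
        return std::nullopt;
    }
    return std::nullopt;
}

// Small helpers over constructed byte samples.
static int int7Value(std::initializer_list<uint8_t> bytes)
{
    std::vector<uint8_t> src(bytes); size_t off = 0; int8_t r = 0;
    parseInt7(src, off, r);
    return r;
}
static bool int7Valid(std::initializer_list<uint8_t> bytes)
{
    std::vector<uint8_t> src(bytes); size_t off = 0; int8_t r = 0;
    return parseInt7(src, off, r);
}
static std::optional<B3Type> decodeFirstType(std::initializer_list<uint8_t> bytes)
{
    std::vector<uint8_t> src(bytes); size_t off = 0;
    return parseArgumentType(src, off);
}
static std::optional<ValueRep> marshalOne(B3Type type)
{
    size_t gp = 0, fp = 0, stack = 0;
    return marshallArgument(type, gp, fp, stack);
}

int main()
{
    std::printf("0x70 -> %d (valid=%d), 0xf0 -> %d (valid=%d)\n",
        int7Value({0x70}), int7Valid({0x70}), int7Value({0xf0}), int7Valid({0xf0}));
    std::printf("Void marshalled: %s\n", marshalOne(B3Type::Void) ? "yes" : "rejected");
    return 0;
}
```

The design point is that the type check happens at parse time (valueTypeToB3 returns an empty optional for any non-value-type code, and parseArgumentType honours parseInt7's return flag), so the marshalling stage never sees Void from a malformed module; the explicit Void case in marshallArgument is a second, defensive layer rather than the only one.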