[Webkit-unassigned] [Bug 209333] New: br_table behavior

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 20 04:07:27 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=209333

            Bug ID: 209333
           Summary: br_table behavior
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mail at janmidtgaard.dk

Created attachment 394075

  --> https://bugs.webkit.org/attachment.cgi?id=394075&action=review

wasm program causing the crash

I'm running the prebuilt JavaScriptCore, version 258753 installed through jsvu https://bugs.webkit.org/show_bug.cgi?id=179945

Consider the following wasm program:

(module
  (type $0 (func))
  (type $1 (func (result f64)))
  (func $0 (type 0))
  (func $1
    (type 1)
    (loop (result f64) (f64.const 0.0) (i32.const 0) (br_table 1) (call 0))
    (br 0)
    (unreachable)
  )
  (export "runf64" (func 1))
)

and the corresponding JavaScript validating and calling the exported function:

  let buffer = new Uint8Array([ 0,97,115,109,1,0,0,0,1,136,128,128,128,0,2,96,0,0,96,0,1,124,3,131,128,128,128,0,2,0,1,7,138,128,128,128,0,1,6,114,117,110,102,54,52,0,1,10,165,128,128,128,0,2,130,128,128,128,0,0,11,152,128,128,128,0,0,3,124,68,0,0,0,0,0,0,0,0,65,0,14,0,1,16,0,11,12,0,0,11 ]);

  print(WebAssembly.validate(buffer));
  let m = new WebAssembly.Instance(new WebAssembly.Module(buffer));
  print(m.exports.runf64().toString());

SpiderMonkey, V8, and Chakra all behave the same:

  $ sm jscissue3-validate-hyp-min.js
  true
  0
  $ v8 jscissue3-validate-hyp-min.js
  true
  0
  $ ch jscissue3-validate-hyp-min.js
  true
  0

However jsc loops as far as I can tell.

I think the cause is (br_table 1) executing with a 0 on top of the stack and an empty label list.
As I understand the standard https://webassembly.github.io/spec/core/exec/instructions.html#control-instructions
|l*| <= 0 and hence this should behave the same as (br 1), i.e., break out of the outermost control-context and therefore return. This agrees with the behavior of SpiderMonkey, V8, and Chakra.

Trying the above JS snippet in Safari 12.1.2 with AppleWebKit/605.1.15 I also get "true" and "0" as expected.
This may indicate a recent regression.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200320/2abd6bc3/attachment.htm>

More information about the webkit-unassigned mailing list