[Webkit-unassigned] [Bug 247383] New: [WASM-Function-References] Fix block signature parsing for reftypes

Wed Nov 2 15:23:05 PDT 2022

https://bugs.webkit.org/show_bug.cgi?id=247383

            Bug ID: 247383
           Summary: [WASM-Function-References] Fix block signature parsing
                    for reftypes
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: asumu at igalia.com

Parsing of block signatures currently does not correctly account for ref types with type indices. Here is an example that illustrates the problem:

```
// Run this in JSTests/wasm/gc

import * as assert from "../assert.js";
import { compile, instantiate } from "./wast-wrapper.js";

  instantiate(`
(module
  (type (func))

  (func (export "run")
    (block (result (ref null func)) (ref.null 0)) ;; (ref null 0) <: (ref null func)
    (br 0)
  )
)
`).exports.run();
```

This program should validate (and does in the reference interpreter) but currently doesn't in JSC. The problem is that `(ref null func)` in the block signature is not parsed correctly; it gets turned into a ref type with an invalid 0 index.

This can be fixed by adding a special case to `parseBlockSignature` for ref types.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221102/4bf7742a/attachment.htm>