[Webkit-unassigned] [Bug 266249] New: [Wasm-GC] Avoid spurious assertion in JSWebAssemblyArray::set

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 11 13:12:05 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=266249

            Bug ID: 266249
           Summary: [Wasm-GC] Avoid spurious assertion in
                    JSWebAssemblyArray::set
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: asumu at igalia.com

Example code (contributed by Zalim Bashorov):

```
(module
  ;; Test with a subtype as well.
  (type (sub (array (mut i16))))
  (global (mut (ref null 0)) (ref.null 0))
  (func (export "init")
    (global.set 0 (array.new 0 (i32.const 42) (i32.const 5)))
    (array.set 0 (global.get 0) (i32.const 3) (i32.and (i32.const 84) (i32.const 0xFFFF))))
  (func (export "get") (param i32) (result i32)
    (array.get_u 0 (global.get 0) (local.get 0)))
)
```

This currently crashes in debug builds due to a spurious assertion in the array.set implementation.
