[Webkit-unassigned] [Bug 252538] New: Incorrect generated LLInt code for structs containing ref fields
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sat Feb 18 16:31:20 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=252538
Bug ID: 252538
Summary: Incorrect generated LLInt code for structs containing
ref fields
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebAssembly
Assignee: webkit-unassigned at lists.webkit.org
Reporter: tjc at igalia.com
The following test:
```
//@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true")
import * as assert from "../assert.js";
import { compile, instantiate } from "./wast-wrapper.js";
function module(bytes, valid = true) {
let buffer = new ArrayBuffer(bytes.length);
let view = new Uint8Array(buffer);
for (let i = 0; i < bytes.length; ++i) {
view[i] = bytes.charCodeAt(i);
}
return new WebAssembly.Module(buffer);
}
function testStructDeclaration() {
let m = instantiate(`
(module
(type $a (array i32))
(type $s (struct (field (ref $a)) (field (ref $a)) (field (ref $a))))
(func $new (result (ref $s))
(struct.new_canon $s (array.new_canon_default $a (i32.const 5))
(array.new_canon_default $a (i32.const 17))
(array.new_canon_default $a (i32.const 0))))
(func (export "len0") (result i32)
(struct.get $s 0 (call $new))
(array.len))
(func (export "len1") (result i32)
(struct.get $s 1 (call $new))
(array.len))
(func (export "len2") (result i32)
(struct.get $s 2 (call $new))
(array.len)))`);
assert.eq(m.exports.len0(), 5);
assert.eq(m.exports.len1(), 17);
assert.eq(m.exports.len2(), 0);
}
testStructDeclaration();
```
fails on the second `assert.eq` call. LLInt generates the following bytecode for the `$new` function:
```
<?>.wasm-function[0] : () -> [Ref]
wasm size: 20 bytes
bytecode: 10 instructions (0 16-bit instructions, 3 32-bit instructions); 85 bytes; 0 parameter(s); 18 local(s); 22 callee register(s)
[ 0] enter
[ 1] **array_new dst:loc18, size:5(const0), value:<invalid>, typeIndex:0, arrayNewKind:1
[ 23] **array_new dst:loc19, size:17(const1), value:<invalid>, typeIndex:0, arrayNewKind:1
[ 45] **array_new dst:loc20, size:0(const2), value:<invalid>, typeIndex:0, arrayNewKind:1
[ 67] mov dst:loc19, src:loc20
[ 70] mov dst:loc20, src:loc19
[ 73] mov dst:loc21, src:loc18
[ 76] struct_new dst:loc18, typeIndex:1, useDefault:false, firstValue:loc21
[ 81] mov dst:loc4, src:loc18
[ 84] ret
```
This assigns loc20 (the third argument to struct.new) into loc19, overwriting the second argument to struct.new. So if we write `(struct.new_canon $s e1 e2 e3)`, the result is the struct `{ e1, e3, e3 }`.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230219/45f34245/attachment.htm>
More information about the webkit-unassigned
mailing list