WebKit Bugzilla
Attachment 369626 Details for Bug 197807: Call to JSToWasmICCallee::createStructure passes in wrong prototype value
[patch] patch
b-backup.diff (text/plain), 3.60 KB, created by Saam Barati on 2019-05-10 17:51:25 PDT
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 245202) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,15 @@ >+2019-05-10 Saam barati <sbarati@apple.com> >+ >+ Call to JSToWasmICCallee::createStructure passes in wrong prototype value >+ https://bugs.webkit.org/show_bug.cgi?id=197807 >+ <rdar://problem/50530400> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/js-to-wasm-callee-has-correct-prototype.js: Added. >+ (test.getInstance): >+ (test): >+ > 2019-05-10 Ross Kirsling <ross.kirsling@sony.com> > > [Test262] Unreviewed expectations update following r245188. >Index: JSTests/stress/js-to-wasm-callee-has-correct-prototype.js >=================================================================== >--- JSTests/stress/js-to-wasm-callee-has-correct-prototype.js (nonexistent) >+++ JSTests/stress/js-to-wasm-callee-has-correct-prototype.js (working copy) 
>@@ -0,0 +1,22 @@ >+//@ runDefault("--jitPolicyScale=0", "--useSamplingProfiler=1") >+ >+function test() { >+ function getInstance(bytes) { >+ let u8 = Uint8Array.from(bytes, x=>x.charCodeAt(0)); >+ let module = new WebAssembly.Module(u8.buffer); >+ return new WebAssembly.Instance(module); >+ } >+ >+ let webAsm = getInstance('\0asm\x01\0\0\0\x01\x8E\x80\x80\x80\0\x03`\0\x01\x7F`\0\x01\x7F`\x01\x7F\x01\x7F\x03\x88\x80\x80\x80\0\x07\0\0\0\x01\x01\x02\x02\x04\x85\x80\x80\x80\0\x01p\x01\x07\x07\x07\x91\x80\x80\x80\0\x02\x05callt\0\x05\x05callu\0\x06\t\x8D\x80\x80\x80\0\x01\0A\0\x0B\x07\0\x01\x02\x03\x04\0\x02\nÃ\x80\x80\x80\0\x07\x84\x80\x80\x80\0\0A\x01\x0B\x84\x80\x80\x80\0\0A\x02\x0B\x84\x80\x80\x80\0\0A\x03\x0B\x84\x80\x80\x80\0\0A\x04\x0B\x84\x80\x80\x80\0\0A\x05\x0B\x87\x80\x80\x80\0\0 \0\x11\0\0\x0B\x87\x80\x80\x80\0\0 \0\x11\x01\0\x0B'); >+ >+ for (let j = 0; j < 1000; j++) { >+ try { >+ webAsm.exports.callt(-1); >+ } catch(e) {} >+ } >+ >+ samplingProfilerStackTraces(); >+} >+ >+if (this.WebAssembly) >+ test(); >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 245197) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,18 @@ >+2019-05-10 Saam barati <sbarati@apple.com> >+ >+ Call to JSToWasmICCallee::createStructure passes in wrong prototype value >+ https://bugs.webkit.org/show_bug.cgi?id=197807 >+ <rdar://problem/50530400> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ We were passing the empty value instead of null. However, the empty >+ value means the Structure is poly proto. That's definitely not the case >+ here. >+ >+ * runtime/JSGlobalObject.cpp: >+ (JSC::JSGlobalObject::init): >+ > 2019-05-10 Yusuke Suzuki <ysuzuki@apple.com> > > [JSC] String substring operation should return ropes consistently >Index: Source/JavaScriptCore/runtime/JSGlobalObject.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/JSGlobalObject.cpp (revision 245197) >+++ Source/JavaScriptCore/runtime/JSGlobalObject.cpp (working copy) >@@ -1062,7 +1062,7 @@ putDirectWithoutTransition(vm, vm.proper > }); > m_jsToWasmICCalleeStructure.initLater( > [] (const Initializer<Structure>& init) { >- init.set(JSToWasmICCallee::createStructure(init.vm, init.owner, JSValue())); >+ init.set(JSToWasmICCallee::createStructure(init.vm, init.owner, jsNull())); > }); > m_webAssemblyWrapperFunctionStructure.initLater( > [] (const Initializer<Structure>& init) {
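Review bot: In JSTests/stress/js-to-wasm-callee-has-correct-prototype.js the loop wraps `webAsm.exports.callt(-1)` in `try { ... } catch(e) {}` and the return value of `samplingProfilerStackTraces()` is discarded, so the test only fails if the engine crashes or hits an assertion. If `callt(-1)` ever stops throwing, or throws for an unrelated reason, the test still passes without exercising the path it was written for. Consider checking that an exception was actually caught and that it is the expected kind, and add a short comment above the `getInstance('\0asm...')` call saying what the embedded module contains (it exports `callt` and `callu`) and why the call with -1 is expected to throw, since the byte string is otherwise opaque to the next reader.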
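Review bot: In Source/JavaScriptCore/runtime/JSGlobalObject.cpp the corrected call `JSToWasmICCallee::createStructure(init.vm, init.owner, jsNull())` carries no comment, and the reason it matters (the ChangeLog says the empty value marks the Structure as poly proto) lives only in the ChangeLog. A one-line comment at the call site, or a debug assertion where the prototype argument is consumed that rejects the empty value when poly proto is not intended, would keep `JSValue()` from being reintroduced here. The trailing context shows the `m_webAssemblyWrapperFunctionStructure.initLater` initializer but cuts off before its `createStructure` call, so please confirm that it and the other initializers in `JSGlobalObject::init` do not pass `JSValue()` as the prototype in the same way.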