WebKit Bugzilla
Attachment 370950 Details for Bug 198355: oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016)
Patch: bug-198355-20190529195016.patch (text/plain), 4.22 KB, created by Justin Michaud on 2019-05-30 10:26:28 PDT
Description: Patch
Flags: patch, obsolete
>Subversion Revision: 245878 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index c89b5047dc7360522708d7f5eea5b1786a4d6185..af258c7ac2517ad810ee22d02b4c41998be55bbe 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,15 @@ >+2019-05-29 Justin Michaud <justin_michaud@apple.com> >+ >+ oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016) >+ https://bugs.webkit.org/show_bug.cgi?id=198355 >+ >+ Reviewed by Saam Barati. >+ >+ Fix missing anyref case in addLocal. >+ >+ * wasm/WasmAirIRGenerator.cpp: >+ (JSC::Wasm::AirIRGenerator::addLocal): >+ > 2019-05-29 Don Olmstead <don.olmstead@sony.com> > > Remove ENABLE definitions from WebKit config files >diff --git a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >index ce524dfde94530e120abc8da79153d01f158029e..3f51d0b0fc42797341e864f807d527fc2446c0c1 100644 >--- a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >@@ -879,6 +879,9 @@ auto AirIRGenerator::addLocal(Type type, uint32_t count) -> PartialResult > auto local = tmpForType(type); > m_locals.uncheckedAppend(local); > switch (type) { >+ case Type::Anyref: >+ append(Move, Arg::imm(JSValue::encode(jsNull())), local); >+ break; > case Type::I32: > case Type::I64: { > append(Xor64, local, local); >diff --git a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >index 11b360373f4185cfffb8904ad2aa063b6c0b7333..3fb684b81f3be9714cc7979510267d5920de8e0a 100644 >--- a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp 
>@@ -534,7 +534,8 @@ auto B3IRGenerator::addLocal(Type type, uint32_t count) -> PartialResult > for (uint32_t i = 0; i < count; ++i) { > Variable* local = m_proc.addVariable(toB3Type(type)); > m_locals.uncheckedAppend(local); >- m_currentBlock->appendNew<VariableValue>(m_proc, Set, Origin(), local, constant(toB3Type(type), 0, Origin())); >+ auto val = type == Anyref ? JSValue::encode(jsNull()) : 0; >+ m_currentBlock->appendNew<VariableValue>(m_proc, Set, Origin(), local, constant(toB3Type(type), val, Origin())); > } > return { }; > } >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index c2f72e89661e2d6a368a5a5fbf243b4d0e5fa10c..7b2a9a26aea07be682e1f5bddf8cae728252b049 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,12 @@ >+2019-05-29 Justin Michaud <justin_michaud@apple.com> >+ >+ oss-fuzz: jsc: Issue 15016: jsc: Abrt in JSC::Wasm::AirIRGenerator::addLocal (15016) >+ https://bugs.webkit.org/show_bug.cgi?id=198355 >+ >+ Reviewed by Saam Barati. >+ >+ * wasm/references/is_null.js: >+ > 2019-05-28 Dean Jackson <dino@apple.com> > > Implement Promise.allSettled >diff --git a/JSTests/wasm/references/is_null.js b/JSTests/wasm/references/is_null.js >index 52bcbf36a78259e1ba8fe4b50b18ce88c3024dfb..1c7bc578fa94926856871e82722d7bd680d3a6b9 100644 >--- a/JSTests/wasm/references/is_null.js >+++ b/JSTests/wasm/references/is_null.js >@@ -9,10 +9,13 @@ const builder = (new Builder()) > .Function("i") > .Function("j") > .Function("k") >+ .Function("local_read") > .End() > .Code() >- .Function("h", { params: ["anyref"], ret: "anyref" }) >+ .Function("h", { params: ["anyref"], ret: "anyref" }, ["anyref"]) > .GetLocal(0) >+ .SetLocal(1) >+ .GetLocal(1) > .End() > > .Function("i", { params: [], ret: "anyref" }) 
>@@ -29,6 +32,11 @@ const builder = (new Builder()) > .RefNull() > .RefIsNull() > .End() >+ >+ .Function("local_read", { params: [], ret: "i32" }, ["anyref"]) >+ .GetLocal(0) >+ .RefIsNull() >+ .End() > .End(); > > const bin = builder.WebAssembly().get(); >@@ -51,6 +59,7 @@ assert.eq(instance.exports.j(null), 1) > assert.eq(instance.exports.j(undefined), 0) > > assert.eq(instance.exports.k(), 1) >+assert.eq(instance.exports.local_read(), 1) > > assert.eq(obj.test, "hi") > const obj2 = instance.exports.h(obj)
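Review bot: in the Source/JavaScriptCore/ChangeLog hunk, the entry lists only `* wasm/WasmAirIRGenerator.cpp:` / `(JSC::Wasm::AirIRGenerator::addLocal):`, but the patch also changes `B3IRGenerator::addLocal` in wasm/WasmB3IRGenerator.cpp; add a matching `* wasm/WasmB3IRGenerator.cpp:` and `(JSC::Wasm::B3IRGenerator::addLocal):` pair so the log matches the diff.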
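Review bot: in the WasmAirIRGenerator.cpp hunk (`@@ -879,6 +879,9 @@`), the new `case Type::Anyref:` initializes the local with `Arg::imm(JSValue::encode(jsNull()))` while the `Type::I32` / `Type::I64` arm right below zeroes it with `Xor64`; a one-line comment saying why a zero bit pattern is not an acceptable initial value for an anyref local (and why encoded null is) would spare the next reader from rediscovering the reason behind this fix.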
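Review bot: in the WasmB3IRGenerator.cpp hunk (`@@ -534,7 +534,8 @@`), `auto val = type == Anyref ? JSValue::encode(jsNull()) : 0;` writes the enumerator unqualified while the Air hunk in the same patch uses `Type::Anyref`; use the qualified form here for consistency. The deduced type of `val` also depends on how the ternary reconciles `JSValue::encode(jsNull())` with the literal `0`; spelling the type out instead of `auto` makes it explicit what is handed to `constant(toB3Type(type), val, Origin())`.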
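Review bot: in the JSTests/wasm/references/is_null.js hunk (`@@ -29,6 +32,11 @@`), `local_read` is the actual regression test for reading a never-written anyref local, whereas the change to `h` in the preceding hunk (`.SetLocal(1)` followed by `.GetLocal(1)`) only exercises the store/load pair on an initialized local; a short comment next to `local_read` saying it covers the uninitialized-read case from bug 198355 would make that division of coverage clear to a later reader.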
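Review bot: in the last is_null.js hunk (`@@ -51,6 +59,7 @@`), `assert.eq(instance.exports.local_read(), 1)` checks the fresh local only through `ref.is_null` inside wasm; since `h` already returns an anyref to JS (`instance.exports.h(obj)`), consider also exporting a function that returns the uninitialized local itself and asserting the JS-side result is `null`, so the test confirms the initial encoding round-trips to JS rather than only satisfying the wasm-level predicate.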