Attachment 372220 Details for
Bug 198903
: [JSC] Grown region of WasmTable should be initialized with null
[patch]
Patch
bug-198903-20190616012706.patch (text/plain), 5.78 KB, created by
Yusuke Suzuki
on 2019-06-16 01:27:07 PDT
Description:
Patch
Filename:
MIME Type:
Creator:
Yusuke Suzuki
Created:
2019-06-16 01:27:07 PDT
Size:
5.78 KB
patch
obsolete
>Subversion Revision: 246441
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 65ee267357143c50676cb7e14a2d9ac568a2d18b..90b5885e2061d3a95fa2e3337bb705b87b36a2f1 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,22 @@
>+2019-06-16 Yusuke Suzuki <ysuzuki@apple.com>
>+
>+ [JSC] Grown region of WasmTable should be initialized with null
>+ https://bugs.webkit.org/show_bug.cgi?id=198903
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ Grown region of Wasmtable is now empty. We should initialize it with null.
>+ We also rename Wasm::Table::visitChildren to Wasm::Table::visitAggregate to
>+ align to the naming convention.
>+
>+ * wasm/WasmTable.cpp:
>+ (JSC::Wasm::Table::grow):
>+ (JSC::Wasm::Table::visitAggregate):
>+ (JSC::Wasm::Table::visitChildren): Deleted.
>+ * wasm/WasmTable.h:
>+ * wasm/js/JSWebAssemblyTable.cpp:
>+ (JSC::JSWebAssemblyTable::visitChildren):
>+
> 2019-06-13 Yusuke Suzuki <ysuzuki@apple.com>
>
> Yarr bytecode compilation failure should be gracefully handled
>diff --git a/Source/JavaScriptCore/wasm/WasmTable.cpp b/Source/JavaScriptCore/wasm/WasmTable.cpp
>index 13313468d160e85e519284e82dadc0a9adf68c03..b54645c642ee8b5ee0f32fb04ba4fb4fd802619c 100644
>--- a/Source/JavaScriptCore/wasm/WasmTable.cpp
>+++ b/Source/JavaScriptCore/wasm/WasmTable.cpp
>@@ -100,7 +100,7 @@ Optional<uint32_t> Table::grow(uint32_t delta)
> if (!isValidLength(newLength))
> return WTF::nullopt;
>
>- auto checkedGrow = [&] (auto& container) {
>+ auto checkedGrow = [&] (auto& container, auto initializer) {
> if (newLengthChecked.unsafeGet() > allocatedLength(m_length)) {
> Checked reallocSizeChecked = allocatedLength(newLengthChecked.unsafeGet());
> reallocSizeChecked *= sizeof(*container.get());
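Review bot: The new `initializer` parameter of `checkedGrow` is undocumented, and its contract is only visible from the next hunk: it runs on every slot in [m_length, allocatedLength(newLength)) immediately after placement construction, which includes the over-allocated tail past newLength. A one-line comment above the lambda would save the next reader that trip: `// initializer runs on each freshly constructed slot, including the over-allocated tail beyond newLength.`. The body of checkedGrow and the rest of Table::grow continue outside this hunk.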
>@@ -110,19 +110,21 @@ Optional<uint32_t> Table::grow(uint32_t delta)
> // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
> container.realloc(reallocSize);
> }
>- for (uint32_t i = m_length; i < allocatedLength(newLength); ++i)
>+ for (uint32_t i = m_length; i < allocatedLength(newLength); ++i) {
> new (&container.get()[i]) std::remove_reference_t<decltype(*container.get())>();
>+ initializer(container.get()[i]);
>+ }
> return true;
> };
>
> if (auto* funcRefTable = asFuncrefTable()) {
>- if (!checkedGrow(funcRefTable->m_importableFunctions))
>+ if (!checkedGrow(funcRefTable->m_importableFunctions, [] (auto&) { }))
> return WTF::nullopt;
>- if (!checkedGrow(funcRefTable->m_instances))
>+ if (!checkedGrow(funcRefTable->m_instances, [] (auto&) { }))
> return WTF::nullopt;
> }
>
>- if (!checkedGrow(m_jsValues))
>+ if (!checkedGrow(m_jsValues, [] (WriteBarrier<Unknown>& slot) { slot.setStartingValue(jsNull()); }))
> return WTF::nullopt;
>
> setLength(newLength);
>@@ -157,7 +159,7 @@ JSValue Table::get(uint32_t index) const
> return m_jsValues.get()[index & m_mask].get();
> }
>
>-void Table::visitChildren(SlotVisitor& visitor)
>+void Table::visitAggregate(SlotVisitor& visitor)
> {
> RELEASE_ASSERT(m_owner);
> auto locker = holdLock(m_owner->cellLock());
>diff --git a/Source/JavaScriptCore/wasm/WasmTable.h b/Source/JavaScriptCore/wasm/WasmTable.h
>index 4d57d4152cfa7b15ec3f15c616e7fc3b437ec6af..b1e2b5df4df1c645cf9b3302ea587a07feec8d6c 100644
>--- a/Source/JavaScriptCore/wasm/WasmTable.h
>+++ b/Source/JavaScriptCore/wasm/WasmTable.h
>@@ -76,7 +76,7 @@ class Table : public ThreadSafeRefCounted<Table> {
>
> Optional<uint32_t> grow(uint32_t delta);
>
>- void visitChildren(SlotVisitor&);
>+ void visitAggregate(SlotVisitor&);
>
> protected:
> Table(uint32_t initial, Optional<uint32_t> maximum, TableElementType = TableElementType::Anyref);
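Review bot: The `slot.setStartingValue(jsNull())` initializer on the m_jsValues line needs a why-comment, because a reader will ask why the initialization-only setter rather than the barriered one is safe here and why the loop runs to allocatedLength(newLength) instead of newLength. Both answers are short: jsNull() is not a cell, so no write barrier is involved, and `Table::get` later in this diff indexes with `index & m_mask` rather than checking against m_length, so the over-allocated tail presumably must hold a real value too. Suggested: `// No barrier needed: jsNull() is not a cell. Every slot up to allocatedLength(), not just newLength, must be initialized because get() masks the index.`. The two `[] (auto&) { }` no-op initializers for the funcref containers leave those slots at the value-initialized state produced by the placement-new on the line above; if that is the intended "empty entry", a short comment on them would make the asymmetry with m_jsValues read as deliberate rather than accidental.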
>diff --git a/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp b/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp
>index e441d0f713cef038f62447c1f108c6e44aa3e5f3..c709230949c0f1eff7583d9e73bdfd5124620f82 100644
>--- a/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp
>+++ b/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp
>@@ -80,7 +80,7 @@ void JSWebAssemblyTable::visitChildren(JSCell* cell, SlotVisitor& visitor)
> ASSERT_GC_OBJECT_INHERITS(thisObject, info());
>
> Base::visitChildren(thisObject, visitor);
>- thisObject->table()->visitChildren(visitor);
>+ thisObject->table()->visitAggregate(visitor);
> }
>
> bool JSWebAssemblyTable::grow(uint32_t delta)
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
>index c64efc71170c2abb45edc2b59ac5ac0c4e016ecb..b5293991244a0e6ad503fa40b18be48fd7fb5983 100644
>--- a/JSTests/ChangeLog
>+++ b/JSTests/ChangeLog
>@@ -1,3 +1,13 @@
>+2019-06-16 Yusuke Suzuki <ysuzuki@apple.com>
>+
>+ [JSC] Grown region of WasmTable should be initialized with null
>+ https://bugs.webkit.org/show_bug.cgi?id=198903
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ * wasm/stress/wasm-table-grow-initialize.js: Added.
>+ (shouldBe):
>+
> 2019-06-13 Yusuke Suzuki <ysuzuki@apple.com>
>
> Yarr bytecode compilation failure should be gracefully handled
>diff --git a/JSTests/wasm/stress/wasm-table-grow-initialize.js b/JSTests/wasm/stress/wasm-table-grow-initialize.js
>new file mode 100644
>index 0000000000000000000000000000000000000000..255635c9fa42bb79c5f92206730c99f504ddd439
>--- /dev/null
>+++ b/JSTests/wasm/stress/wasm-table-grow-initialize.js
>@@ -0,0 +1,13 @@
>+function shouldBe(actual, expected) {
>+ if (actual !== expected)
>+ throw new Error('bad value: ' + actual);
>+}
>+
>+var table = new WebAssembly.Table({
>+ element: "anyfunc",
>+ initial: 20
>+});
>+
>+table.grow(5)
>+for (var i = 0; i < 25; ++i)
>+ shouldBe(table.get(i), null);
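Review bot: The new test discards the result of `table.grow(5)` and never checks the resulting length, so it pins the element values but not that the grow itself behaved as expected; the line is also missing its semicolon. Replace it with `shouldBe(table.grow(5), 20);` followed by `shouldBe(table.length, 25);` so a failure in the grow path is reported as a bad value rather than surfacing indirectly through get() in the loop. The loop over 0..24 is the right check for the fix in WasmTable.cpp, since it reads both the original and the grown region.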