Bug 165639

Summary: webassembly -> JS calls: arity fixup seems to bork value profile
Product: WebKit Reporter: JF Bastien <jfbastien>
Component: JavaScriptCoreAssignee: JF Bastien <jfbastien>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ggaren, jfbastien, keith_miller, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 165591    
Bug Blocks: 161709    

JF Bastien
Reported 2016-12-08 17:22:18 PST
The following test should trigger a crash where we try to check value profiles and get an invalid cell: (function Polyphic2Import() { let counterA = 0; let counterB = undefined; const counterASetter = v => { print("====A==="); counterA = v }; const counterBSetter = (v, bogus) => { print("====B==="); counterB = { valueB: v } }; const module = wasmModuleWhichImportJS(); const instanceA = new WebAssembly.Instance(module, { imp: { func: counterASetter } }); const instanceB = new WebAssembly.Instance(module, { imp: { func: counterBSetter } }); for (let i = 0; i < 4096; ++i) { print(`Iteration ${i} A:`); instanceA.exports.changeCounter(i); assert.isA(counterA, "number"); assert.eq(counterA, i + 42); print(`Iteration ${i} B:`); instanceB.exports.changeCounter(i); assert.isA(counterB, "object"); assert.eq(counterB.valueB, i + 42); } })(); Removing the `bogus` arg makes the bug go away.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2016-12-20 14:27:47 PST
<rdar://problem/29760296>
Keith Miller
Comment 2 2017-05-12 15:54:33 PDT
I think this was fixed by https://bugs.webkit.org/show_bug.cgi?id=171707. I'm going to close this.
Keith Miller
Comment 3 2017-05-12 15:54:48 PDT
*** This bug has been marked as a duplicate of bug 171707 ***
Note You need to log in before you can comment on or make changes to this bug.