Bug 186641

Summary: wasm marshallArgument unable to correctly handle type B3::Void
Product: WebKit
Reporter: dwfault
Component: WebAssembly
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: fpizlo, keith_miller, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: All
OS: All
Attachments:
  The sample would make jsc crash. (Flags: none)

Description dwfault 2018-06-14 19:18:08 PDT
Created attachment 342784 [details]
The sample would make jsc crash.

marshallArgument in WebAssembly of JavaScriptCore could not correctly handle type B3::Void as an argument type in a function signature. Tested on git commit 


The byte 0x70 in the Type section was added up to 0xf0, in:

    template<typename SuccessType>
    ALWAYS_INLINE bool Parser<SuccessType>::parseInt7(int8_t& result)
    {
        if (m_offset >= length())
            return false;
        uint8_t v = source()[m_offset++];
        result = (v & 0x40) ? WTF::bitwise_cast<int8_t>(uint8_t(v | 0x80)) : v;
        return (v & 0x80) == 0;
    }


    template<typename Functor>
    void loadArguments(const Signature& signature, B3::Procedure& proc, B3::BasicBlock* block, B3::Origin origin, const Functor& functor) const
    {
        B3::Value* framePointer = block->appendNew<B3::Value>(proc, B3::FramePointer, origin);

        size_t gpArgumentCount = 0;
        size_t fpArgumentCount = 0;
        size_t stackOffset = headerSize;

        for (size_t i = 0; i < signature.argumentCount(); ++i) {
            B3::Type type = toB3Type(signature.argument(i));  // ---> In the function "toB3Type" byte 0xf0 is passed in, and B3::Void is returned.
            B3::Value* argument;
            B3::ValueRep rep = marshallArgument(type, gpArgumentCount, fpArgumentCount, stackOffset);  // ---> In this function "marshallArgument", B3::Void cannot be handled correctly, which caused a crash.
            if (rep.isReg()) {
                argument = block->appendNew<B3::ArgumentRegValue>(proc, origin, rep.reg());
                if (type == B3::Int32 || type == B3::Float)
                    argument = block->appendNew<B3::Value>(proc, B3::Trunc, origin, argument);
            } else {
                ASSERT(rep.isStackArgument());
                B3::Value* address = block->appendNew<B3::Value>(proc, B3::Add, origin, framePointer,
                    block->appendNew<B3::Const64Value>(proc, origin, rep.offsetFromSP()));
                argument = block->appendNew<B3::MemoryValue>(proc, B3::Load, type, origin, address);
            }
            functor(argument, i);
        }
    }



The crash happened here:

    B3::ValueRep marshallArgument(B3::Type type, size_t& gpArgumentCount, size_t& fpArgumentCount, size_t& stackOffset) const
    {
        switch (type) {
        case B3::Int32:
        case B3::Int64:
            return marshallArgumentImpl(m_gprArgs, type, gpArgumentCount, stackOffset);
        case B3::Float:
        case B3::Double:
            return marshallArgumentImpl(m_fprArgs, type, fpArgumentCount, stackOffset);
        case B3::Void:
            break;
        }
        RELEASE_ASSERT_NOT_REACHED();  // ---> crash.
    }
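As an added illustration (constructed model, not WebKit code and not part of the report): the path described above, with parseInt7 copied from the quoted source, a toB3Type that maps non-value types to Void, and a loadArguments that rejects such a type before it ever reaches marshallArgument. Register counts and stack slot sizes are made up; the signed type values are what parseInt7 produces for the wasm type bytes.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Constructed model of the path in the report (not WebKit code). parseInt7 yields -1 (i32, 0x7f),
// -2 (i64, 0x7e), -3 (f32, 0x7d), -4 (f64, 0x7c) and -16 (anyfunc, 0x70) for the wasm type bytes.
enum class B3Type { Void, Int32, Int64, Float, Double };
struct ArgLoc { bool inRegister; size_t slot; };
// parseInt7 as quoted in the report: sign-extends bit 6, fails if bit 7 is set.
bool parseInt7(const std::vector<uint8_t>& src, size_t& offset, int8_t& result) {
    if (offset >= src.size()) return false;
    uint8_t v = src[offset++];
    result = (v & 0x40) ? static_cast<int8_t>(uint8_t(v | 0x80)) : static_cast<int8_t>(v);
    return (v & 0x80) == 0;
}
// Lenient mapping matching the report's description: any non-value type becomes Void.
B3Type toB3Type(int8_t type) {
    switch (type) {
    case -1: return B3Type::Int32;
    case -2: return B3Type::Int64;
    case -3: return B3Type::Float;
    case -4: return B3Type::Double;
    default: return B3Type::Void;   // -16 (anyfunc) lands here, as in the report
    }
}
// Model of marshallArgument; nullopt for Void stands in for the report's RELEASE_ASSERT_NOT_REACHED.
std::optional<ArgLoc> marshallArgument(B3Type type, size_t& gp, size_t& fp, size_t& stackOffset) {
    if (type == B3Type::Void) return std::nullopt;
    size_t& used = (type == B3Type::Int32 || type == B3Type::Int64) ? gp : fp;
    if (used < 2) return ArgLoc{true, used++};   // constructed: two registers per class
    stackOffset += 8;                             // constructed: 8-byte stack slots
    return ArgLoc{false, stackOffset - 8};
}

// Hardened loadArguments: every parameter type is decoded and checked before it is
// marshalled, so a signature with an anyfunc parameter is rejected instead of crashing.
std::optional<std::vector<ArgLoc>> loadArguments(const std::vector<uint8_t>& typeBytes) {
    std::vector<ArgLoc> locs;
    size_t gp = 0, fp = 0, stackOffset = 0;
    for (size_t offset = 0; offset < typeBytes.size();) {
        int8_t raw;
        if (!parseInt7(typeBytes, offset, raw)) return std::nullopt;  // malformed type byte
        B3Type type = toB3Type(raw);
        if (type == B3Type::Void) return std::nullopt;                // not a value type
        locs.push_back(*marshallArgument(type, gp, fp, stackOffset));
    }
    return locs;
}
```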
Comment 1 dwfault 2018-06-14 19:19:16 PDT
Tested on git commit 57ff755
Comment 2 Keith Miller 2018-08-08 20:03:31 PDT
I think this was fixed by: http://trac.webkit.org/r232970.
Comment 3 Radar WebKit Bug Importer 2018-08-08 20:04:25 PDT
<rdar://problem/43076679>