Bug 266249

Summary:	[Wasm-GC] Avoid spurious assertion in JSWebAssemblyArray::set
Product:	WebKit	Reporter:	Asumu Takikawa <asumu>
Component:	WebAssembly	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Asumu Takikawa

Reported 2023-12-11 13:12:05 PST

Example code (contributed by Zalim Bashorov): ``` (module ;; Test with a subtype as well. (type (sub (array (mut i16)))) (global (mut (ref null 0)) (ref.null 0)) (func (export "init") (global.set 0 (array.new 0 (i32.const 42) (i32.const 5))) (array.set 0 (global.get 0) (i32.const 3) (i32.and (i32.const 84) (i32.const 0xFFFF)))) (func (export "get") (param i32) (result i32) (array.get_u 0 (global.get 0) (local.get 0))) ) ``` This currently crashes in debug builds due to a spurious assertion in the array.set implementation.

Attachments
Add attachment proposed patch, testcase, etc.

Asumu Takikawa

Comment 1 2023-12-11 13:36:26 PST

Pull request: https://github.com/WebKit/WebKit/pull/21650

Asumu Takikawa

Comment 2 2023-12-18 13:11:56 PST

Pull request: https://github.com/WebKit/WebKit/pull/21926

Radar WebKit Bug Importer

Comment 3 2023-12-18 13:13:12 PST

<rdar://problem/119830822>

EWS

Comment 4 2024-01-05 18:13:18 PST

Committed 272719@main (1e4c23e67107): <https://commits.webkit.org/272719@main> Reviewed commits have been landed. Closing PR #21650 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.