164786 – WebAssembly: trap on bad division.

Bug 164786 - WebAssembly: trap on bad division.

Summary: WebAssembly: trap on bad division.

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Keith Miller

URL:
Keywords:	InRadar

Depends on:
Blocks:	163351
	Show dependency tree / graph

Reported:	2016-11-15 13:03 PST by Keith Miller
Modified:	2016-12-23 12:37 PST (History)
CC List:	6 users (show)

See Also:

Attachments
Patch (19.45 KB, patch) 2016-12-23 09:43 PST, Keith Miller	no flags	Details \| Formatted Diff \| Diff
Patch (19.09 KB, patch) 2016-12-23 09:47 PST, Keith Miller	no flags	Details \| Formatted Diff \| Diff
Patch (19.19 KB, patch) 2016-12-23 11:00 PST, Keith Miller	mark.lam: review+	Details \| Formatted Diff \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Keith Miller 2016-11-15 13:03:47 PST

i.e. x / 0 or intMin / -1

Comment 1 Radar WebKit Bug Importer 2016-12-20 14:33:12 PST

<rdar://problem/29760386>

Comment 2 Keith Miller 2016-12-23 09:43:21 PST

Created attachment 297712 [details]
Patch

Comment 3 Keith Miller 2016-12-23 09:47:11 PST

Created attachment 297713 [details]
Patch

Comment 4 WebKit Commit Bot 2016-12-23 09:49:40 PST

This patch modifies one of the wasm.json files. Please ensure that any changes in one have been mirrored to the other. You can find the wasm.json files at "Source/JavaScriptCore/wasm/wasm.json" and "JSTests/wasm/wasm.json".

Comment 5 Mark Lam 2016-12-23 09:59:58 PST

Comment on attachment 297713 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=297713&action=review

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:1017
> +            m_currentBlock->appendNew<Value>(m_proc, BitOr, Origin(),

Should be BitAnd here.

Comment 6 Keith Miller 2016-12-23 11:00:06 PST

Created attachment 297717 [details]
Patch

Comment 7 Mark Lam 2016-12-23 11:02:51 PST

Comment on attachment 297717 [details]
Patch

r=me

Comment 8 Keith Miller 2016-12-23 11:09:30 PST

Committed r210137: <http://trac.webkit.org/changeset/210137>

Comment 9 Saam Barati 2016-12-23 12:35:25 PST

Comment on attachment 297717 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=297717&action=review

> Source/JavaScriptCore/wasm/WasmPlan.cpp:197
> +    uint32_t threadCount = Options::useConcurrentJIT() ? WTF::numberOfProcessorCores() : 1;

Nit: it might be worth just adding an option for this.

Comment 10 Saam Barati 2016-12-23 12:37:54 PST

Comment on attachment 297717 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=297717&action=review

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:1001
> +    const B3::Type type = left->type();

Nit: might be worth asserting its Int32 or Int64