Bug 165639 - webassembly -> JS calls: arity fixup seems to bork value profile
Status: RESOLVED DUPLICATE of bug 171707
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: JF Bastien
Keywords: InRadar
Depends on: 165591
Blocks: 161709
Reported: 2016-12-08 17:22 PST by JF Bastien
Modified: 2017-05-12 15:54 PDT
Description JF Bastien 2016-12-08 17:22:18 PST
The following test should trigger a crash where we try to check value profiles and get an invalid cell:

(function Polyphic2Import() {
    let counterA = 0;
    let counterB = undefined;
    const counterASetter = v => { print("====A==="); counterA = v };
    const counterBSetter = (v, bogus) => { print("====B==="); counterB = { valueB: v } };
    const module = wasmModuleWhichImportJS();
    const instanceA = new WebAssembly.Instance(module, { imp: { func: counterASetter } });
    const instanceB = new WebAssembly.Instance(module, { imp: { func: counterBSetter } });
    for (let i = 0; i < 4096; ++i) {
        print(`Iteration ${i} A:`);
        instanceA.exports.changeCounter(i);
        assert.isA(counterA, "number");
        assert.eq(counterA, i + 42);
        print(`Iteration ${i} B:`);
        instanceB.exports.changeCounter(i);
        assert.isA(counterB, "object");
        assert.eq(counterB.valueB, i + 42);
    }
})();


Removing the `bogus` arg makes the bug go away.
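
A self-contained stand-in for the `wasmModuleWhichImportJS()` helper, which the report does not show (added example, not the WebKit test suite's code). It hand-assembles a module whose exported `changeCounter(i)` calls the import `imp.func` with the single argument `i + 42`, so the two-parameter callee depends on the engine padding `bogus` with `undefined`. The module bytes, `runPolymorphicImport` and its result fields are assumptions made for illustration.

```javascript
// Constructed module bytes: every length below fits in one LEB128 byte.
const wasmName = s => [s.length, ...[...s].map(c => c.charCodeAt(0))];
const wasmSection = (id, body) => [id, body.length, ...body];
const I32 = 0x7f, FUNC = 0x00;

function wasmModuleWhichImportJS() {
  const bytes = new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,        // "\0asm", version 1
    ...wasmSection(1, [1, 0x60, 1, I32, 0]),                // type 0: (i32) -> ()
    ...wasmSection(2, [1, ...wasmName("imp"), ...wasmName("func"), FUNC, 0]),
    ...wasmSection(3, [1, 0]),                              // function 1 has type 0
    ...wasmSection(7, [1, ...wasmName("changeCounter"), FUNC, 1]),
    ...wasmSection(10, [1, 9, 0,                            // one 9-byte body, no locals
      0x20, 0,                                              // local.get 0
      0x41, 42,                                             // i32.const 42
      0x6a,                                                 // i32.add
      0x10, 0,                                              // call imp.func (function 0)
      0x0b]),                                               // end
  ]);
  return new WebAssembly.Module(bytes);
}

// Same shape as the reported test: one module, two instances, two callees of
// different declared arity, called in alternation from the same wasm call site.
function runPolymorphicImport(iterations) {
  const module = wasmModuleWhichImportJS();
  let counterA = 0, counterB, badBogus = 0, failures = 0;
  const setterA = v => { counterA = v; };
  const setterB = (v, bogus) => {                           // wasm passes only v
    if (bogus !== undefined) badBogus++;                    // padding must be undefined
    counterB = { valueB: v };
  };
  const a = new WebAssembly.Instance(module, { imp: { func: setterA } });
  const b = new WebAssembly.Instance(module, { imp: { func: setterB } });
  for (let i = 0; i < iterations; ++i) {
    a.exports.changeCounter(i);
    b.exports.changeCounter(i);
    const ok = counterA === i + 42 &&
               typeof counterB === "object" && counterB.valueB === i + 42;
    if (!ok) failures++;
  }
  return { counterA, valueB: counterB.valueB, badBogus, failures };
}
```

On an engine that handles the arity mismatch correctly, `runPolymorphicImport(4096)` reports zero failures and never sees a non-`undefined` `bogus`.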
Comment 1 Radar WebKit Bug Importer 2016-12-20 14:27:47 PST
<rdar://problem/29760296>
Comment 2 Keith Miller 2017-05-12 15:54:33 PDT
I think this was fixed by https://bugs.webkit.org/show_bug.cgi?id=171707. I'm going to close this.
Comment 3 Keith Miller 2017-05-12 15:54:48 PDT

*** This bug has been marked as a duplicate of bug 171707 ***