Bug 186641 - RESOLVED FIXED
wasm marshallArgument unable to correctly handle type B3::Void
https://bugs.webkit.org/show_bug.cgi?id=186641
Summary: wasm marshallArgument unable to correctly handle type B3::Void
Reported by dwfault, 2018-06-14 19:18:08 PDT
Created attachment 342784 [details]
The sample would make jsc crash.

marshallArgument in WebAssembly of JavaScriptCore could not correctly handle type B3::Void as an argument type in a function signature. Tested on git commit

The byte 0x70 in section Type was added up to 0xf0, in:

    template<typename SuccessType>
    ALWAYS_INLINE bool Parser<SuccessType>::parseInt7(int8_t& result)
    {
        if (m_offset >= length())
            return false;
        uint8_t v = source()[m_offset++];
        result = (v & 0x40) ? WTF::bitwise_cast<int8_t>(uint8_t(v | 0x80)) : v;
        return (v & 0x80) == 0;
    }

    template<typename Functor>
    void loadArguments(const Signature& signature, B3::Procedure& proc, B3::BasicBlock* block, B3::Origin origin, const Functor& functor) const
    {
        B3::Value* framePointer = block->appendNew<B3::Value>(proc, B3::FramePointer, origin);
        size_t gpArgumentCount = 0;
        size_t fpArgumentCount = 0;
        size_t stackOffset = headerSize;
        for (size_t i = 0; i < signature.argumentCount(); ++i) {
            B3::Type type = toB3Type(signature.argument(i));
            ---> In the function "toB3Type" byte 0xf0 is passed in, and B3::Void is returned.
            B3::Value* argument;
            B3::ValueRep rep = marshallArgument(type, gpArgumentCount, fpArgumentCount, stackOffset);
            ---> In this function "marshallArgument", B3::Void cannot be handled correctly, which caused a crash.
            if (rep.isReg()) {
                argument = block->appendNew<B3::ArgumentRegValue>(proc, origin, rep.reg());
                if (type == B3::Int32 || type == B3::Float)
                    argument = block->appendNew<B3::Value>(proc, B3::Trunc, origin, argument);
            } else {
                ASSERT(rep.isStackArgument());
                B3::Value* address = block->appendNew<B3::Value>(proc, B3::Add, origin, framePointer,
                    block->appendNew<B3::Const64Value>(proc, origin, rep.offsetFromSP()));
                argument = block->appendNew<B3::MemoryValue>(proc, B3::Load, type, origin, address);
            }
            functor(argument, i);
        }
    }

The crash happened here:

    B3::ValueRep marshallArgument(B3::Type type, size_t& gpArgumentCount, size_t& fpArgumentCount, size_t& stackOffset) const
    {
        switch (type) {
        case B3::Int32:
        case B3::Int64:
            return marshallArgumentImpl(m_gprArgs, type, gpArgumentCount, stackOffset);
        case B3::Float:
        case B3::Double:
            return marshallArgumentImpl(m_fprArgs, type, fpArgumentCount, stackOffset);
        case B3::Void:
            break;
        }
        RELEASE_ASSERT_NOT_REACHED(); ---> crash.
    }
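As an added illustration (not WebKit code and not the r232970 fix), a minimal stand-in for the type-decoding path the report walks through: the same int7 decoder, the MVP type-code mapping, and a parameter-list parser that rejects the void block type at parse time so it never reaches the marshalling switch. ValType, decodeTypeByte and countValidParams are hypothetical names; parameter counts are assumed to fit in one byte.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

enum class ValType { I32, I64, F32, F64, Void, Invalid };

// Signed 7-bit LEB128 decode, same shape as the Parser::parseInt7 quoted in the report.
static bool parseInt7(const std::vector<uint8_t>& src, size_t& offset, int8_t& result)
{
    if (offset >= src.size())
        return false;
    uint8_t v = src[offset++];
    uint8_t raw = (v & 0x40) ? uint8_t(v | 0x80) : v;
    std::memcpy(&result, &raw, 1); // stands in for WTF::bitwise_cast<int8_t>
    return (v & 0x80) == 0;
}

// Wasm MVP type codes as signed int7: -1 i32, -2 i64, -3 f32, -4 f64, -0x40 void (block type).
static ValType decodeType(int8_t code)
{
    if (code <= -1 && code >= -4)
        return ValType(-1 - code); // enum order matches the i32, i64, f32, f64 codes
    return code == -0x40 ? ValType::Void : ValType::Invalid;
}

// Decode one raw type byte (hypothetical helper, not WebKit API).
static ValType decodeTypeByte(uint8_t byte)
{
    std::vector<uint8_t> one = { byte };
    size_t offset = 0; int8_t code;
    return parseInt7(one, offset, code) ? decodeType(code) : ValType::Invalid;
}

// Parse "count, type*" of a func type entry (count assumed < 128); returns count or -1 on
// malformed input. Void is a valid block type but never a parameter type, so reject it here.
static int countValidParams(const std::vector<uint8_t>& src)
{
    if (src.empty() || (src[0] & 0x80))
        return -1;
    size_t offset = 1, count = src[0];
    for (size_t i = 0; i < count; ++i) {
        int8_t code;
        if (!parseInt7(src, offset, code))
            return -1;
        ValType t = decodeType(code);
        if (t == ValType::Void || t == ValType::Invalid)
            return -1;
    }
    return int(count);
}
```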
Attachments
    The sample would make jsc crash. (511 bytes, application/x-javascript), 2018-06-14 19:18 PDT, dwfault, no flags
Comment 1, dwfault, 2018-06-14 19:19:16 PDT
Tested on git commit 57ff755
Comment 2, Keith Miller, 2018-08-08 20:03:31 PDT
I think this was fixed by: http://trac.webkit.org/r232970.
Comment 3, Radar WebKit Bug Importer, 2018-08-08 20:04:25 PDT