RESOLVED FIXED266249
[Wasm-GC] Avoid spurious assertion in JSWebAssemblyArray::set 
https://bugs.webkit.org/show_bug.cgi?id=266249
Summary [Wasm-GC] Avoid spurious assertion in JSWebAssemblyArray::set
Asumu Takikawa
Reported 2023-12-11 13:12:05 PST
Example code (contributed by Zalim Bashorov): ``` (module ;; Test with a subtype as well. (type (sub (array (mut i16)))) (global (mut (ref null 0)) (ref.null 0)) (func (export "init") (global.set 0 (array.new 0 (i32.const 42) (i32.const 5))) (array.set 0 (global.get 0) (i32.const 3) (i32.and (i32.const 84) (i32.const 0xFFFF)))) (func (export "get") (param i32) (result i32) (array.get_u 0 (global.get 0) (local.get 0))) ) ``` This currently crashes in debug builds due to a spurious assertion in the array.set implementation.
Attachments
Add attachment proposed patch, testcase, etc.
Asumu Takikawa
Comment 1 2023-12-11 13:36:26 PST
Pull request: https://github.com/WebKit/WebKit/pull/21650
Asumu Takikawa
Comment 2 2023-12-18 13:11:56 PST
Pull request: https://github.com/WebKit/WebKit/pull/21926
Radar WebKit Bug Importer
Comment 3 2023-12-18 13:13:12 PST
<rdar://problem/119830822>
EWS
Comment 4 2024-01-05 18:13:18 PST
Committed 272719@main (1e4c23e67107): <https://commits.webkit.org/272719@main> Reviewed commits have been landed. Closing PR #21650 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.