From 16b856ec004bbffbfc4a468e6df38a75c3fc97df Mon Sep 17 00:00:00 2001 From: Sergey Rubanov Date: Fri, 13 Nov 2020 21:39:02 +0000 Subject: [PATCH] WebAssembly: opcodes for table.grow and table.size are mixed up https://bugs.webkit.org/show_bug.cgi?id=218644 Patch by Sergey Rubanov on 2020-11-13 Reviewed by Yusuke Suzuki. JSTests: * wasm/stress/table-grow-table-size.js: Added. (async test): * wasm/wasm.json: Source/JavaScriptCore: * wasm/wasm.json: LayoutTests: * workers/wasm-references/test.js: Canonical link: https://commits.webkit.org/231563@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@269790 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- JSTests/ChangeLog | 11 ++++++++++ JSTests/wasm/stress/table-grow-table-size.js | 22 ++++++++++++++++++++ JSTests/wasm/wasm.json | 6 +++--- LayoutTests/ChangeLog | 9 ++++++++ LayoutTests/workers/wasm-references/test.js | 4 ++-- Source/JavaScriptCore/ChangeLog | 9 ++++++++ Source/JavaScriptCore/wasm/wasm.json | 6 +++--- 7 files changed, 59 insertions(+), 8 deletions(-) create mode 100644 JSTests/wasm/stress/table-grow-table-size.js diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog index 1da4e2bd9d89..dec553632a34 100644 --- a/JSTests/ChangeLog +++ b/JSTests/ChangeLog @@ -1,3 +1,14 @@ +2020-11-13 Sergey Rubanov + + WebAssembly: opcodes for table.grow and table.size are mixed up + https://bugs.webkit.org/show_bug.cgi?id=218644 + + Reviewed by Yusuke Suzuki. + + * wasm/stress/table-grow-table-size.js: Added. + (async test): + * wasm/wasm.json: + 2020-11-13 Sergey Rubanov WebAssembly: update wabt.js diff --git a/JSTests/wasm/stress/table-grow-table-size.js b/JSTests/wasm/stress/table-grow-table-size.js new file mode 100644 index 000000000000..dbd6b284b087 --- /dev/null +++ b/JSTests/wasm/stress/table-grow-table-size.js @@ -0,0 +1,22 @@ +//@ requireOptions("--useWebAssemblyReferences=1") +import { instantiate } from "../wabt-wrapper.js"; +import * as assert from "../assert.js"; + +let wat = ` +(module + (table $table 0 externref) + (func (export "size") (result i32) (table.size $table)) + (func (export "grow") (param $sz i32) (result i32) + (table.grow $table (ref.null extern) (local.get $sz)) + ) +) +`; +async function test() { + const instance = await instantiate(wat, {}, {reference_types: true}); + const {size, grow} = instance.exports; + assert.eq(size(), 0); + assert.eq(grow(42), 0); + assert.eq(size(), 42); +} + +assert.asyncTest(test()); diff --git a/JSTests/wasm/wasm.json b/JSTests/wasm/wasm.json index ca74eec1e68c..308ecb9731d3 100644 --- a/JSTests/wasm/wasm.json +++ b/JSTests/wasm/wasm.json @@ -69,9 +69,9 @@ "set_global": { "category": "special", "value": 36, "return": [], "parameter": ["any"], "immediate": [{"name": "global_index", "type": "varuint32"}], "description": "write a global variable" }, "table.get": { "category": "special", "value": 37, "return": ["externref"], "parameter": ["i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "get a table value" }, "table.set": { "category": "special", "value": 38, "return": [], "parameter": ["i32", "externref"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "set a table value" }, - "table.size": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": [], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "get the size of a table", "extendedOp": 15 }, - "table.grow": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["externref", "i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "grow a table by the given delta and return the previous size, or -1 if enough space cannot be allocated", "extendedOp": 16 }, - "table.fill": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["i32", "externref", "i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "fill entries [i,i+n) with the given value", "extendedOp": 17 }, + "table.grow": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["externref", "i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "grow a table by the given delta and return the previous size, or -1 if enough space cannot be allocated", "extendedOp": 15 }, + "table.size": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": [], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "get the size of a table", "extendedOp": 16 }, + "table.fill": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["i32", "externref", "i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "fill entries [i,i+n) with the given value", "extendedOp": 17 }, "call": { "category": "call", "value": 16, "return": ["call"], "parameter": ["call"], "immediate": [{"name": "function_index", "type": "varuint32"}], "description": "call a function by its index" }, "call_indirect": { "category": "call", "value": 17, "return": ["call"], "parameter": ["call"], "immediate": [{"name": "type_index", "type": "varuint32"}, {"name": "table_index","type": "varuint32"}],"description": "call a function indirect with an expected signature" }, "i32.load8_s": { "category": "memory", "value": 44, "return": ["i32"], "parameter": ["addr"], "immediate": [{"name": "flags", "type": "varuint32"}, {"name": "offset", "type": "varuint32"}], "description": "load from memory" }, diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index a538148532e4..a87c70ab3658 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,12 @@ +2020-11-13 Sergey Rubanov + + WebAssembly: opcodes for table.grow and table.size are mixed up + https://bugs.webkit.org/show_bug.cgi?id=218644 + + Reviewed by Yusuke Suzuki. + + * workers/wasm-references/test.js: + 2020-11-12 Darin Adler Remove unused advanced plug-in features: snapshotting and plug-in load policy diff --git a/LayoutTests/workers/wasm-references/test.js b/LayoutTests/workers/wasm-references/test.js index d4b8c549633d..214a2bdcd580 100644 --- a/LayoutTests/workers/wasm-references/test.js +++ b/LayoutTests/workers/wasm-references/test.js @@ -239,8 +239,8 @@ const WASM_JSON = ` "set_global": { "category": "special", "value": 36, "return": [], "parameter": ["any"], "immediate": [{"name": "global_index", "type": "varuint32"}], "description": "write a global variable" }, "table.get": { "category": "special", "value": 37, "return": ["externref"], "parameter": ["i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "get a table value" }, "table.set": { "category": "special", "value": 38, "return": [], "parameter": ["i32", "externref"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "set a table value" }, - "table.size": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": [], "immediate": [{"name": "global_index", "type": "varuint32"}], "description": "get the size of a table", "extendedOp": 15 }, - "table.grow": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["externref", "i32"], "immediate": [{"name": "global_index", "type": "varuint32"}], "description": "grow a table by the given delta and return the previous size, or -1 if enough space cannot be allocated", "extendedOp": 16 }, + "table.grow": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["externref", "i32"], "immediate": [{"name": "global_index", "type": "varuint32"}], "description": "grow a table by the given delta and return the previous size, or -1 if enough space cannot be allocated", "extendedOp": 15 }, + "table.size": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": [], "immediate": [{"name": "global_index", "type": "varuint32"}], "description": "get the size of a table", "extendedOp": 16 }, "table.fill": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["i32", "externref", "i32"], "immediate": [{"name": "global_index", "type": "varuint32"}], "description": "fill entries [i,i+n) with the given value", "extendedOp": 17 }, "call": { "category": "call", "value": 16, "return": ["call"], "parameter": ["call"], "immediate": [{"name": "function_index", "type": "varuint32"}], "description": "call a function by its index" }, "call_indirect": { "category": "call", "value": 17, "return": ["call"], "parameter": ["call"], "immediate": [{"name": "type_index", "type": "varuint32"}, {"name": "table_index","type": "varuint32"}],"description": "call a function indirect with an expected signature" }, diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog index 726194771392..6f0aab320c72 100644 --- a/Source/JavaScriptCore/ChangeLog +++ b/Source/JavaScriptCore/ChangeLog @@ -1,3 +1,12 @@ +2020-11-13 Sergey Rubanov + + WebAssembly: opcodes for table.grow and table.size are mixed up + https://bugs.webkit.org/show_bug.cgi?id=218644 + + Reviewed by Yusuke Suzuki. + + * wasm/wasm.json: + 2020-11-12 Devin Rousso Web Inspector: ensure that `JSON::ArrayOf` doesn't allow `addItem` to be called with a type other than `T` diff --git a/Source/JavaScriptCore/wasm/wasm.json b/Source/JavaScriptCore/wasm/wasm.json index ca74eec1e68c..308ecb9731d3 100644 --- a/Source/JavaScriptCore/wasm/wasm.json +++ b/Source/JavaScriptCore/wasm/wasm.json @@ -69,9 +69,9 @@ "set_global": { "category": "special", "value": 36, "return": [], "parameter": ["any"], "immediate": [{"name": "global_index", "type": "varuint32"}], "description": "write a global variable" }, "table.get": { "category": "special", "value": 37, "return": ["externref"], "parameter": ["i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "get a table value" }, "table.set": { "category": "special", "value": 38, "return": [], "parameter": ["i32", "externref"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "set a table value" }, - "table.size": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": [], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "get the size of a table", "extendedOp": 15 }, - "table.grow": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["externref", "i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "grow a table by the given delta and return the previous size, or -1 if enough space cannot be allocated", "extendedOp": 16 }, - "table.fill": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["i32", "externref", "i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "fill entries [i,i+n) with the given value", "extendedOp": 17 }, + "table.grow": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["externref", "i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "grow a table by the given delta and return the previous size, or -1 if enough space cannot be allocated", "extendedOp": 15 }, + "table.size": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": [], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "get the size of a table", "extendedOp": 16 }, + "table.fill": { "category": "exttable", "value": 252, "return": ["i32"], "parameter": ["i32", "externref", "i32"], "immediate": [{"name": "table_index", "type": "varuint32"}], "description": "fill entries [i,i+n) with the given value", "extendedOp": 17 }, "call": { "category": "call", "value": 16, "return": ["call"], "parameter": ["call"], "immediate": [{"name": "function_index", "type": "varuint32"}], "description": "call a function by its index" }, "call_indirect": { "category": "call", "value": 17, "return": ["call"], "parameter": ["call"], "immediate": [{"name": "type_index", "type": "varuint32"}, {"name": "table_index","type": "varuint32"}],"description": "call a function indirect with an expected signature" }, "i32.load8_s": { "category": "memory", "value": 44, "return": ["i32"], "parameter": ["addr"], "immediate": [{"name": "flags", "type": "varuint32"}, {"name": "offset", "type": "varuint32"}], "description": "load from memory" },