[JSC] wasm atomic wait offset is not index

https://bugs.webkit.org/show_bug.cgi?id=223159 Reviewed by Mark Lam. JSTests: * wasm.yaml: * wasm/threads-spec-tests/resources/wait-large.wast: Added. * wasm/threads-spec-tests/wait-large.wast.js: Added. Source/JavaScriptCore: While JS Atomics.wait's argument is "index" in the typed-array, argument of wasm wait and notify is address. But we are handling it as an index incorrectly. This patch uses it as an address. * wasm/WasmOperations.cpp: (JSC::Wasm::JSC_DEFINE_JIT_OPERATION): Canonical link: https://commits.webkit.org/235266@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@274399 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Mar 14, 2021 · b0346165f025511bab8aa2eaedfb95e19b3c803c · b034616
1 parent a3566e7
commit b0346165f025511bab8aa2eaedfb95e19b3c803c
Showing 6 changed files with 61 additions and 2 deletions.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,14 @@
+2021-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] wasm atomic wait offset is not index
+        https://bugs.webkit.org/show_bug.cgi?id=223159
+
+        Reviewed by Mark Lam.
+
+        * wasm.yaml:
+        * wasm/threads-spec-tests/resources/wait-large.wast: Added.
+        * wasm/threads-spec-tests/wait-large.wast.js: Added.
+
 2021-03-11  Tadeu Zagallo  <tzagallo@apple.com>
 
         AI validator patchpoint should read heap top

diff --git a/JSTests/wasm.yaml b/JSTests/wasm.yaml
@@ -130,6 +130,8 @@
   cmd: runWebAssemblySpecTest :normal
 - path: wasm/threads-spec-tests/atomic-signed.wast.js
   cmd: runWebAssemblySpecTest :normal
+- path: wasm/threads-spec-tests/wait-large.wast.js
+  cmd: runWebAssemblySpecTest :normal
 
 - path: wasm/spec-tests/address.wast.js
   cmd: runWebAssemblySpecTest :normal

diff --git a/JSTests/wasm/threads-spec-tests/resources/wait-large.wast b/JSTests/wasm/threads-spec-tests/resources/wait-large.wast
@@ -0,0 +1,17 @@
+(module
+  (memory 8192 8192 shared)
+
+  (func (export "init") (param $value i64) (i64.store (i32.const 134217720) (local.get $value)))
+
+  (func (export "memory.atomic.notify") (param $addr i32) (param $count i32) (result i32)
+      (memory.atomic.notify (local.get 0) (local.get 1)))
+  (func (export "memory.atomic.wait32") (param $addr i32) (param $expected i32) (param $timeout i64) (result i32)
+      (memory.atomic.wait32 (local.get 0) (local.get 1) (local.get 2)))
+  (func (export "memory.atomic.wait64") (param $addr i32) (param $expected i64) (param $timeout i64) (result i32)
+      (memory.atomic.wait64 (local.get 0) (local.get 1) (local.get 2)))
+)
+
+(invoke "init" (i64.const 0xffffffffffff))
+(assert_return (invoke "memory.atomic.wait32" (i32.const 134217720) (i32.const 0) (i64.const 0)) (i32.const 1))
+(assert_return (invoke "memory.atomic.wait64" (i32.const 134217720) (i64.const 0) (i64.const 0)) (i32.const 1))
+(assert_return (invoke "memory.atomic.notify" (i32.const 134217720) (i32.const 0)) (i32.const 0))
diff --git a/JSTests/wasm/threads-spec-tests/wait-large.wast.js b/JSTests/wasm/threads-spec-tests/wait-large.wast.js
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2021-03-14  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] wasm atomic wait offset is not index
+        https://bugs.webkit.org/show_bug.cgi?id=223159
+
+        Reviewed by Mark Lam.
+
+        While JS Atomics.wait's argument is "index" in the typed-array, argument of wasm wait and notify is address.
+        But we are handling it as an index incorrectly.
+        This patch uses it as an address.
+
+        * wasm/WasmOperations.cpp:
+        (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
+
 2021-03-13  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, reverting r274379.

diff --git a/Source/JavaScriptCore/wasm/WasmOperations.cpp b/Source/JavaScriptCore/wasm/WasmOperations.cpp
@@ -866,7 +866,7 @@ JSC_DEFINE_JIT_OPERATION(operationMemoryAtomicWait32, int32_t, (Instance* instan
         return -1;
     if (!vm.m_typedArrayController->isAtomicsWaitAllowedOnCurrentThread())
         return -1;
-    uint32_t* pointer = bitwise_cast<uint32_t*>(instance->memory()->memory()) + offsetInMemory;
+    uint32_t* pointer = bitwise_cast<uint32_t*>(bitwise_cast<uint8_t*>(instance->memory()->memory()) + offsetInMemory);
     return wait<uint32_t>(vm, pointer, value, timeoutInNanoseconds);
 }
 
@@ -884,7 +884,7 @@ JSC_DEFINE_JIT_OPERATION(operationMemoryAtomicWait64, int32_t, (Instance* instan
         return -1;
     if (!vm.m_typedArrayController->isAtomicsWaitAllowedOnCurrentThread())
         return -1;
-    uint64_t* pointer = bitwise_cast<uint64_t*>(instance->memory()->memory()) + offsetInMemory;
+    uint64_t* pointer = bitwise_cast<uint64_t*>(bitwise_cast<uint8_t*>(instance->memory()->memory()) + offsetInMemory);
     return wait<uint64_t>(vm, pointer, value, timeoutInNanoseconds);
 }