Context Navigation

← Previous Changeset
Next Changeset →

Changeset 293252 in webkit

Timestamp:

Apr 22, 2022 1:58:51 PM (3 months ago)

Author:

commit-queue@webkit.org

Message:

[JSC]Throw consistent exceptions for memory.init and memory.copy
https://bugs.webkit.org/show_bug.cgi?id=239592

Patch by Geza Lore <Geza Lore> on 2022-04-22
Reviewed by Yusuke Suzuki.

For a trapping Wasm memory.init and memory.copy instruction, the LLInt
used to throw OutOfBoundsMemoryAccess, but BBQ/OMG used to throw
OutOfBoundsTableAccess.

Changed BBQ/OMG to throw OutOfBoundsMemoryAccess as well.

wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::addMemoryCopy):
(JSC::Wasm::AirIRGenerator::addMemoryInit):

wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::addMemoryInit):
(JSC::Wasm::B3IRGenerator::addMemoryCopy):

Location:

trunk/Source/JavaScriptCore

Files:

: 3 edited

ChangeLog (modified) (1 diff)
wasm/WasmAirIRGenerator.cpp (modified) (2 diffs)
wasm/WasmB3IRGenerator.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/ChangeLog

-                      r293220
+                      r293252
+-04-22  Geza Lore  <glore@igalia.com>
+        [JSC]Throw consistent exceptions for memory.init and memory.copy
+        https://bugs.webkit.org/show_bug.cgi?id=239592
+        Reviewed by Yusuke Suzuki.
+        For a trapping Wasm memory.init and memory.copy instruction, the LLInt
+        used to throw OutOfBoundsMemoryAccess, but BBQ/OMG used to throw
+        OutOfBoundsTableAccess.
+        Changed BBQ/OMG to throw OutOfBoundsMemoryAccess as well.
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::addMemoryCopy):
+        (JSC::Wasm::AirIRGenerator::addMemoryInit):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addMemoryInit):
+        (JSC::Wasm::B3IRGenerator::addMemoryCopy):
 -04-22  Mark Lam  <mark.lam@apple.com>

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

-                      r292773
+                      r293252
         return Inst(BranchTest32, nullptr, Arg::resCond(MacroAssembler::Zero), result, result);
     }, [=, this] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
         this->emitThrowException(jit, ExceptionType::OutOfBoundsTableAccess);
+        this->emitThrowException(jit, ExceptionType::OutOfBoundsMemoryAccess);
     });
 …
         return Inst(BranchTest32, nullptr, Arg::resCond(MacroAssembler::Zero), result, result);
     }, [=, this] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
         this->emitThrowException(jit, ExceptionType::OutOfBoundsTableAccess);
+        this->emitThrowException(jit, ExceptionType::OutOfBoundsMemoryAccess);
     });

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

-                      r292773
+                      r293252
         check->setGenerator([=, this] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
             this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsTableAccess);
+            this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsMemoryAccess);
         });
+    }
 …
         check->setGenerator([=, this] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
             this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsTableAccess);
+            this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsMemoryAccess);
         });
+    }

Note: See TracChangeset for help on using the changeset viewer.