Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d612721aa438aac866eb2a46fd95bf866dc5bdb8
https://github.com/WebKit/WebKit/commit/d612721aa438aac866eb2a46fd95bf866dc5bdb8
Author: Keith Miller <keith_mil...@apple.com>
Date: 2024-09-10 (Tue, 10 Sep 2024)
Changed paths:
M JSTests/wasm/function-references/ref_types.js
M JSTests/wasm/gc/arrays.js
M JSTests/wasm/gc/i31.js
M JSTests/wasm/gc/js-api.js
M JSTests/wasm/gc/structs.js
M JSTests/wasm/references/table_js_api.js
A JSTests/wasm/regress/js-table-bad-set-type.js
M JSTests/wasm/v8/js-api.js
M Source/JavaScriptCore/wasm/WasmOperationsInlines.h
M Source/JavaScriptCore/wasm/WasmTable.cpp
M Source/JavaScriptCore/wasm/WasmTable.h
M Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h
M Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp
M Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h
M Source/JavaScriptCore/wasm/js/WebAssemblyExceptionConstructor.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
M Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h
M Source/JavaScriptCore/wasm/js/WebAssemblyTablePrototype.cpp
Log Message:
-----------
WebAssembly.Table prototype functions need to do subtype checks
https://bugs.webkit.org/show_bug.cgi?id=279444
rdar://134785807
Reviewed by Yusuke Suzuki.
Table.prototype.set/grow don't check that the value they are inserting into the
table is actually a subtype of the
funcref table's actual type. This patch fixes that. I also moved some of the
verification logic into the table itself
rather than in the prototype function. This seems like a better abstraction
since the checks are now done by the table
instead of any caller.
Also, convert a bunch of the RELEASE_ASSERTs into ASSERTs since they're
unlikely be hit in practice at this point and
some of them e.g. isSubtype, could be reasonably expensive to do at runtime.
* JSTests/wasm/function-references/ref_types.js:
(async testRefTypesInTables):
* JSTests/wasm/gc/arrays.js:
* JSTests/wasm/gc/i31.js:
(testI31Table):
* JSTests/wasm/gc/js-api.js:
* JSTests/wasm/gc/structs.js:
* JSTests/wasm/references/table_js_api.js:
(async testTableGrowForFuncrefTables):
(async testTableSetForFuncrefTables):
* JSTests/wasm/regress/js-table-bad-set-type.js: Added.
(async test):
* JSTests/wasm/v8/js-api.js:
* Source/JavaScriptCore/wasm/WasmOperationsInlines.h:
(JSC::Wasm::tableSet):
* Source/JavaScriptCore/wasm/WasmTable.cpp:
(JSC::Wasm::Table::copy):
(JSC::Wasm::Table::clear):
(JSC::Wasm::Table::set):
(JSC::Wasm::Table::get const):
(JSC::Wasm::FuncRefTable::setFunction):
(JSC::Wasm::FuncRefTable::copyFunction):
(JSC::Wasm::FuncRefTable::clear):
(JSC::Wasm::FuncRefTable::set):
* Source/JavaScriptCore/wasm/WasmTable.h:
* Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h:
(JSC::toWebAssemblyValue):
(JSC::fromJSValue): Deleted.
* Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::get):
(JSC::JSWebAssemblyTable::set):
(JSC::JSWebAssemblyTable::clear):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyExceptionConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h:
(JSC::WebAssemblyFunctionBase::type const):
* Source/JavaScriptCore/wasm/js/WebAssemblyTablePrototype.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
Canonical link: https://commits.webkit.org/283434@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
