Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 96c9f5ec6fc9e67ab774134d40d1f22f7e47dad1
https://github.com/WebKit/WebKit/commit/96c9f5ec6fc9e67ab774134d40d1f22f7e47dad1
Author: Ruthvik Konda <[email protected]>
Date: 2026-03-12 (Thu, 12 Mar 2026)
Changed paths:
A LayoutTests/fast/webgpu/nocrash/fuzz-172084012-expected.txt
A LayoutTests/fast/webgpu/nocrash/fuzz-172084012.html
M Source/WebGPU/WGSL/GlobalVariableRewriter.cpp
M Source/WebGPU/WGSL/WGSL.cpp
Log Message:
-----------
[WGSL] Override validation crashes when expression is wrapped in __pack by GlobalVariableRewriter
https://bugs.webkit.org/show_bug.cgi?id=309752
rdar://172084012

Reviewed by Tadeu Zagallo.

Set `resolvedTarget` on `__pack`/`__unpack` wrapper `CallExpression`s
created by `GlobalVariableRewriter::pack()`, and guard the struct
constructor path in `evaluate()` behind a null `resolvedTarget` check.

`pack()` registers an override validation lambda that captures
`&expression` by reference. When `visitAndReplace` subsequently wraps
the expression in `__pack(...)` (because the assignment target is a
packed storage buffer), the lambda's reference points to the wrapper
instead of the original. The `__pack` wrapper has null
`resolvedTarget()` and the same struct `inferredType()` as the
original, so `evaluate()` mistakenly enters the struct constructor
path, creating a nested `ConstantStruct` that crashes in
`convertValueImpl`.

* LayoutTests/fast/webgpu/nocrash/fuzz-172084012-expected.txt: Added.
* LayoutTests/fast/webgpu/nocrash/fuzz-172084012.html: Added.
* Source/WebGPU/WGSL/GlobalVariableRewriter.cpp:
(WGSL::RewriteGlobalVariables::pack):
* Source/WebGPU/WGSL/WGSL.cpp:
(WGSL::evaluate):

Canonical link: https://commits.webkit.org/309156@main
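
A simplified C++ model of the failure described in the log message above, added here as an illustration and not WebKit's code. `Expr`, `evaluateDepth`, `wrapInPack` and `runScenario` are hypothetical names, and both the in-place node replacement and the pass-through evaluation of the wrapper are assumptions of the model.

```cpp
#include <algorithm>
#include <functional>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for an AST call expression (not WebKit's type).
struct Expr {
    std::string inferredType;     // struct name, or "i32" for a literal
    bool resolvedTarget = false;  // false models a null resolvedTarget()
    std::vector<Expr> args;
};

// Returns the struct nesting depth of the constant built for `e`.
int evaluateDepth(const Expr& e, bool guardOnResolvedTarget) {
    if (e.inferredType == "i32")
        return 0;
    // Assumption of this model: a call with a resolved target is a function
    // call whose constant value is that of its single argument.
    if (guardOnResolvedTarget && e.resolvedTarget)
        return evaluateDepth(e.args.at(0), guardOnResolvedTarget);
    int depth = 0;  // struct constructor path: every argument becomes a field
    for (const Expr& arg : e.args)
        depth = std::max(depth, evaluateDepth(arg, guardOnResolvedTarget));
    return depth + 1;
}

// Replaces the node in place, so existing references now see the wrapper.
void wrapInPack(Expr& slot, bool setResolvedTarget) {
    Expr inner = std::move(slot);
    Expr wrapper{inner.inferredType, setResolvedTarget, {}};
    wrapper.args.push_back(std::move(inner));
    slot = std::move(wrapper);
}

int runScenario(bool fixed) {
    Expr expression{"S", false, {Expr{"i32"}, Expr{"i32"}}};
    // The validator captures the node by reference before the rewrite.
    std::function<int()> validate = [&expression, fixed] {
        return evaluateDepth(expression, fixed);
    };
    wrapInPack(expression, fixed);
    return validate();
}

int main() {
    std::cout << runScenario(false) << " " << runScenario(true) << "\n";
}
```

Without the resolved target and the guard, the validator sees the wrapper as a second struct constructor and builds a struct nested inside itself (depth 2); with both in place it evaluates the original flat struct (depth 1).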