[JSC] Grown region of WasmTable should be initialized with null
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 16 Jun 2019 22:06:29 +0000 (22:06 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 16 Jun 2019 22:06:29 +0000 (22:06 +0000)
https://bugs.webkit.org/show_bug.cgi?id=198903

Reviewed by Saam Barati.

JSTests:

* wasm/stress/wasm-table-grow-initialize.js: Added.
(shouldBe):

Source/JavaScriptCore:

The grown region of WasmTable is currently left uninitialized. We should initialize it with null.
We also rename Wasm::Table::visitChildren to Wasm::Table::visitAggregate to
align to the naming convention.

* wasm/WasmTable.cpp:
(JSC::Wasm::Table::grow):
(JSC::Wasm::Table::visitAggregate):
(JSC::Wasm::Table::visitChildren): Deleted.
* wasm/WasmTable.h:
* wasm/js/JSWebAssemblyTable.cpp:
(JSC::JSWebAssemblyTable::visitChildren):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@246487 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/wasm/stress/wasm-table-grow-initialize.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/wasm/WasmTable.cpp
Source/JavaScriptCore/wasm/WasmTable.h
Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp

index c64efc7..ffc1cad 100644 (file)
@@ -1,3 +1,13 @@
+2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Grown region of WasmTable should be initialized with null
+        https://bugs.webkit.org/show_bug.cgi?id=198903
+
+        Reviewed by Saam Barati.
+
+        * wasm/stress/wasm-table-grow-initialize.js: Added.
+        (shouldBe):
+
 2019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
 
         Yarr bytecode compilation failure should be gracefully handled
diff --git a/JSTests/wasm/stress/wasm-table-grow-initialize.js b/JSTests/wasm/stress/wasm-table-grow-initialize.js
new file mode 100644 (file)
index 0000000..255635c
--- /dev/null
@@ -0,0 +1,13 @@
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var table = new WebAssembly.Table({
+    element: "anyfunc",
+    initial: 20
+});
+
+table.grow(5)
+for (var i = 0; i < 25; ++i)
+    shouldBe(table.get(i), null);
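Review bot: The return value of `table.grow(5)` is discarded and the call is missing its trailing semicolon, which is inconsistent with the rest of the file; since the JS API returns the previous length, asserting it pins the growth explicitly rather than relying on `get(24)` not throwing, e.g. `shouldBe(table.grow(5), 20);` followed by `shouldBe(table.length, 25);`. The loop that follows then checks that both the original and the grown entries read back as null, which is the point of the fix.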
index b69160b..1326e3a 100644 (file)
@@ -1,3 +1,22 @@
+2019-06-16  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Grown region of WasmTable should be initialized with null
+        https://bugs.webkit.org/show_bug.cgi?id=198903
+
+        Reviewed by Saam Barati.
+
+        Grown region of Wasmtable is now empty. We should initialize it with null.
+        We also rename Wasm::Table::visitChildren to Wasm::Table::visitAggregate to
+        align to the naming convention.
+
+        * wasm/WasmTable.cpp:
+        (JSC::Wasm::Table::grow):
+        (JSC::Wasm::Table::visitAggregate):
+        (JSC::Wasm::Table::visitChildren): Deleted.
+        * wasm/WasmTable.h:
+        * wasm/js/JSWebAssemblyTable.cpp:
+        (JSC::JSWebAssemblyTable::visitChildren):
+
 2019-06-14  Keith Miller  <keith_miller@apple.com>
 
         Restore PAC based cage.
index 1331346..b54645c 100644 (file)
@@ -100,7 +100,7 @@ Optional<uint32_t> Table::grow(uint32_t delta)
     if (!isValidLength(newLength))
         return WTF::nullopt;
 
-    auto checkedGrow = [&] (auto& container) {
+    auto checkedGrow = [&] (auto& container, auto initializer) {
         if (newLengthChecked.unsafeGet() > allocatedLength(m_length)) {
             Checked reallocSizeChecked = allocatedLength(newLengthChecked.unsafeGet());
             reallocSizeChecked *= sizeof(*container.get());
@@ -110,19 +110,21 @@ Optional<uint32_t> Table::grow(uint32_t delta)
             // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
             container.realloc(reallocSize);
         }
-        for (uint32_t i = m_length; i < allocatedLength(newLength); ++i)
+        for (uint32_t i = m_length; i < allocatedLength(newLength); ++i) {
             new (&container.get()[i]) std::remove_reference_t<decltype(*container.get())>();
+            initializer(container.get()[i]);
+        }
         return true;
     };
 
     if (auto* funcRefTable = asFuncrefTable()) {
-        if (!checkedGrow(funcRefTable->m_importableFunctions))
+        if (!checkedGrow(funcRefTable->m_importableFunctions, [] (auto&) { }))
             return WTF::nullopt;
-        if (!checkedGrow(funcRefTable->m_instances))
+        if (!checkedGrow(funcRefTable->m_instances, [] (auto&) { }))
             return WTF::nullopt;
     }
 
-    if (!checkedGrow(m_jsValues))
+    if (!checkedGrow(m_jsValues, [] (WriteBarrier<Unknown>& slot) { slot.setStartingValue(jsNull()); }))
         return WTF::nullopt;
 
     setLength(newLength);
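Review bot: The `slot.setStartingValue(jsNull())` in the initializer passed for m_jsValues deserves a comment explaining why the barrier-free setter is correct, since a reader will expect the usual barriered `set(...)` on a WriteBarrier; `// jsNull() is not a GC cell, so no write barrier is needed for this initial store.` It is also worth stating at the loop that the fill deliberately covers every slot up to allocatedLength(newLength) rather than newLength, because get() below indexes with `index & m_mask` and the slack between the logical length and the allocation must presumably never hold an uninitialized value; `// Initialize the whole allocated region, not just [m_length, newLength): masked indexing may reach the slack.` The no-op initializers for m_importableFunctions and m_instances rely solely on the placement-new value-initialization on the preceding line, which is fine but could be said in a short comment. Table::grow begins before this hunk, so whether an early exit inside checkedGrow can leave the funcref containers grown while m_jsValues is not cannot be judged from here.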
@@ -157,7 +159,7 @@ JSValue Table::get(uint32_t index) const
     return m_jsValues.get()[index & m_mask].get();
 }
 
-void Table::visitChildren(SlotVisitor& visitor)
+void Table::visitAggregate(SlotVisitor& visitor)
 {
     RELEASE_ASSERT(m_owner);
     auto locker = holdLock(m_owner->cellLock());
index 4d57d41..b1e2b5d 100644 (file)
@@ -76,7 +76,7 @@ public:
 
     Optional<uint32_t> grow(uint32_t delta);
 
-    void visitChildren(SlotVisitor&);
+    void visitAggregate(SlotVisitor&);
 
 protected:
     Table(uint32_t initial, Optional<uint32_t> maximum, TableElementType = TableElementType::Anyref);
index e441d0f..c709230 100644 (file)
@@ -80,7 +80,7 @@ void JSWebAssemblyTable::visitChildren(JSCell* cell, SlotVisitor& visitor)
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
     Base::visitChildren(thisObject, visitor);
-    thisObject->table()->visitChildren(visitor);
+    thisObject->table()->visitAggregate(visitor);
 }
 
 bool JSWebAssemblyTable::grow(uint32_t delta)