WebAssembly: Fix issue with BrTable targeting a Loop
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 8 Apr 2017 05:30:47 +0000 (05:30 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 8 Apr 2017 05:30:47 +0000 (05:30 +0000)
https://bugs.webkit.org/show_bug.cgi?id=170638

Reviewed by Saam Barati.

This fixes the same issue V8 had in: https://github.com/WebAssembly/spec/pull/456#event-1033547537

* wasm/WasmValidate.cpp:
(JSC::Wasm::Validate::ControlData::branchTargetSignature):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@215141 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/wasm/WasmValidate.cpp

index 8e3b22e..88671c1 100644 (file)
@@ -1,5 +1,17 @@
 2017-04-07  Keith Miller  <keith_miller@apple.com>
 
+        WebAssembly: Fix issue with BrTable targeting a Loop
+        https://bugs.webkit.org/show_bug.cgi?id=170638
+
+        Reviewed by Saam Barati.
+
+        This fixes the same issue V8 had in: https://github.com/WebAssembly/spec/pull/456#event-1033547537
+
+        * wasm/WasmValidate.cpp:
+        (JSC::Wasm::Validate::ControlData::branchTargetSignature):
+
+2017-04-07  Keith Miller  <keith_miller@apple.com>
+
         Add a PriorityQueue class
         https://bugs.webkit.org/show_bug.cgi?id=170579
 
index d949819..dd283ea 100644 (file)
@@ -71,6 +71,7 @@ public:
 
         BlockType type() const { return m_blockType; }
         Type signature() const { return m_signature; }
+        Type branchTargetSignature() const { return type() == BlockType::Loop ? Void : signature(); }
     private:
         BlockType m_blockType;
         Type m_signature;
@@ -265,18 +266,15 @@ auto Validate::addReturn(ControlType& topLevel, const ExpressionList& returnValu
 }
 
 auto Validate::checkBranchTarget(ControlType& target, const ExpressionList& expressionStack) -> Result
-    {
-        if (target.type() == BlockType::Loop)
-            return { };
-
-        if (target.signature() == Void)
-            return { };
+{
+    if (target.branchTargetSignature() == Void)
+        return { };
 
-        WASM_VALIDATOR_FAIL_IF(expressionStack.isEmpty(), target.type() == BlockType::TopLevel ? "branch out of function" : "branch to block", " on empty expression stack, but expected ", target.signature());
-        WASM_VALIDATOR_FAIL_IF(target.signature() != expressionStack.last(), "branch's stack type doesn't match block's type");
+    WASM_VALIDATOR_FAIL_IF(expressionStack.isEmpty(), target.type() == BlockType::TopLevel ? "branch out of function" : "branch to block", " on empty expression stack, but expected ", target.signature());
+    WASM_VALIDATOR_FAIL_IF(target.branchTargetSignature() != expressionStack.last(), "branch's stack type doesn't match block's type");
 
-        return { };
-    }
+    return { };
+}
 
 auto Validate::addBranch(ControlType& target, ExpressionType condition, const ExpressionList& stack) -> Result
 {
@@ -290,7 +288,7 @@ auto Validate::addSwitch(ExpressionType condition, const Vector<ControlData*>& t
     WASM_VALIDATOR_FAIL_IF(condition != I32, "br_table with non-i32 condition ", condition);
 
     for (auto target : targets)
-        WASM_VALIDATOR_FAIL_IF(defaultTarget.signature() != target->signature(), "br_table target type mismatch");
+        WASM_VALIDATOR_FAIL_IF(defaultTarget.branchTargetSignature() != target->branchTargetSignature(), "br_table target type mismatch");
 
     return checkBranchTarget(defaultTarget, expressionStack);
 }