NaNs read from Wasm code needs to be be purified.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Nov 2018 20:06:30 +0000 (20:06 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Nov 2018 20:06:30 +0000 (20:06 +0000)
https://bugs.webkit.org/show_bug.cgi?id=191056
<rdar://problem/45660341>

Reviewed by Filip Pizlo.

JSTests:

* wasm/regress/regress-191056.js: Added.

Source/JavaScriptCore:

* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::WebAssemblyModuleRecord::link):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238509 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/wasm/regress/regress-191056.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

index 6e35377..6a0e763 100644 (file)
@@ -1,3 +1,13 @@
+2018-11-26  Mark Lam  <mark.lam@apple.com>
+
+        NaNs read from Wasm code needs to be be purified.
+        https://bugs.webkit.org/show_bug.cgi?id=191056
+        <rdar://problem/45660341>
+
+        Reviewed by Filip Pizlo.
+
+        * wasm/regress/regress-191056.js: Added.
+
 2018-11-26  Michael Saboff  <msaboff@apple.com>
 
         32-bit JSC test failure: stress/regexp-compile-oom.js
diff --git a/JSTests/wasm/regress/regress-191056.js b/JSTests/wasm/regress/regress-191056.js
new file mode 100644 (file)
index 0000000..d9bd772
--- /dev/null
@@ -0,0 +1,15 @@
+var importObject = {
+    env: {
+        print_number: function (number) {
+            print('[+] importObject callback.');
+            print(number);
+        }
+    }
+};
+var wasmCode = new Uint8Array([0x0,0x61,0x73,0x6d,0x1,0x0,0x0,0x0,0x1,0x7,0x1,0x60,0x2,0x7e,0x7f,0x1,0x7f,0x3,0x2,0x1,0x0,0x4,0x4,0x1,0x70,0x0,0x4,0x6,0x2e,0x5,0x7f,0x0,0x41,0x2a,0xb,0x7d,0x0,0x43,0x74,0x0,0x0,0x4d,0xb,0x7c,0x0    ,0x44,0x83,0x88,0x88,0x00,0x0,0x0,0xff,0xff,0xb,0x7d,0x0,0x43,0x0,0x0,0x9,0x7f,0xb,0x7c,0x0,0x44,0x0,0x3c,0x0,0x0,0x0,0x0,0xf8,0x7f,0xb,0x7,0x40,0x7,0x5,0x74,0x61,0x62,0x3f,0x45,0x1,0x0,0x3,0x7d,0x75,0x6d,0x0,0x0,0x6,0x61,0x3d,    0x22,0x0,0xd,0x72,0x3,0x0,0x7,0x4f,0x7c,0x68,0x77,0x65,0x20,0x31,0x3,0x1,0x7,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x3,0x2,0x7,0x61,0x6e,0x73,0x77,0x65,0x72,0x3c,0x3,0x3,0x7,0x61,0x6e,0x73,0x77,0x65,0x72,0x34,0x3,0x4,0x9,0x7,0x1,0x0,0x41,0x0,0xb,0x1,0x0,0xa,0x9,0x1,0x7,0x0,0x20,0x1,0x0,0x1,0x0,0xb,]);
+var wasmModule = new WebAssembly.Module(wasmCode);
+var wasmInstance = new WebAssembly.Instance(wasmModule, importObject);
+
+var res = wasmInstance.exports.AAAAAAA;
+res = res + 'string';
+
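Review bot: The test passes only by not crashing and asserts nothing — `res = res + 'string';` on the last lines computes a value and discards it. Decoding the global section of the module bytes, export `AAAAAAA` (kind 3, index 2) appears to be an f64 constant whose bit pattern is a NaN (exponent all ones, non-zero mantissa), so the coerced result should be the string `'NaNstring'`; pinning that with `if (res !== 'NaNstring') throw new Error("unexpected: " + res);` would still catch a lost purification in release builds, where no assertion fires and the value is merely mis-decoded. The `print_number` import is never reached, since the module has no import section, so `importObject` is harness noise that could be reduced to `{}`.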
index f633094..418f48b 100644 (file)
@@ -1,3 +1,14 @@
+2018-11-26  Mark Lam  <mark.lam@apple.com>
+
+        NaNs read from Wasm code needs to be be purified.
+        https://bugs.webkit.org/show_bug.cgi?id=191056
+        <rdar://problem/45660341>
+
+        Reviewed by Filip Pizlo.
+
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::link):
+
 2018-11-26  Tadeu Zagallo  <tzagallo@apple.com>
 
         ASSERTION FAILED: m_outOfLineJumpTargets.contains(bytecodeOffset)
index 39a66fa..ec3c497 100644 (file)
@@ -388,11 +388,11 @@ void WebAssemblyModuleRecord::link(ExecState* exec, JSValue, JSObject* importObj
                 return;
 
             case Wasm::F32:
-                exportedValue = JSValue(m_instance->instance().loadF32Global(exp.kindIndex));
+                exportedValue = jsNumber(purifyNaN(m_instance->instance().loadF32Global(exp.kindIndex)));
                 break;
 
             case Wasm::F64:
-                exportedValue = JSValue(m_instance->instance().loadF64Global(exp.kindIndex));
+                exportedValue = jsNumber(purifyNaN(m_instance->instance().loadF64Global(exp.kindIndex)));
                 break;
 
             default:
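Review bot: The two rewritten `exportedValue = jsNumber(purifyNaN(...))` lines (F32 and F64 cases) carry no explanation of why the loaded global must pass through purifyNaN, and nothing in the surrounding switch makes it obvious, so the call is at risk of being "simplified" away later. A one-line comment above the F32 case would keep the intent, e.g. `// Wasm globals may hold any NaN bit pattern; JSValue's NaN-boxing admits only the canonical NaN, so purify before wrapping.` It is also worth confirming that other readers of loadF32Global/loadF64Global outside this link path (runtime global access, if any) purify in the same way, since an impure NaN reaching a JSValue can be decoded as something other than a double rather than just tripping a debug assertion. link's body starts and ends outside the hunk.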