Call to JSToWasmICCallee::createStructure passes in wrong prototype value
https://bugs.webkit.org/show_bug.cgi?id=197807
<rdar://problem/50530400>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/js-to-wasm-callee-has-correct-prototype.js: Added.
(test.getInstance):
(test):
Source/JavaScriptCore:
We were passing the empty value instead of null. However, the empty
value means the Structure is poly proto. That's definitely not the case
here.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@245203 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 6fdd0a6..2c83cfc 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,15 @@
+2019-05-10 Saam barati <sbarati@apple.com>
+
+ Call to JSToWasmICCallee::createStructure passes in wrong prototype value
+ https://bugs.webkit.org/show_bug.cgi?id=197807
+ <rdar://problem/50530400>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/js-to-wasm-callee-has-correct-prototype.js: Added.
+ (test.getInstance):
+ (test):
+
2019-05-10 Ross Kirsling <ross.kirsling@sony.com>
[Test262] Unreviewed expectations update following r245188.
diff --git a/JSTests/stress/js-to-wasm-callee-has-correct-prototype.js b/JSTests/stress/js-to-wasm-callee-has-correct-prototype.js
new file mode 100644
index 0000000..afba6a8
--- /dev/null
+++ b/JSTests/stress/js-to-wasm-callee-has-correct-prototype.js
@@ -0,0 +1,22 @@
+//@ runDefault("--jitPolicyScale=0", "--useSamplingProfiler=1")
+
+function test() {
+ function getInstance(bytes) {
+ let u8 = Uint8Array.from(bytes, x=>x.charCodeAt(0));
+ let module = new WebAssembly.Module(u8.buffer);
+ return new WebAssembly.Instance(module);
+ }
+
+ let webAsm = getInstance('\0asm\x01\0\0\0\x01\x8E\x80\x80\x80\0\x03`\0\x01\x7F`\0\x01\x7F`\x01\x7F\x01\x7F\x03\x88\x80\x80\x80\0\x07\0\0\0\x01\x01\x02\x02\x04\x85\x80\x80\x80\0\x01p\x01\x07\x07\x07\x91\x80\x80\x80\0\x02\x05callt\0\x05\x05callu\0\x06\t\x8D\x80\x80\x80\0\x01\0A\0\x0B\x07\0\x01\x02\x03\x04\0\x02\nÆ\x80\x80\x80\0\x07\x84\x80\x80\x80\0\0A\x01\x0B\x84\x80\x80\x80\0\0A\x02\x0B\x84\x80\x80\x80\0\0A\x03\x0B\x84\x80\x80\x80\0\0A\x04\x0B\x84\x80\x80\x80\0\0A\x05\x0B\x87\x80\x80\x80\0\0 \0\x11\0\0\x0B\x87\x80\x80\x80\0\0 \0\x11\x01\0\x0B');
+
+ for (let j = 0; j < 1000; j++) {
+ try {
+ webAsm.exports.callt(-1);
+ } catch(e) {}
+ }
+
+ samplingProfilerStackTraces();
+}
+
+if (this.WebAssembly)
+ test();
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 66f5412..b3ecb66 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2019-05-10 Saam barati <sbarati@apple.com>
+
+ Call to JSToWasmICCallee::createStructure passes in wrong prototype value
+ https://bugs.webkit.org/show_bug.cgi?id=197807
+ <rdar://problem/50530400>
+
+ Reviewed by Yusuke Suzuki.
+
+ We were passing the empty value instead of null. However, the empty
+ value means the Structure is poly proto. That's definitely not the case
+ here.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+
2019-05-10 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] String substring operation should return ropes consistently
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
index 64d468e..d2aab78 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
@@ -1062,7 +1062,7 @@
});
m_jsToWasmICCalleeStructure.initLater(
[] (const Initializer<Structure>& init) {
- init.set(JSToWasmICCallee::createStructure(init.vm, init.owner, JSValue()));
+ init.set(JSToWasmICCallee::createStructure(init.vm, init.owner, jsNull()));
});
m_webAssemblyWrapperFunctionStructure.initLater(
[] (const Initializer<Structure>& init) {
