1482365 - Crashing testcase in compiled code with anyref

Status: RESOLVED FIXED

(Core :: JavaScript: WebAssembly, defect)

Description

[Benjamin Bouvier [:bbouvier] (inactive)]

On x64:

exports = wasmEvalText(`(module
    (global (mut anyref) (ref.null anyref))
    (func (export "f")
        get_global 0
        ref.null anyref
        set_global 0
        set_global 0
    )
)`).exports;

exports.f();

Comment 1

[Benjamin Bouvier [:bbouvier] (inactive)]

Attachment: fix.patch

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8999145 [details] [diff] [review]
fix.patch

Review of attachment 8999145 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/wasm/WasmBaselineCompile.cpp
@@ +5670,5 @@
>      void emitPostBarrier(const Maybe<RegPtr>& object, RegPtr otherScratch, RegPtr valueAddr, RegPtr setValue) {
>          Label skipBarrier;
>  
> +        // One of the branch (in case we need the C++ call) will cause a sync,
> +        // so ensure the stack is sync'd before, so as the join is sync'd too.

oh my god, me can't speak English.

branch => branches
so as => so that

Comment 3

[Lars T Hansen [:lth]]

Comment on attachment 8999145 [details] [diff] [review]
fix.patch

Review of attachment 8999145 [details] [diff] [review]:
-----------------------------------------------------------------

OK.  This footgun is super annoying, I'm thinking of maybe requiring some AutoThing to be passed to emitInstanceCall to at least flag it.  "AutoDidYouRememberToSyncAlongAllBranches", maybe.

Comment 4

[Pulsebot]

Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/e574b6c899c1
Sync stack before branching in wasm baseline compiler's emitSetGlobal; r=lth

Comment 5

[Narcis Beleuzu [:NarcisB]]

https://hg.mozilla.org/mozilla-central/rev/e574b6c899c1