The Wasm JS string builtin 'equals' does not accept 'null' arguments
Categories
(Core :: JavaScript: WebAssembly, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox133 | --- | fixed |
People
(Reporter: sjrdoeraene, Assigned: rhunt)
References
(Blocks 2 open bugs)
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Steps to reproduce:
Either unzip the attached bug.zip file to a directory, or recreate the files as follows:
index.html:
<html>
<head>
<title>Bug</title>
</head>
<body>
<script type=module src="./bug.js"></script>
</body>
</html>
bug.js
const options = {
builtins: ["js-string"],
};
const instantiated = await WebAssembly.instantiateStreaming(
fetch("./bug.wasm"), {}, options
);
const instance = instantiated.instance;
console.log(instance);
const { equalsBridge } = instance.exports;
function test(f) {
try {
console.log(f());
} catch (e) {
console.log(e);
}
}
test(() => equalsBridge("foobar", "foobar")); // 1, OK
test(() => equalsBridge("foobar", "barfoo")); // 0, OK
test(() => equalsBridge("foobar", null)); // bad cast, should be 0
test(() => equalsBridge(null, "foobar")); // bad cast, should be 0
test(() => equalsBridge(null, null)); // bad cast, should be 1
bug.wat
(module
(type $equalsType (func (param externref) (param externref) (result i32)))
(import "wasm:js-string" "equals" (func $equals (type $equalsType)))
(func (export "equalsBridge") (param $a externref) (param $b externref) (result i32)
local.get $a
local.get $b
call $equals))
and compile to bug.wasm.
Then
- In Firefox's
about:configpage, turn on the optionjavascript.options.wasm_js_string_builtins - Start a local web server in the given directory (e.g., with
npx http-server) - Open
http://127.0.0.1:8080/(or another appropriate URL depending on the web server used) - Open the console
- Observe results
Actual results:
The following output is logged:
1 bug.js:13:13
0 bug.js:13:13
RuntimeError: bad cast
<anonymous> http://127.0.0.1:8080/bug.js:21
test http://127.0.0.1:8080/bug.js:13
<anonymous> http://127.0.0.1:8080/bug.js:21
bug.js:15:13
RuntimeError: bad cast
<anonymous> http://127.0.0.1:8080/bug.js:22
test http://127.0.0.1:8080/bug.js:13
<anonymous> http://127.0.0.1:8080/bug.js:22
bug.js:15:13
RuntimeError: bad cast
<anonymous> http://127.0.0.1:8080/bug.js:23
test http://127.0.0.1:8080/bug.js:13
<anonymous> http://127.0.0.1:8080/bug.js:23
bug.js:15:13
The 3 exceptions are incorrect. equals is supposed to accept null arguments.
Expected results:
1
0
0
0
1
Indeed, the spec of the JS string builtin for equals (https://github.com/WebAssembly/js-string-builtins/blob/main/proposals/js-string-builtins/Overview.md#wasmjs-string-equals) deliberately accepts null arguments.
(For the record, and as some validation that my interpretation of the spec is accurate, V8 behaves as expected.)
|
Reporter | |
Updated•1 year ago
|
|
||
Comment 1•1 year ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::JavaScript: WebAssembly' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
|
||
Updated•1 year ago
|
|
Assignee | |
Comment 2•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Comment 4•1 year ago
|
||
Backed out for causing failures at shadowrealm.html.
Backout link: https://hg.mozilla.org/integration/autoland/rev/00403b194b93a289793876ec885d52b45ed2851c
Failure log: https://treeherder.mozilla.org/logviewer?job_id=478243672&repo=autoland&lineNumber=23442
|
||
Comment 6•1 year ago
|
||
| bugherder | ||
Description
•