Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: afc44e359ac3bae0506832f52a4b691f7d3c28cf
      
https://github.com/WebKit/WebKit/commit/afc44e359ac3bae0506832f52a4b691f7d3c28cf
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-05-07 (Thu, 07 May 2026)

  Changed paths:
    A JSTests/wasm/stress/memory64-atomic-notify-out-of-bounds.js
    M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp

  Log Message:
  -----------
[JSC] IPInt slow path for `memory.atomic.notify` truncates the Memory64 pointer and offset to 32 bits
https://bugs.webkit.org/show_bug.cgi?id=314260

Reviewed by Keith Miller.

The IPInt assembly pushes the i64 address operand and the 64-bit immediate
offset to the stack as full 64-bit values, but the C++ slow path reads them
back through the `.i32` member of the IPIntStackEntry union, dropping the
upper 32 bits. For Memory64, an out-of-bounds address such as 2^32 truncates
to 0 and the bounds check is fooled into accepting it.

Test: JSTests/wasm/stress/memory64-atomic-notify-out-of-bounds.js

* JSTests/wasm/stress/memory64-atomic-notify-out-of-bounds.js: Added.
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:
(JSC::IPInt::WASM_IPINT_EXTERN_CPP_DECL):

Canonical link: https://commits.webkit.org/312831@main
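As an added illustration (not WebKit code and not the patch from this commit), the C sketch below reproduces the class of defect the commit message describes: a 64-bit operand is pushed into a union-typed stack slot, read back through its 32-bit view, and a bounds check on the truncated value accepts an address that should be rejected. The union here is a constructed stand-in; the member name `i32` comes from the message above, `i64`, the 64 KiB memory size and the little-endian layout are assumptions of this example. The fixed variant reads the full 64-bit values and also guards the address-plus-offset addition against wrap-around, which a 32-bit read would never have surfaced.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a 64-bit interpreter stack slot with overlapping
 * 32-bit and 64-bit views. Only the names are modelled on the message above;
 * the real IPIntStackEntry layout is not reproduced here (assumption). */
typedef union {
    uint32_t i32;   /* low 32 bits on a little-endian host (assumption) */
    uint64_t i64;   /* full 64-bit value as pushed by the interpreter */
} StackEntry;

/* Size of the linear memory used for this example: one 64 KiB page. */
#define MEMORY_SIZE ((uint64_t)65536)
/* memory.atomic.notify operates on a 4-byte i32 cell. */
#define ACCESS_WIDTH ((uint64_t)4)

/* Helper: push a 64-bit operand into a slot, as the assembly side does. */
StackEntry push_i64(uint64_t value) {
    StackEntry e;
    e.i64 = value;
    return e;
}

/* Buggy bounds check: the slow path reads the operands through the 32-bit
 * view, so an address of 2^32 becomes 0 and the access is accepted. */
bool notify_in_bounds_buggy(StackEntry addr, StackEntry offset) {
    uint64_t ea = (uint64_t)addr.i32 + (uint64_t)offset.i32;
    return ea + ACCESS_WIDTH <= MEMORY_SIZE;
}

/* Corrected bounds check: read the full 64-bit operands and reject
 * (a) an address + offset sum that would wrap and (b) a cell that does
 * not fit entirely within the memory. */
bool notify_in_bounds_fixed(StackEntry addr, StackEntry offset) {
    uint64_t a = addr.i64;
    uint64_t o = offset.i64;
    if (a > UINT64_MAX - o)                 /* a + o would overflow */
        return false;
    uint64_t ea = a + o;
    if (ea > MEMORY_SIZE - ACCESS_WIDTH)    /* cell must end inside memory */
        return false;
    return true;
}

int main(void) {
    /* Constructed inputs: a valid in-range cell and the 2^32 case from the
     * commit message, which truncates to 0 under the 32-bit view. */
    StackEntry ok_addr = push_i64(8), zero_off = push_i64(0);
    StackEntry oob_addr = push_i64((uint64_t)1 << 32);

    printf("addr=8      buggy=%d fixed=%d\n",
           notify_in_bounds_buggy(ok_addr, zero_off),
           notify_in_bounds_fixed(ok_addr, zero_off));
    printf("addr=2^32   buggy=%d fixed=%d\n",
           notify_in_bounds_buggy(oob_addr, zero_off),
           notify_in_bounds_fixed(oob_addr, zero_off));
    return 0;
}
```

Running it on a little-endian host shows the buggy check returning 1 (accepted) for the 2^32 address while the fixed check returns 0; the in-range address of 8 passes both. The pattern to look for when reviewing similar interpreter slow paths is any place a wider operand is pulled back out of a union through a narrower member before a bounds or length comparison.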
