Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a0d2eebf9e1306df75e2adedb700d32e4c5a0ca2
      
https://github.com/WebKit/WebKit/commit/a0d2eebf9e1306df75e2adedb700d32e4c5a0ca2
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-06-09 (Tue, 09 Jun 2026)

  Changed paths:
    A JSTests/wasm/stress/memory32-atomics-pointer-upper-bits.js
    A JSTests/wasm/stress/memory32-grow-upper-bits.js
    M Source/JavaScriptCore/llint/InPlaceInterpreter64.asm
    M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp

  Log Message:
  -----------
[JSC][Wasm] IPInt memory.atomic.notify/wait and memory.grow mishandle dirty upper bits of i32 operands
https://bugs.webkit.org/show_bug.cgi?id=316507

Reviewed by Yusuke Suzuki.

In IPInt, an i32 value's stack slot is not guaranteed to have zeroed
upper bits because i32.wrap_i64 is a no-op, so consumers reading a
slot as 64 bits must normalize it to the low 32 bits, the way
popMemoryIndex does with zxi2q.

Four sites read the full 64-bit slot for a memory32 operand without
normalizing: the memory.atomic.notify and memory.grow C++ slow paths,
and the memory.atomic.wait32/wait64 assembly fast paths. As a result,
an in-bounds address (or a valid grow delta) with dirty upper bits is
wrongly rejected. The notify case is a regression from 312831@main,
which fixed the opposite Memory64 truncation bug; the others are
pre-existing.

Fix notify and grow in C++ with the same isMemory64() check as
memory.init/copy/fill. Fix wait32/wait64 in assembly because the slow
path receives the pointer with the offset already added, which is too
late to normalize.

Tests: JSTests/wasm/stress/memory32-atomics-pointer-upper-bits.js
       JSTests/wasm/stress/memory32-grow-upper-bits.js

* JSTests/wasm/stress/memory32-atomics-pointer-upper-bits.js: Added.
* JSTests/wasm/stress/memory32-grow-upper-bits.js: Added.
* Source/JavaScriptCore/llint/InPlaceInterpreter64.asm:
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:
(JSC::IPInt::WASM_IPINT_EXTERN_CPP_DECL):

Canonical link: https://commits.webkit.org/314871@main
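As an added example (not part of this commit or of WebKit's own test files): a hand-assembled Wasm module whose memory.grow delta comes from i32.wrap_i64 of a 64-bit value with garbage upper bits, run on whatever engine hosts the script, plus a small model of the 64-bit-slot read the message describes and the isMemory64 normalization it adds. The module bytes and the names growWithDirtyUpperBits, deltaPagesFromSlot and growIsAccepted are constructed here and are not JSC's code.

```javascript
// Hand-assembled module (constructed for this example), WAT equivalent:
//   (module
//     (memory (export "mem") 1 10)
//     (func (export "growDirty") (param i64) (result i32)
//       local.get 0  i32.wrap_i64  memory.grow))
// An i64 with garbage upper bits fed through i32.wrap_i64 is exactly the shape
// that leaves "dirty upper bits" in an i32 slot when the wrap is a no-op.
const section = (id, payload) => [id, payload.length, ...payload]; // payloads < 128 bytes
const str = (s) => [s.length, ...Array.from(s, (c) => c.charCodeAt(0))];
const moduleBytes = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic, version 1
  ...section(1, [0x01, 0x60, 0x01, 0x7e, 0x01, 0x7f]),  // type 0: (i64) -> i32
  ...section(3, [0x01, 0x00]),                          // func 0 has type 0
  ...section(5, [0x01, 0x01, 0x01, 0x0a]),              // memory 0: min 1, max 10 pages
  ...section(7, [0x02, ...str("mem"), 0x02, 0x00,       // export memory 0 as "mem"
                 ...str("growDirty"), 0x00, 0x00]),     // export func 0 as "growDirty"
  ...section(10, [0x01, 0x07, 0x00,                     // 1 body, 7 bytes, no locals
    0x20, 0x00, 0xa7, 0x40, 0x00, 0x0b]),               // local.get 0; i32.wrap_i64; memory.grow 0; end
]);

// Fresh instance per call; returns [memory.grow result, pages afterwards].
// A correct engine must see only the low 32 bits of delta64 as the delta.
function growWithDirtyUpperBits(delta64) {
  const { exports } = new WebAssembly.Instance(new WebAssembly.Module(moduleBytes));
  const result = exports.growDirty(BigInt.asUintN(64, delta64));
  return [result, exports.mem.buffer.byteLength / 65536];
}

// Model of the slow-path operand read the commit describes (not JSC's code):
// the value slot is 64 bits wide; for memory32 only the low 32 bits count.
function deltaPagesFromSlot(slot64, isMemory64, normalize = true) {
  const v = BigInt.asUintN(64, slot64);
  return isMemory64 || !normalize ? v : BigInt.asUintN(32, v);
}

// Bounds decision a memory32 grow slow path makes; normalize=false reproduces
// the over-rejection of a valid delta whose upper bits are dirty.
function growIsAccepted(slot64, currentPages, maxPages, normalize = true) {
  const delta = deltaPagesFromSlot(slot64, false, normalize);
  return BigInt(currentPages) + delta <= BigInt(maxPages);
}
```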
