diff --git a/js/src/jit-test/tests/asm.js/testBug1359612.js b/js/src/jit-test/tests/asm.js/testBug1359612.js
new file mode 100644
index 000000000000..f2a2255322b6
--- /dev/null
+++ b/js/src/jit-test/tests/asm.js/testBug1359612.js
@@ -0,0 +1,9 @@
+load(libdir + 'asm.js');
+
+asmLink(asmCompile('stdlib', 'foreign', USE_ASM + `
+ var ff = foreign.ff;
+ function f() {
+ ff(+1);
+ }
+ return f
+`), this, { ff: Math.log1p });
diff --git a/js/src/jit-test/tests/wasm/regress/builtin-import-sigs.js b/js/src/jit-test/tests/wasm/regress/builtin-import-sigs.js
new file mode 100644
index 000000000000..a23dd9ddc41c
--- /dev/null
+++ b/js/src/jit-test/tests/wasm/regress/builtin-import-sigs.js
@@ -0,0 +1,15 @@
+var code = wasmTextToBinary(`(module
+ (import $one "" "builtin")
+ (import $two "" "builtin" (param i32))
+ (import $three "" "builtin" (result i32))
+ (import $four "" "builtin" (result f32) (param f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32))
+ (func (export "run")
+ (call $one)
+ (call $two (i32.const 0))
+ (drop (call $three))
+ (drop (call $four (f32.const 0) (f32.const 0) (f32.const 0) (f32.const 0) (f32.const 0) (f32.const 0) (f32.const 0) (f32.const 0) (f32.const 0) (f32.const 0) (f32.const 0) (f32.const 0)))
+ )
+)`);
+var m = new WebAssembly.Module(code);
+var i = new WebAssembly.Instance(m, {'':{builtin:Math.sin}});
+i.exports.run();
diff --git a/js/src/wasm/WasmBuiltins.cpp b/js/src/wasm/WasmBuiltins.cpp
index ca8040a813ba..1c6d220ae21d 100644
--- a/js/src/wasm/WasmBuiltins.cpp
+++ b/js/src/wasm/WasmBuiltins.cpp
@@ -904,8 +904,8 @@ wasm::SymbolicAddressTarget(SymbolicAddress sym)
 return thunks.codeBase + thunks.codeRanges[codeRangeIndex].begin();
 }
 
-static ABIFunctionType
-ToABIFunctionType(const Sig& sig)
+static Maybe
+ToBuiltinABIFunctionType(const Sig& sig)
 {
 const ValTypeVector& args = sig.args();
 ExprType ret = sig.ret();
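Review bot: The new test has no comment saying what it regresses, so a reader cannot tell that the discarded result of `ff(+1);` is the interesting part. A one-line header such as `// Bug 1359612: an asm.js FFI call to an inlinable native with a void signature must link without crashing.` would do; I infer the void-return angle from the discarded call and the `default: return Nothing();` replacement of the ret-type `MOZ_CRASH` in WasmBuiltins.cpp, so adjust the wording if the intent differs. The file only checks that `asmLink` completes, which is adequate for a crash regression as long as the comment says so.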
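Review bot: The four imports exercise distinct signature shapes (no result, an `i32` param, an `i32` result, twelve `f32` params), but nothing in the file says which failure each guards against, so a later edit could drop one without noticing. A short comment per import, e.g. `;; void and i32 types have no builtin-thunk ABI encoding` on `$one`–`$three` and `;; presumably probes the new argument-count bound` on `$four` (hedged, because the bound depends on ArgType_Shift, which is not visible here), would keep the coverage deliberate. Using `Math.sin` for every import is presumably because it is an inlinable native, the only case `MaybeGetBuiltinThunk` considers, and a comment stating that would also help.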
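Review bot: `static Maybe` on the new signature line has no template argument; it is probably `Maybe<ABIFunctionType>` lost in rendering, but worth confirming against the file. The renamed function now has a contract worth stating above it, since a `Nothing()` result is a normal outcome rather than an error: `// Returns Nothing() when the signature has no builtin-thunk ABI encoding (non-float types, or more arguments than fit in the abiType word); MaybeGetBuiltinThunk then reports no thunk.` The body of ToBuiltinABIFunctionType continues past the end of this hunk.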
@@ -914,18 +914,21 @@ ToABIFunctionType(const Sig& sig)
 switch (ret) {
 case ExprType::F32: abiType = ArgType_Float32 << RetType_Shift; break;
 case ExprType::F64: abiType = ArgType_Double << RetType_Shift; break;
- default: MOZ_CRASH("unhandled ret type");
+ default: return Nothing();
 }
 
+ if ((args.length() + 1) > (sizeof(uint32_t) * 8 / ArgType_Shift))
+ return Nothing();
+
 for (size_t i = 0; i < args.length(); i++) {
 switch (args[i]) {
 case ValType::F32: abiType |= (ArgType_Float32 << (ArgType_Shift * (i + 1))); break;
 case ValType::F64: abiType |= (ArgType_Double << (ArgType_Shift * (i + 1))); break;
- default: MOZ_CRASH("unhandled arg type");
+ default: return Nothing();
 }
 }
 
- return ABIFunctionType(abiType);
+ return Some(ABIFunctionType(abiType));
 }
 
 void*
@@ -936,9 +939,11 @@ wasm::MaybeGetBuiltinThunk(HandleFunction f, const Sig& sig, JSContext* cx)
 if (!f->isNative() || !f->jitInfo() || f->jitInfo()->type() != JSJitInfo::InlinableNative)
 return nullptr;
 
- InlinableNative native = f->jitInfo()->inlinableNative;
- ABIFunctionType abiType = ToABIFunctionType(sig);
- TypedNative typedNative(native, abiType);
+ Maybe abiType = ToBuiltinABIFunctionType(sig);
+ if (!abiType)
+ return nullptr;
+
+ TypedNative typedNative(f->jitInfo()->inlinableNative, *abiType);
 
 const BuiltinThunks& thunks = *builtinThunks;
 auto p = thunks.typedNativeToCodeRange.readonlyThreadsafeLookup(typedNative);
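Review bot: The new bound `(args.length() + 1) > (sizeof(uint32_t) * 8 / ArgType_Shift)` has no comment explaining the `+ 1` or the division, so the check reads as magic even though it is what keeps `ArgType_Shift * (i + 1)` below the width of the shifted operand (an over-wide shift is undefined behaviour, and the old `MOZ_CRASH` paths it replaces were reachable from a module's import signatures, as the new builtin-import-sigs.js test shows). A comment such as `// Slot 0 holds the return type and each argument takes ArgType_Shift bits; a signature that does not fit in the 32-bit abiType word has no builtin encoding.` would make that explicit. If `abiType` is declared as `uint32_t` (its declaration is above this hunk), `sizeof(abiType) * 8` would keep the bound tied to the variable it protects rather than to a type spelled separately. The check also runs after the return-type switch has already written `abiType`, which is harmless but would read more naturally placed before the switch.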
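Review bot: `Maybe abiType` again lacks its template argument, likely `Maybe<ABIFunctionType>` stripped in rendering. The new `if (!abiType) return nullptr;` turns an unencodable import signature into "no thunk", which is indistinguishable at the call site from the `return nullptr` for non-inlinable natives two lines above; a comment, `// Signatures without a builtin ABI encoding have no thunk; presumably the caller falls back to the generic import call.`, would make the fallback deliberate (the caller's behaviour is not visible here, hence the hedge). Folding the former `native` local into `f->jitInfo()->inlinableNative` reads fine since the value is used once. MaybeGetBuiltinThunk continues outside the hunk.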