diff options
| author | Alon Zakai <azakai@google.com> | 2021-05-06 10:56:12 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-06 10:56:12 -0700 |
| commit | c79a0f8ab95e17203feeb919dcf4424ac6522110 (patch) | |
| tree | bcfe7be651f884fa44352dbfb0f7dee3d440181e /src/js/binaryen.js-extern-post.js | |
| parent | c84116dd715c3e548f6de1b8d2e2c29b5e248132 (diff) | |
| download | binaryen-c79a0f8ab95e17203feeb919dcf4424ac6522110.tar.gz binaryen-c79a0f8ab95e17203feeb919dcf4424ac6522110.tar.bz2 binaryen-c79a0f8ab95e17203feeb919dcf4424ac6522110.zip | |
Fix interpreting of a ref.cast of a function that is not on the module (#3863)
Binaryen allows optimizing functions in function-parallel passes while the
module is still being built, that is, while not all the other functions have
even been added to the module yet. Since the removal of asm2wasm that
has not been heavily tested, but the fuzzer found a closely related bug:
in passes like inlining-optimizing, that inline and then optimize the
functions we inlined into, the mechanism for optimizing only the relevant
functions is to create a module with only some of them. (We only want to
optimize the relevant ones, that we inlined into, because this happens
after the main optimization pipeline - we don't want to re-optimize all the
functions if we just inlined into one of them.)
The specific bug here is that ref.cast of a funcref looked up the target
function on the module (in order to get its signature, to see if the cast
has the right RTT for it). The fix is to return a nonconstant flow in that
case, as it is something we cannot precompute. (This does mean we
may miss some optimization opportunities, but as in the case of where
we optimize functions before the module is fully built up, we do still
get 99% of function-local optimizations that way, and a subsequent
round of full optimizations can be done later if necessary.)
Diffstat (limited to 'src/js/binaryen.js-extern-post.js')
0 files changed, 0 insertions, 0 deletions