From b79f3a48140e99ac917274bfd680217fe28ae17c Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Wed, 14 Nov 2018 13:11:05 -0800
Subject: ReFinalize fix (#1742)

Handle a corner case in ReFinalize, which incrementally re-types code after changes. The problem is that if we need to figure out the type of a block, we look to the last element flowing out, or to breaks with values. If there is no such last element, and the breaks are not taken - they have unreachable values - then they don't tell us the block's proper type. We asserted that in such a case the block still had a type, and didn't handle this. To fix it, we could look on the parent to see what type would fit. However, it seem simpler to just remove untaken breaks/switches as part of ReFinalization - they carry no useful info anyhow. After removing them, if the block has no other signal of a concrete type, it can just be unreachable. This bug existed for at least 1.5 years - I didn't look back further. I think it was noticed by the fuzzer now due to recent fuzzing improvements and optimizer improvements, as I just saw this bug found a second time.
---
 test/wasm2js/br.2asm.js | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
(limited to 'test/wasm2js')

diff --git a/test/wasm2js/br.2asm.js b/test/wasm2js/br.2asm.js
index a877618a1..bea5cf57b 100644
--- a/test/wasm2js/br.2asm.js
+++ b/test/wasm2js/br.2asm.js
@@ -510,7 +510,7 @@ function asmFunc(global, env, buffer) {
 }
 
 function $54() {
- var $0 = 0, $1_1 = 0;
+ var $0 = 0;
 block : {
 block0 : {
 $0 = 8;
@@ -523,10 +523,8 @@ function asmFunc(global, env, buffer) {
 function $55() {
 var $0 = 0, $1_1 = 0;
 block : {
- block1 : {
- $0 = 8;
- break block;
- };
+ $0 = 8;
+ break block;
 };
 return 1 + $0 | 0 | 0;
 }
@@ -541,12 +539,10 @@ function asmFunc(global, env, buffer) {
 }
 
 function $57() {
- var $0 = 0, $1_1 = 0;
+ var $0 = 0;
 block : {
- block2 : {
- $0 = 8;
- break block;
- };
+ $0 = 8;
+ break block;
 };
 return 1 + $0 | 0 | 0;
 }
-- 
cgit v1.2.3