Bug 1884565: wasm: Fix assert in ArrayCopyFromData. r=rhunt

Differential Revision: https://phabricator.services.mozilla.com/D204285
dothq · Mar 12, 2024 · 0f159ce · 0f159ce
1 parent fce4caf
commit 0f159ce
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 3 deletions.
diff --git a/js/src/jit-test/tests/wasm/gc/arrays.js b/js/src/jit-test/tests/wasm/gc/arrays.js
@@ -604,7 +604,37 @@ assertErrorMessage(() => wasmEvalText(`(module
     },WebAssembly.RuntimeError, /index out of bounds/);
 }
 
-// run: zeroes everywhere
+// run: zero-length copies are allowed
+{
+  let { newData } = wasmEvalText(`(module
+      (type $a (array i8))
+      (data $d "1337")
+      (func (export "newData") (result eqref)
+              (; offset=0 into data ;) i32.const 0
+              (; size=0 into data ;) i32.const 0
+              array.new_data $a $d
+      )
+      )`).exports;
+  let arr = newData();
+  assertEq(wasmGcArrayLength(arr), 0);
+}
+
+// run: a zero-length copy from the end is allowed
+{
+  let { newData } = wasmEvalText(`(module
+      (type $a (array i8))
+      (data $d "1337")
+      (func (export "newData") (result eqref)
+              (; offset=4 into data ;) i32.const 4
+              (; size=0 into data ;) i32.const 0
+              array.new_data $a $d
+      )
+      )`).exports;
+  let arr = newData();
+  assertEq(wasmGcArrayLength(arr), 0);
+}
+
+// run: even empty data segments are allowed
 {
   let { newData } = wasmEvalText(`(module
       (type $a (array i8))
@@ -817,7 +847,45 @@ assertErrorMessage(() => wasmEvalText(`(module
     },WebAssembly.RuntimeError, /index out of bounds/);
 }
 
-// run: zeroes everywhere
+// run: zero-length copies are allowed
+{
+  let { newElem, f1, f2, f3, f4 } = wasmEvalText(`(module
+      (type $a (array funcref))
+      (elem $e func $f1 $f2 $f3 $f4)
+      (func $f1 (export "f1"))
+      (func $f2 (export "f2"))
+      (func $f3 (export "f3"))
+      (func $f4 (export "f4"))
+      (func (export "newElem") (result eqref)
+              (; offset=0 into elem ;) i32.const 0
+              (; size=0 into elem ;) i32.const 0
+              array.new_elem $a $e
+      )
+      )`).exports;
+  let arr = newElem();
+  assertEq(wasmGcArrayLength(arr), 0);
+}
+
+// run: a zero-length copy from the end is allowed
+{
+  let { newElem, f1, f2, f3, f4 } = wasmEvalText(`(module
+      (type $a (array funcref))
+      (elem $e func $f1 $f2 $f3 $f4)
+      (func $f1 (export "f1"))
+      (func $f2 (export "f2"))
+      (func $f3 (export "f3"))
+      (func $f4 (export "f4"))
+      (func (export "newElem") (result eqref)
+              (; offset=4 into elem ;) i32.const 4
+              (; size=0 into elem ;) i32.const 0
+              array.new_elem $a $e
+      )
+      )`).exports;
+  let arr = newElem();
+  assertEq(wasmGcArrayLength(arr), 0);
+}
+
+// run: even empty elem segments are allowed
 {
     let { newElem, f1, f2, f3, f4 } = wasmEvalText(`(module
         (type $a (array funcref))

diff --git a/js/src/wasm/WasmInstance.cpp b/js/src/wasm/WasmInstance.cpp
@@ -1531,7 +1531,7 @@ static bool ArrayCopyFromData(JSContext* cx, Handle<WasmArrayObject*> arrayObj,
 
   // Because `numBytesToCopy` is an in-range `CheckedUint32`, the cast to
   // `size_t` is safe even on a 32-bit target.
-  if (!seg->bytes.empty()) {
+  if (numElements != 0) {
     memcpy(arrayObj->data_, &seg->bytes[segByteOffset],
            size_t(numBytesToCopy.value()));
   }