I seem to recall we discussed using a new Table in wasm-split, when reference types is set? Atm it looks like we reuse the table if one exists:
|
if (it == module.tables.end()) { |
|
// There is no indirect function table, so we will create one lazily. |
|
return; |
|
} |
|
|
|
activeTable = it->get(); |
The fuzzer errored on this, with exports like these:
(func $0
)
(func $1
(table.set $0
(i32.const 1)
(ref.null nofunc)
)
(unreachable)
)
(func $2
)
After splitting these three out, we end up with call_indirects in all three in the primary module. The secondary module's elem writes the proper function pointers, but when we call $1 we trample some of that data, leading to the third export trapping. That is, it is unsafe to use the table for normal stuff and also wasm-split stuff, without the two being aware of each other.
cc @tlively @aheejin
I seem to recall we discussed using a new Table in wasm-split, when reference types is set? Atm it looks like we reuse the table if one exists:
binaryen/src/ir/module-splitting.cpp
Lines 186 to 191 in 28e849b
The fuzzer errored on this, with exports like these:
After splitting these three out, we end up with
call_indirectsin all three in the primary module. The secondary module's elem writes the proper function pointers, but when we call$1we trample some of that data, leading to the third export trapping. That is, it is unsafe to use the table for normal stuff and also wasm-split stuff, without the two being aware of each other.cc @tlively @aheejin