edge case access to detached `ArrayBuffer`
zamfofex opened this issue · 2 comments
This library will sometimes generate code that looks something like this:
```javascript
c.dv.getInt32((t2 = (f[256]())), 1)
```
If the function `f[256]` happens to grow the memory, this code will be incorrect, because `c.dv` has already been evaluated, and will refer to the previous `DataView`, whose `ArrayBuffer` has already been (explicitly) detached in `f[256]`.
For that particular case, correctly generated code might look something like this:
```javascript
(t2 = f[256](), c.dv.getInt32(t2, 1))
```
This way, `c.dv` will only be evaluated after `f[256]` returns.
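The evaluation-order hazard described in the report, as an added stand-alone illustration (not code from the issue or from the compiler it concerns). It models the runtime object `c` with a real `WebAssembly.Memory`, whose `grow()` detaches the previous `ArrayBuffer`; the names `c`, `dv`, `mem`, `t2` and the helper `growThenReturnAddr` (standing in for `f[256]`) are assumptions.

```javascript
// Constructed model of the runtime state the generated code reads from.
const c = {
  mem: new WebAssembly.Memory({ initial: 1 }),
  dv: null,
};

// Rebuild the DataView whenever the backing buffer is replaced.
function refreshView() {
  c.dv = new DataView(c.mem.buffer);
}
refreshView();
c.dv.setInt32(1, 0x11223344, true); // sample value at address 1

// Stand-in for f[256]: grows memory (detaching the old ArrayBuffer),
// refreshes the view, and returns the address to load from.
function growThenReturnAddr() {
  c.mem.grow(1);
  refreshView();
  return 1;
}

// Shape the issue reports as buggy: `c.dv` is evaluated before the
// argument runs, so the call is made on the now-detached DataView.
function loadBuggy() {
  let t2;
  return c.dv.getInt32((t2 = growThenReturnAddr()), 1);
}

// Shape the issue proposes: evaluate the argument first, then `c.dv`.
function loadFixed() {
  let t2;
  return (t2 = growThenReturnAddr(), c.dv.getInt32(t2, 1));
}

// Returns the loaded value, or the name of the error the load threw
// (a load through a detached buffer throws TypeError).
function tryLoad(fn) {
  try {
    return fn();
  } catch (e) {
    return e.constructor.name;
  }
}
```

Each call grows memory by one page, so the fixed form keeps working on repeated calls while the buggy form fails every time.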
Thanks for the report. I can reproduce the issue. I guess this means that this concern can be hit in practice. I'll think about what to do here.
I was able to fix this by preventing the inlining of all child expressions into `load` and `store` and `memory_copy` and `memory_fill` opcodes. I avoided the performance hit by making an exception for `const` and `local_get` opcodes, which can't contain a `memory_grow` opcode.