[dawn][emscripten] Convert ptrs to unsigned when using in JS map.
- Some users found that if the linkopts used to build the bindings
are not the same as the linkopts used in dependencies, we can have
issues where WASM allocates pointer addresses that have their top
bit set. When used incorrectly, this results in negative values
being used to access the map and causes crashes. As a result, we
force all pointers to be unsigned before looking up or storing
them into the JS map.
Bug: 422847728
No-Try: true
Change-Id: I6a7028a273f2d0dfec5d399ba535774a66eb67ef
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/245794
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>
Auto-Submit: Loko Kung <lokokung@google.com>
diff --git a/third_party/emdawnwebgpu/pkg/webgpu/src/library_webgpu.js b/third_party/emdawnwebgpu/pkg/webgpu/src/library_webgpu.js
index 7198a61..049b0c0 100644
--- a/third_party/emdawnwebgpu/pkg/webgpu/src/library_webgpu.js
+++ b/third_party/emdawnwebgpu/pkg/webgpu/src/library_webgpu.js
@@ -93,7 +93,10 @@
// care about object type, and is keyed on the pointer address.
jsObjects: [],
jsObjectInsert: (ptr, jsObject) => {
- WebGPU.Internals.jsObjects[ptr] = jsObject;
+ // TODO(crbug.com/422847728): If the bindings aren't built with the same
+ // linkopts as dependencies, i.e. in google3, the pointers can be signed
+ // ints and results in crashes, so force the pointers to be unsigned.
+ WebGPU.Internals.jsObjects[(ptr >>>= 0)] = jsObject;
},
// Buffer unmapping callbacks are stored in a separate table to keep
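Review bot: Normalising the key inline in `jsObjectInsert` only protects the table if every other access path applies the same `>>> 0`, and the removal path and the separate buffer unmapping table mentioned in the trailing comment are not visible in this hunk. If any of them still indexes with the raw signed value, an entry stored under the unsigned key would never be found or deleted there, leaving a stale object tied to an address the allocator may hand out again. Doing the conversion in one shared place would keep the sites from drifting apart. Within this function, assigning inside the subscript hides the conversion and mutates the parameter; `var key = ptr >>> 0;` followed by `WebGPU.Internals.jsObjects[key] = jsObject;` reads more plainly and matches the `key` local in `getJsObject`. The `TODO` comment explains the cause but not what remains to be done, so stating the exit condition would make it actionable.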
@@ -129,10 +132,14 @@
// because importing is not a "move" into the API, rather just a "copy".
getJsObject: (ptr) => {
if (!ptr) return undefined;
+ // TODO(crbug.com/422847728): If the bindings aren't built with the same
+ // linkopts as dependencies, i.e. in google3, the pointers can be signed
+ // ints and results in crashes, so force the pointers to be unsigned.
+ var key = (ptr >>>= 0);
#if ASSERTIONS
- assert(ptr in WebGPU.Internals.jsObjects);
+ assert(key in WebGPU.Internals.jsObjects);
#endif
- return WebGPU.Internals.jsObjects[ptr];
+ return WebGPU.Internals.jsObjects[key];
},
{{{ gpu.makeImportJsObject('Adapter') }}}
{{{ gpu.makeImportJsObject('BindGroup') }}}
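Review bot: `ptr >>>= 0` in `getJsObject` is a ToUint32 conversion, so besides mapping a negative 32-bit value to its unsigned form it also silently discards any bits above bit 31. If this library can be built with 64-bit pointers (not determinable from this hunk), two distinct addresses could collapse to one key, and the lookup would return another handle's object without tripping the `key in` assert. Under `#if ASSERTIONS` it would be cheap to check the input range before coercing, for example `assert(Number.isInteger(ptr) && ptr >= -0x80000000 && ptr <= 0xFFFFFFFF);`. Separately, `var key = (ptr >>>= 0);` both reassigns the parameter and introduces `key`; `var key = ptr >>> 0;` is enough.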