Title: [265065] trunk
Revision
265065
Author
tzaga...@apple.com
Date
2020-07-29 16:15:09 -0700 (Wed, 29 Jul 2020)

Log Message

WebAssembly validation for call_indirect is incorrect
https://bugs.webkit.org/show_bug.cgi?id=214901
<rdar://problem/65189677>

Reviewed by Saam Barati.

JSTests:

* wasm/stress/validate-call_indirect.js: Added.
(try.main):
(catch):

Source/_javascript_Core:

There was an incorrect condition when validating call_indirect's arguments, which often resulted in skipping this validation.

* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):

Diff

Modified: trunk/JSTests/ChangeLog (265064 => 265065)


--- trunk/JSTests/ChangeLog	2020-07-29 22:47:43 UTC (rev 265064)
+++ trunk/JSTests/ChangeLog	2020-07-29 23:15:09 UTC (rev 265065)
@@ -1,3 +1,15 @@
+2020-07-29  Tadeu Zagallo  <tzaga...@apple.com>
+
+        WebAssembly validation for call_indirect is incorrect
+        https://bugs.webkit.org/show_bug.cgi?id=214901
+        <rdar://problem/65189677>
+
+        Reviewed by Saam Barati.
+
+        * wasm/stress/validate-call_indirect.js: Added.
+        (try.main):
+        (catch):
+
 2020-07-29  Paulo Matos  <pma...@igalia.com>
 
         for..of intrinsics implementation for 32bits

Added: trunk/JSTests/wasm/stress/validate-call_indirect.js (0 => 265065)


--- trunk/JSTests/wasm/stress/validate-call_indirect.js	                        (rev 0)
+++ trunk/JSTests/wasm/stress/validate-call_indirect.js	2020-07-29 23:15:09 UTC (rev 265065)
@@ -0,0 +1,21 @@
+let imports = {};
+let buffer = new Uint8Array([
+  0,97,115,109,1,0,0,0,1,8,1,96,1,124,3,127,127,127,3,2,1,0,
+  4,6,1,112,1,6,255,1,5,4,1,1,0,1,7,27,4,2,116,49,1,0,2,109,
+  49,2,0,4,109,97,105,110,0,0,6,109,101,109,111,114,121,2,0,
+  10,53,1,51,0,68,65,65,0,16,0,17,0,0,16,0,17,0,0,17,0,0,63,
+  0,65,248,2,68,65,65,0,16,15,0,103,17,0,0,16,0,17,0,0,17,0,
+  0,16,0,17,0,178,46,65,0,11,0,14,4,110,97,109,101,1,7,1,0,4,
+  109,97,105,110
+]);
+var error = undefined;
+try {
+    let module = new WebAssembly.Module(buffer);
+    let instance = new WebAssembly.Instance(module, imports);
+    main = function() { return instance.exports.main(); };
+    main();
+} catch (err) {
+    error = err;
+}
+if (!error || error.message !== "WebAssembly.Module doesn't validate: argument type mismatch in call_indirect, got I32, expected F64, in function at index 0 (evaluating 'new WebAssembly.Module(buffer)')")
+    throw "Expected validation error";
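Review bot: The check on the last two lines compares the entire message, including the engine-appended `(evaluating 'new WebAssembly.Module(buffer)')` suffix, so any change to that source-location decoration or to the message wording will fail with the same "Expected validation error" as a real regression would. Checking the error class and the validator's own text is more robust and also throws an Error instead of a bare string: `if (!(error instanceof WebAssembly.CompileError) || !error.message.includes("argument type mismatch in call_indirect, got I32, expected F64")) throw new Error("Expected validation error");` (assuming JSC reports validation failures as WebAssembly.CompileError, as the spec requires — confirm). The `main = function() { ... }` assignment inside the try block also creates an implicit global; a `const main` or simply calling `instance.exports.main()` avoids that. These are test-hygiene points only; the behaviour the test pins is the WasmFunctionParser.h change.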

Modified: trunk/Source/_javascript_Core/ChangeLog (265064 => 265065)


--- trunk/Source/_javascript_Core/ChangeLog	2020-07-29 22:47:43 UTC (rev 265064)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-07-29 23:15:09 UTC (rev 265065)
@@ -1,3 +1,16 @@
+2020-07-29  Tadeu Zagallo  <tzaga...@apple.com>
+
+        WebAssembly validation for call_indirect is incorrect
+        https://bugs.webkit.org/show_bug.cgi?id=214901
+        <rdar://problem/65189677>
+
+        Reviewed by Saam Barati.
+
+        There was an incorrect condition when validating call_indirect's arguments, which often resulted in skipping this validation.
+
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+
 2020-07-29  Mark Lam  <mark....@apple.com>
 
         Update some JSArrayBufferView comments and add some assertions.

Modified: trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h (265064 => 265065)


--- trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h	2020-07-29 22:47:43 UTC (rev 265064)
+++ trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h	2020-07-29 23:15:09 UTC (rev 265065)
@@ -636,7 +636,7 @@
         size_t firstArgumentIndex = m_expressionStack.size() - argumentCount;
         for (size_t i = firstArgumentIndex; i < m_expressionStack.size(); ++i) {
             TypedExpression arg = m_expressionStack.at(i);
-            if (i < calleeSignature.argumentCount())
+            if (i < m_expressionStack.size() - 1)
                 WASM_VALIDATOR_FAIL_IF(!isSubtype(arg.type(), calleeSignature.argument(i - firstArgumentIndex)), "argument type mismatch in call_indirect, got ", arg.type(), ", expected ", calleeSignature.argument(i - firstArgumentIndex));
             args.uncheckedAppend(arg);
             m_context.didPopValueFromStack();
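Review bot: The new guard `i < m_expressionStack.size() - 1` skips the last operand without saying why, and it only coincides with "the signature's arguments" if argumentCount (computed above the hunk) is calleeSignature.argumentCount() + 1 for the table-index operand; writing it as `if (i - firstArgumentIndex < calleeSignature.argumentCount())` ties the guard to the same index the body passes to `calleeSignature.argument(...)` and cannot over-run the signature if that relationship ever changes. A short comment would also help the next reader: `// The last stack entry is the i32 table-index operand, not a signature argument.` (presumably its type is checked elsewhere — confirm). Note that `m_expressionStack.size() - 1` wraps on an empty stack, which is harmless only if an earlier check already guarantees the stack holds at least argumentCount entries; that check is not visible here. parseExpression begins and ends outside the hunk.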
@@ -643,8 +643,6 @@
         }
         m_expressionStack.shrink(firstArgumentIndex);
 
-
-
         ResultList results;
         WASM_TRY_ADD_TO_CONTEXT(addCallIndirect(tableIndex, calleeSignature, args, results));
 