Diff
Modified: trunk/JSTests/ChangeLog (209873 => 209874)
--- trunk/JSTests/ChangeLog 2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/JSTests/ChangeLog 2016-12-15 22:08:38 UTC (rev 209874)
@@ -1,3 +1,20 @@
+2016-12-15 JF Bastien <[email protected]>
+
+ WebAssembly API: improve data section errors
+ https://bugs.webkit.org/show_bug.cgi?id=165733
+
+ Reviewed by Keith Miller.
+
+ * wasm/js-api/element-data.js: Added.
+ (ElementBeforeData.set const):
+ (ElementBeforeData): check the order of initialization, which is observable on failure
+ * wasm/js-api/test_Data.js:
+ (DataSectionWithoutMemory):
+ (DataSectionOffTheEnd): Deleted.
+ (DataSectionPartlyOffTheEnd): Deleted.
+ (DataSectionEmptyOffTheEnd): Deleted.
+ (DataSectionSeenByStart): Deleted.
+
2016-12-15 Keith Miller <[email protected]>
Fix 64-bit shift family Wasm opcodes
Added: trunk/JSTests/wasm/js-api/element-data.js (0 => 209874)
--- trunk/JSTests/wasm/js-api/element-data.js (rev 0)
+++ trunk/JSTests/wasm/js-api/element-data.js 2016-12-15 22:08:38 UTC (rev 209874)
@@ -0,0 +1,47 @@
+import Builder from '../Builder.js';
+import * as assert from '../assert.js';
+
+const memSizeInPages = 1;
+const pageSizeInBytes = 64 * 1024;
+const memoryDescription = { initial: memSizeInPages, maximum: memSizeInPages };
+
+(function ElementBeforeData() {
+ const builder = (new Builder())
+ .Type().End()
+ .Import()
+ .Memory("imp", "memory", memoryDescription)
+ .Table("imp", "table", {element: "anyfunc", initial: 19}) // unspecified maximum.
+ .End()
+ .Function().End()
+ .Element()
+ .Element({offset: 19, functionIndices: [0, 0, 0, 0, 0]})
+ .End()
+ .Code()
+ .Function("foo", {params: ["i32"], ret: "i32"})
+ .GetLocal(0)
+ .I32Const(42)
+ .I32Add()
+ .Return()
+ .End()
+ .End()
+ .Data()
+ .Segment([0xde, 0xad, 0xbe, 0xef]).Offset(0).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ const module = new WebAssembly.Module(bin);
+ const memory = new WebAssembly.Memory(memoryDescription);
+ const table = new WebAssembly.Table({element: "anyfunc", initial: 19});
+ const imports = {
+ imp: {
+ memory: memory,
+ table: table,
+ }
+ };
+ assert.throws(() => new WebAssembly.Instance(module, imports), RangeError, `Element is trying to set an out of bounds table index`);
+ // On Element failure, the Data section shouldn't have executed.
+ const buffer = new Uint8Array(memory.buffer);
+ for (let idx = 0; idx < memSizeInPages * pageSizeInBytes; ++idx) {
+ const value = buffer[idx];
+ assert.eq(value, 0x00);
+ }
+})();
Modified: trunk/JSTests/wasm/js-api/test_Data.js (209873 => 209874)
--- trunk/JSTests/wasm/js-api/test_Data.js 2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/JSTests/wasm/js-api/test_Data.js 2016-12-15 22:08:38 UTC (rev 209874)
@@ -4,9 +4,18 @@
const memSizeInPages = 1;
const pageSizeInBytes = 64 * 1024;
const memoryDescription = { initial: memSizeInPages, maximum: memSizeInPages };
+const emptyMemory = { initial: 0, maximum: 2 };
// FIXME Some corner cases are ill-specified: https://github.com/WebAssembly/design/issues/897
+const assertMemoryAllZero = memory => {
+ const buffer = new Uint8Array(memory.buffer);
+ for (let idx = 0; idx < buffer.length; ++idx) {
+ const value = buffer[idx];
+ assert.eq(value, 0x00);
+ }
+};
+
(function DataSection() {
const builder = (new Builder())
.Type().End()
@@ -36,6 +45,40 @@
}
})();
+(function DataSectionWithoutMemory() {
+ const builder = (new Builder())
+ .Type().End()
+ .Data()
+ .Segment([0xff]).Offset(0).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ assert.throws(() => new WebAssembly.Module(bin), WebAssembly.CompileError, `couldn't parse section Data: Data segments (evaluating 'new WebAssembly.Module(bin)')`);
+})();
+
+(function EmptyDataSectionWithoutMemory() {
+ const builder = (new Builder())
+ .Type().End()
+ .Data()
+ .Segment([]).Offset(0).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ assert.throws(() => new WebAssembly.Module(bin), WebAssembly.CompileError, `couldn't parse section Data: Data segments (evaluating 'new WebAssembly.Module(bin)')`);
+})();
+
+(function DataSectionBiggerThanMemory() {
+ const builder = (new Builder())
+ .Type().End()
+ .Import().Memory("imp", "memory", memoryDescription).End()
+ .Data()
+ .Segment(Array(memSizeInPages * pageSizeInBytes + 1).fill(0xff)).Offset(0).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ const module = new WebAssembly.Module(bin);
+ const memory = new WebAssembly.Memory(memoryDescription);
+ assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Invalid data segment initialization: segment of 65537 bytes memory of 65536 bytes, at offset 0, segment is too big`);
+ assertMemoryAllZero(memory);
+})();
+
(function DataSectionOffTheEnd() {
const builder = (new Builder())
.Type().End()
@@ -46,12 +89,8 @@
const bin = builder.WebAssembly().get();
const module = new WebAssembly.Module(bin);
const memory = new WebAssembly.Memory(memoryDescription);
- assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Data segment initializes memory out of range`);
- const buffer = new Uint8Array(memory.buffer);
- for (let idx = 0; idx < memSizeInPages * pageSizeInBytes; ++idx) {
- const value = buffer[idx];
- assert.eq(value, 0x00);
- }
+ assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Invalid data segment initialization: segment of 1 bytes memory of 65536 bytes, at offset 65536, segment writes outside of memory`);
+ assertMemoryAllZero(memory);
})();
(function DataSectionPartlyOffTheEnd() {
@@ -64,12 +103,8 @@
const bin = builder.WebAssembly().get();
const module = new WebAssembly.Module(bin);
const memory = new WebAssembly.Memory(memoryDescription);
- assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Data segment initializes memory out of range`);
- const buffer = new Uint8Array(memory.buffer);
- for (let idx = 0; idx < memSizeInPages * pageSizeInBytes; ++idx) {
- const value = buffer[idx];
- assert.eq(value, 0x00);
- }
+ assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Invalid data segment initialization: segment of 2 bytes memory of 65536 bytes, at offset 65535, segment writes outside of memory`);
+ assertMemoryAllZero(memory);
})();
(function DataSectionEmptyOffTheEnd() {
@@ -83,13 +118,23 @@
const module = new WebAssembly.Module(bin);
const memory = new WebAssembly.Memory(memoryDescription);
const instance = new WebAssembly.Instance(module, { imp: { memory: memory } });
- const buffer = new Uint8Array(memory.buffer);
- for (let idx = 0; idx < memSizeInPages * pageSizeInBytes; ++idx) {
- const value = buffer[idx];
- assert.eq(value, 0x00);
- }
+ assertMemoryAllZero(memory);
})();
+(function DataSectionEmptyOffTheEndWithEmptyMemory() {
+ const builder = (new Builder())
+ .Type().End()
+ .Import().Memory("imp", "memory", emptyMemory).End()
+ .Data()
+ .Segment([]).Offset(memSizeInPages * pageSizeInBytes).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ const module = new WebAssembly.Module(bin);
+ const memory = new WebAssembly.Memory(emptyMemory);
+ const instance = new WebAssembly.Instance(module, { imp: { memory: memory } });
+ assertMemoryAllZero(memory);
+})();
+
(function DataSectionSeenByStart() {
const offset = 1024;
const builder = (new Builder())
Modified: trunk/Source/_javascript_Core/ChangeLog (209873 => 209874)
--- trunk/Source/_javascript_Core/ChangeLog 2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-12-15 22:08:38 UTC (rev 209874)
@@ -1,3 +1,16 @@
+2016-12-15 JF Bastien <[email protected]>
+
+ WebAssembly API: improve data section errors, initialize after Element
+ https://bugs.webkit.org/show_bug.cgi?id=165733
+
+ Reviewed by Keith Miller.
+
+ * wasm/WasmModuleParser.cpp:
+ (JSC::Wasm::ModuleParser::parseData): Data section without Memory section or import is a validation error
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::dataSegmentFail):
+ (JSC::WebAssemblyModuleRecord::evaluate): tighten checks (though the spec isn't fully baked), and move after Element initialization
+
2016-12-15 Keith Miller <[email protected]>
Turn on WebAssembly by default
Modified: trunk/Source/_javascript_Core/wasm/WasmModuleParser.cpp (209873 => 209874)
--- trunk/Source/_javascript_Core/wasm/WasmModuleParser.cpp 2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/Source/_javascript_Core/wasm/WasmModuleParser.cpp 2016-12-15 22:08:38 UTC (rev 209874)
@@ -724,6 +724,8 @@
bool ModuleParser::parseData()
{
uint32_t segmentCount;
+ if (!m_module->memory)
+ return false;
if (!parseVarUInt32(segmentCount)
|| segmentCount == std::numeric_limits<uint32_t>::max()
|| !m_module->data.tryReserveCapacity(segmentCount))
Modified: trunk/Source/_javascript_Core/wasm/js/WebAssemblyModuleRecord.cpp (209873 => 209874)
--- trunk/Source/_javascript_Core/wasm/js/WebAssemblyModuleRecord.cpp 2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/Source/_javascript_Core/wasm/js/WebAssemblyModuleRecord.cpp 2016-12-15 22:08:38 UTC (rev 209874)
@@ -194,28 +194,17 @@
m_moduleEnvironment.set(vm, this, moduleEnvironment);
}
+template <typename Scope, typename N, typename ...Args>
+NEVER_INLINE static JSValue dataSegmentFail(ExecState* state, Scope& scope, N memorySize, N segmentSize, N offset, Args... args)
+{
+ return throwException(state, scope, createRangeError(state, makeString(ASCIILiteral("Invalid data segment initialization: segment of "), String::number(segmentSize), ASCIILiteral(" bytes memory of "), String::number(memorySize), ASCIILiteral(" bytes, at offset "), String::number(offset), args...)));
+}
+
JSValue WebAssemblyModuleRecord::evaluate(ExecState* state)
{
VM& vm = state->vm();
auto scope = DECLARE_THROW_SCOPE(vm);
- if (JSWebAssemblyMemory* jsMemory = m_instance->memory()) {
- uint8_t* memory = reinterpret_cast<uint8_t*>(jsMemory->memory()->memory());
- auto sizeInBytes = jsMemory->memory()->size();
- if (memory) {
- const Vector<Wasm::Segment::Ptr>& data = ""
- for (auto& segment : data) {
- if (segment->sizeInBytes) {
- if (sizeInBytes < segment->sizeInBytes
- || segment->offset > sizeInBytes
- || segment->offset > sizeInBytes - segment->sizeInBytes)
- return throwException(state, scope, createRangeError(state, ASCIILiteral("Data segment initializes memory out of range")));
- memcpy(memory + segment->offset, &segment->byte(0), segment->sizeInBytes);
- }
- }
- }
- }
-
{
JSWebAssemblyModule* module = m_instance->module();
const Wasm::ModuleInformation& moduleInformation = module->moduleInformation();
@@ -261,6 +250,26 @@
}
}
+ {
+ const Vector<Wasm::Segment::Ptr>& data = ""
+ JSWebAssemblyMemory* jsMemory = m_instance->memory();
+ if (!data.isEmpty()) {
+ RELEASE_ASSERT(jsMemory); // It is a validation error for a Data section to exist without a Memory section or import.
+ uint8_t* memory = reinterpret_cast<uint8_t*>(jsMemory->memory()->memory());
+ RELEASE_ASSERT(memory);
+ auto sizeInBytes = jsMemory->memory()->size();
+ for (auto& segment : data) {
+ if (segment->sizeInBytes) {
+ if (UNLIKELY(sizeInBytes < segment->sizeInBytes))
+ return dataSegmentFail(state, scope, sizeInBytes, segment->sizeInBytes, segment->offset, ASCIILiteral(", segment is too big"));
+ if (UNLIKELY(segment->offset > sizeInBytes - segment->sizeInBytes))
+ return dataSegmentFail(state, scope, sizeInBytes, segment->sizeInBytes, segment->offset, ASCIILiteral(", segment writes outside of memory"));
+ memcpy(memory + segment->offset, &segment->byte(0), segment->sizeInBytes);
+ }
+ }
+ }
+ }
+
if (WebAssemblyFunction* startFunction = m_startFunction.get()) {
ProtoCallFrame protoCallFrame;
protoCallFrame.init(nullptr, startFunction, JSValue(), 1, nullptr);
@@ -267,6 +276,7 @@
startFunction->call(vm, &protoCallFrame);
RETURN_IF_EXCEPTION(scope, { });
}
+
return jsUndefined();
}
