Title: [220908] releases/WebKitGTK/webkit-2.18
Revision
220908
Author
[email protected]
Date
2017-08-18 00:50:41 -0700 (Fri, 18 Aug 2017)

Log Message

Merge r220894 - WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
https://bugs.webkit.org/show_bug.cgi?id=175693
<rdar://problem/33952443>

Reviewed by Saam Barati.

JSTests:

Add a regression directory for WebAssembly tests.

* wasm.yaml:
* wasm/regress/175693.js: Added.
(else.else):
(instance.new.WebAssembly.Instance.new.WebAssembly.Module):
(catch):
* wasm/regress/175693.wasm: Added.

Source/_javascript_Core:

64-bit constants in an unreachable context were being decoded as
32-bit constants. This is pretty benign because unreachable code
shouldn't occur often. The effect is that 64-bit constants which
can't be encoded as 32-bit constants would cause the binary to be
rejected.

At the same time, 32-bit integer constants should be decoded as signed.

* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

Modified Paths

Added Paths

Diff

Modified: releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog (220907 => 220908)


--- releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog	2017-08-18 07:48:32 UTC (rev 220907)
+++ releases/WebKitGTK/webkit-2.18/JSTests/ChangeLog	2017-08-18 07:50:41 UTC (rev 220908)
@@ -1,3 +1,20 @@
+2017-08-17  JF Bastien  <[email protected]>
+
+        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
+        https://bugs.webkit.org/show_bug.cgi?id=175693
+        <rdar://problem/33952443>
+
+        Reviewed by Saam Barati.
+
+        Add a regression directory for WebAssembly tests.
+
+        * wasm.yaml:
+        * wasm/regress/175693.js: Added.
+        (else.else):
+        (instance.new.WebAssembly.Instance.new.WebAssembly.Module):
+        (catch):
+        * wasm/regress/175693.wasm: Added.
+
 2017-08-09  Caitlin Potter  <[email protected]>
 
         Early error on ANY operator before new.target

Added: releases/WebKitGTK/webkit-2.18/JSTests/wasm/regress/175693.js (0 => 220908)


--- releases/WebKitGTK/webkit-2.18/JSTests/wasm/regress/175693.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.18/JSTests/wasm/regress/175693.js	2017-08-18 07:50:41 UTC (rev 220908)
@@ -0,0 +1,39 @@
+const file = "175693.wasm";
+
+if (typeof console === 'undefined') {
+  console = { log: print };
+}
+var binary;
+if (typeof process === 'object' && typeof require === 'function' /* node.js detection */) {
+  var args = process.argv.slice(2);
+  binary = require('fs').readFileSync(file);
+  if (!binary.buffer) binary = new Uint8Array(binary);
+} else {
+  var args;
+  if (typeof scriptArgs != 'undefined') {
+    args = scriptArgs;
+  } else if (typeof arguments != 'undefined') {
+    args = arguments;
+  }
+  if (typeof readbuffer === 'function') {
+    binary = new Uint8Array(readbuffer(file));
+  } else {
+    binary = read(file, 'binary');
+  }
+}
+var instance = new WebAssembly.Instance(new WebAssembly.Module(binary), {});
+if (instance.exports.hangLimitInitializer) instance.exports.hangLimitInitializer();
+try {
+  console.log('calling: func_0');
+instance.exports.func_0();
+} catch (e) {
+  console.log('   exception: ' + e);
+}
+if (instance.exports.hangLimitInitializer) instance.exports.hangLimitInitializer();
+try {
+  console.log('calling: hangLimitInitializer');
+instance.exports.hangLimitInitializer();
+} catch (e) {
+  console.log('   exception: ' + e);
+}
+console.log('done.')
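Review bot: The `args` variable is populated on both sides of the host-detection block (`var args = process.argv.slice(2);` in the node branch, and the second `var args;` with the `scriptArgs`/`arguments` fallbacks in the else branch) but is never read anywhere in the file, so that boilerplate can be dropped. The file also never says what it regresses; a header such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=175693: a module whose unreachable code carries an i64.const immediate must instantiate without being rejected.` would tell the next reader that the real check is the `new WebAssembly.Module(binary)` call outside the try/catch, not the logged exports calls. Minor style: `instance.exports.func_0();` and `instance.exports.hangLimitInitializer();` sit at column 0 inside their try blocks, and `console.log('done.')` lacks a terminating semicolon.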

Added: releases/WebKitGTK/webkit-2.18/JSTests/wasm/regress/175693.wasm (0 => 220908)


--- releases/WebKitGTK/webkit-2.18/JSTests/wasm/regress/175693.wasm	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.18/JSTests/wasm/regress/175693.wasm	2017-08-18 07:50:41 UTC (rev 220908)
@@ -0,0 +1,4 @@
+��asm������`����`}}`||����A!func_0����hangLimitInitializer��
+\xF5\xC1~@#��E@#��Ak$��A\x97\x80y#��E@#��Ak$��A\x95\xF8~ApE+E~ �� ��A\x80 A\xF5zB\xFF\xFFSEAɈA\x80\x80~E#��E@#��Ak$��A\xFF��A+��A\xFF\xFFA\xCF\xEC\xBC~#��E@#��Ak$��A\xFFAq,��@\xAD��@A\x93AqAA\xFF\xFFA\xA2EAq*C������_}#��E@#��Ak$��B\x9FB\x80\x80\x80\x80\x80\x80\x80\x80\x80\x87 UE}C����\x80_A|Aq*��A\xA0Aq,��C\xA6\xFF\xFF\xFF �� ��\x88����B\xFFB\x80\x80\x80\x80xB\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80C��������\xBB\xABV������`����6��A$���� �� ��[} ��C���������� �� ��a| ��D����������������
\ No newline at end of file

Modified: releases/WebKitGTK/webkit-2.18/JSTests/wasm.yaml (220907 => 220908)


--- releases/WebKitGTK/webkit-2.18/JSTests/wasm.yaml	2017-08-18 07:48:32 UTC (rev 220907)
+++ releases/WebKitGTK/webkit-2.18/JSTests/wasm.yaml	2017-08-18 07:50:41 UTC (rev 220908)
@@ -35,6 +35,8 @@
   cmd: runWebAssembly unless parseRunCommands
 - path: wasm/lowExecutableMemory
   cmd: runWebAssemblyLowExecutableMemory unless parseRunCommands
+- path: wasm/regress/
+  cmd: runWebAssembly unless parseRunCommands
 
 - path: wasm/spec-tests/address.wast.js
   cmd: runWebAssemblySpecTest :normal

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog (220907 => 220908)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2017-08-18 07:48:32 UTC (rev 220907)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2017-08-18 07:50:41 UTC (rev 220908)
@@ -1,3 +1,22 @@
+2017-08-17  JF Bastien  <[email protected]>
+
+        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
+        https://bugs.webkit.org/show_bug.cgi?id=175693
+        <rdar://problem/33952443>
+
+        Reviewed by Saam Barati.
+
+        64-bit constants in an unreachable context were being decoded as
+        32-bit constants. This is pretty benign because unreachable code
+        shouldn't occur often. The effect is that 64-bit constants which
+        can't be encoded as 32-bit constants would cause the binary to be
+        rejected.
+
+        At the same time, 32-bit integer constants should be decoded as signed.
+
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+
 2017-08-17  Jacobo Aragunde Pérez  <[email protected]>
 
         [WPE][GTK] Ensure proper casting of data in gvariants

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/wasm/WasmFunctionParser.h (220907 => 220908)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/wasm/WasmFunctionParser.h	2017-08-18 07:48:32 UTC (rev 220907)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/wasm/WasmFunctionParser.h	2017-08-18 07:50:41 UTC (rev 220908)
@@ -604,8 +604,6 @@
     }
 
     // one immediate cases
-    case I32Const:
-    case I64Const:
     case SetLocal:
     case GetLocal:
     case TeeLocal:
@@ -619,6 +617,18 @@
         return { };
     }
 
+    case I32Const: {
+        int32_t unused;
+        WASM_PARSER_FAIL_IF(!parseVarInt32(unused), "can't get immediate for ", m_currentOpcode, " in unreachable context");
+        return { };
+    }
+
+    case I64Const: {
+        int64_t unused;
+        WASM_PARSER_FAIL_IF(!parseVarInt64(unused), "can't get immediate for ", m_currentOpcode, " in unreachable context");
+        return { };
+    }
+
     case GrowMemory:
     case CurrentMemory: {
         uint8_t reserved;
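Review bot: The new `case I32Const:` and `case I64Const:` blocks decode the discarded immediate with `parseVarInt32` and `parseVarInt64`, but nothing in the hunk ties them to the reachable-path decoding of the same opcodes, which is exactly how the two paths drifted apart and caused this bug. A comment above the pair would anchor the invariant: `// Must decode with the same signedness and width as the reachable I32Const/I64Const cases; a mismatch rejects valid modules whose dead code carries an i64 immediate.` The local named `unused` is written to by the parser, so `ignored` or `discarded` describes it more accurately. parseUnreachableExpression begins and ends outside this hunk, and the body of the remaining one-immediate group (`SetLocal`/`GetLocal`/`TeeLocal`) is not visible here, so I cannot confirm that group still reads an unsigned 32-bit varint as the ChangeLog implies.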
