Title: [246516] trunk
- Revision
- 246516
- Author
- [email protected]
- Date
- 2019-06-17 15:00:07 -0700 (Mon, 17 Jun 2019)
Log Message
Validate that table element type is funcref if using an element section
https://bugs.webkit.org/show_bug.cgi?id=198910
Reviewed by Yusuke Suzuki.
JSTests:
* wasm/references/anyref_table.js:
Source/_javascript_Core:
Add missing validation when attempting to add an element section to an anyref table.
* wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseElement):
Modified Paths
Diff
Modified: trunk/JSTests/ChangeLog (246515 => 246516)
--- trunk/JSTests/ChangeLog 2019-06-17 21:44:23 UTC (rev 246515)
+++ trunk/JSTests/ChangeLog 2019-06-17 22:00:07 UTC (rev 246516)
@@ -1,3 +1,12 @@
+2019-06-17 Justin Michaud <[email protected]>
+
+ Validate that table element type is funcref if using an element section
+ https://bugs.webkit.org/show_bug.cgi?id=198910
+
+ Reviewed by Yusuke Suzuki.
+
+ * wasm/references/anyref_table.js:
+
2019-06-17 Yusuke Suzuki <[email protected]>
[JSC] Introduce DisposableCallSiteIndex to enforce type-safety
Modified: trunk/JSTests/wasm/references/anyref_table.js (246515 => 246516)
--- trunk/JSTests/wasm/references/anyref_table.js 2019-06-17 21:44:23 UTC (rev 246515)
+++ trunk/JSTests/wasm/references/anyref_table.js 2019-06-17 22:00:07 UTC (rev 246516)
@@ -60,6 +60,21 @@
fullGC()
assert.eq($1.exports.get_tbl().test, "test")
+assert.throws(() => new WebAssembly.Instance(new WebAssembly.Module((new Builder())
+ .Type().End()
+ .Function().End()
+ .Table()
+ .Table({initial: 3, maximum: 3, element: "anyref"})
+ .End()
+ .Element()
+ .Element({tableIndex: 0, offset: 0, functionIndices: [0]})
+ .End()
+ .Code()
+ .Function("ret42", { params: [], ret: "i32" })
+ .I32Const(42)
+ .End()
+ .End().WebAssembly().get())), Error, "WebAssembly.Module doesn't parse at byte 30: Table 0 must have type 'anyfunc' to have an element section (evaluating 'new WebAssembly.Module')")
+
function doGCSet() {
fullGC()
$1.exports.set_tbl({ test: -1 })
Modified: trunk/Source/_javascript_Core/ChangeLog (246515 => 246516)
--- trunk/Source/_javascript_Core/ChangeLog 2019-06-17 21:44:23 UTC (rev 246515)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-06-17 22:00:07 UTC (rev 246516)
@@ -1,3 +1,15 @@
+2019-06-17 Justin Michaud <[email protected]>
+
+ Validate that table element type is funcref if using an element section
+ https://bugs.webkit.org/show_bug.cgi?id=198910
+
+ Reviewed by Yusuke Suzuki.
+
+ Add missing validation when attempting to add an element section to an anyref table.
+
+ * wasm/WasmSectionParser.cpp:
+ (JSC::Wasm::SectionParser::parseElement):
+
2019-06-17 Tadeu Zagallo <[email protected]>
Concurrent GC should check the conn before starting a new collection cycle
Modified: trunk/Source/_javascript_Core/wasm/WasmSectionParser.cpp (246515 => 246516)
--- trunk/Source/_javascript_Core/wasm/WasmSectionParser.cpp 2019-06-17 21:44:23 UTC (rev 246515)
+++ trunk/Source/_javascript_Core/wasm/WasmSectionParser.cpp 2019-06-17 22:00:07 UTC (rev 246516)
@@ -379,6 +379,7 @@
WASM_PARSER_FAIL_IF(!parseVarUInt32(tableIndex), "can't get ", elementNum, "th Element table index");
WASM_PARSER_FAIL_IF(tableIndex >= m_info->tableCount(), "Element section for Table ", tableIndex, " exceeds available Table ", m_info->tableCount());
+ WASM_PARSER_FAIL_IF(m_info->tableInformation.type() != TableElementType::Funcref, "Table ", tableIndex, " must have type 'anyfunc' to have an element section");
Type initExprType;
WASM_FAIL_IF_HELPER_FAILS(parseInitExpr(initOpcode, initExprBits, initExprType));
WASM_PARSER_FAIL_IF(initExprType != I32, "Element init_expr must produce an i32");
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
