Title: [248989] trunk
Revision
248989
Author
mark....@apple.com
Date
2019-08-21 18:42:22 -0700 (Wed, 21 Aug 2019)

Log Message

Wasm::FunctionParser is failing to enforce maxFunctionLocals.
https://bugs.webkit.org/show_bug.cgi?id=201016
<rdar://problem/54579911>

Reviewed by Yusuke Suzuki.

JSTests:

* wasm/stress/too-many-locals.js: Added.
(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):

Source/_javascript_Core:

Currently, Wasm::FunctionParser is allowing

    maxFunctionParams + maxFunctionLocals * maxFunctionLocals

... locals, which is 0x9502FCE8.  It should be enforcing max locals of
maxFunctionLocals instead.

* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parse):

Diff

Modified: trunk/JSTests/ChangeLog (248988 => 248989)


--- trunk/JSTests/ChangeLog	2019-08-22 01:25:48 UTC (rev 248988)
+++ trunk/JSTests/ChangeLog	2019-08-22 01:42:22 UTC (rev 248989)
@@ -1,3 +1,14 @@
+2019-08-21  Mark Lam  <mark....@apple.com>
+
+        Wasm::FunctionParser is failing to enforce maxFunctionLocals.
+        https://bugs.webkit.org/show_bug.cgi?id=201016
+        <rdar://problem/54579911>
+
+        Reviewed by Yusuke Suzuki.
+
+        * wasm/stress/too-many-locals.js: Added.
+        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.catch):
+
 2019-08-21  Ross Kirsling  <ross.kirsl...@sony.com>
 
         JSTests/stress/optional-chaining should not call shouldThrowTypeError in a loop

Added: trunk/JSTests/wasm/stress/too-many-locals.js (0 => 248989)


--- trunk/JSTests/wasm/stress/too-many-locals.js	                        (rev 0)
+++ trunk/JSTests/wasm/stress/too-many-locals.js	2019-08-22 01:42:22 UTC (rev 248989)
@@ -0,0 +1,33 @@
+import Builder from '../Builder.js'
+import * as assert from '../assert.js'
+
+{
+    const b = new Builder();
+    const locals = [];
+    const maxFunctionLocals = 50000;
+    const numLocals = maxFunctionLocals;
+    for (let i = 0; i < numLocals; ++i)
+        locals[i] = "i32";
+    let cont = b
+        .Type().End()
+        .Function().End()
+        .Export()
+            .Function("loop")
+        .End()
+        .Code()
+            .Function("loop", { params: ["i32"], ret: "i32" }, locals)
+                .I32Const(1)
+                .Return()
+            .End()
+        .End()
+
+    const bin = b.WebAssembly().get();
+    var exception;
+    try {
+        const module = new WebAssembly.Module(bin);
+    } catch (e) {
+        exception = "" + e;
+    }
+
+    assert.eq(exception, "Error: WebAssembly.Module doesn't parse at byte 100002: Function's number of locals is too big 50001 maximum 50000, in function at index 0 (evaluating 'new WebAssembly.Module(bin)')");
+}
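Review bot: The regression test covers only a single local group at exactly `maxFunctionLocals + 1` (50000 `i32` locals plus the one `i32` param), whereas the defect described in the commit message was per-group checking that let several groups, each under the limit, sum far beyond it; nothing in this file fails if a per-group check is ever reinstated. A second case with two or more groups whose combined count exceeds 50000 would pin the accumulation — if `Builder` coalesces consecutive same-typed locals into one group (not visible here), alternating types such as `locals[i] = (i % 2) ? "i32" : "f32"` should yield multiple groups. The `const module` binding on the `new WebAssembly.Module(bin)` line is never read and can be dropped. The assertion also pins the exact byte offset `100002`, which breaks on any unrelated change to the Builder's encoding; matching the `Function's number of locals is too big 50001 maximum 50000` fragment would be more robust.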

Modified: trunk/Source/_javascript_Core/ChangeLog (248988 => 248989)


--- trunk/Source/_javascript_Core/ChangeLog	2019-08-22 01:25:48 UTC (rev 248988)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-08-22 01:42:22 UTC (rev 248989)
@@ -1,3 +1,21 @@
+2019-08-21  Mark Lam  <mark....@apple.com>
+
+        Wasm::FunctionParser is failing to enforce maxFunctionLocals.
+        https://bugs.webkit.org/show_bug.cgi?id=201016
+        <rdar://problem/54579911>
+
+        Reviewed by Yusuke Suzuki.
+
+        Currently, Wasm::FunctionParser is allowing
+
+            maxFunctionParams + maxFunctionLocals * maxFunctionLocals
+
+        ... locals, which is 0x9502FCE8.  It should be enforcing max locals of
+        maxFunctionLocals instead.
+
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parse):
+
 2019-08-21  Michael Saboff  <msab...@apple.com>
 
         [JSC] incorrent JIT lead to StackOverflow

Modified: trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h (248988 => 248989)


--- trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h	2019-08-22 01:25:48 UTC (rev 248988)
+++ trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h	2019-08-22 01:42:22 UTC (rev 248989)
@@ -115,18 +115,19 @@
 template<typename Context>
 auto FunctionParser<Context>::parse() -> Result
 {
-    uint32_t localCount;
+    uint32_t localGroupsCount;
 
     WASM_PARSER_FAIL_IF(!m_context.addArguments(m_signature), "can't add ", m_signature.argumentCount(), " arguments to Function");
-    WASM_PARSER_FAIL_IF(!parseVarUInt32(localCount), "can't get local count");
-    WASM_PARSER_FAIL_IF(localCount > maxFunctionLocals, "Function section's local count is too big ", localCount, " maximum ", maxFunctionLocals);
+    WASM_PARSER_FAIL_IF(!parseVarUInt32(localGroupsCount), "can't get local groups count");
 
-    for (uint32_t i = 0; i < localCount; ++i) {
+    uint64_t totalNumberOfLocals = m_signature.argumentCount();
+    for (uint32_t i = 0; i < localGroupsCount; ++i) {
         uint32_t numberOfLocals;
         Type typeOfLocal;
 
         WASM_PARSER_FAIL_IF(!parseVarUInt32(numberOfLocals), "can't get Function's number of locals in group ", i);
-        WASM_PARSER_FAIL_IF(numberOfLocals > maxFunctionLocals, "Function section's ", i, "th local group count is too big ", numberOfLocals, " maximum ", maxFunctionLocals);
+        totalNumberOfLocals += numberOfLocals;
+        WASM_PARSER_FAIL_IF(totalNumberOfLocals > maxFunctionLocals, "Function's number of locals is too big ", totalNumberOfLocals, " maximum ", maxFunctionLocals);
         WASM_PARSER_FAIL_IF(!parseValueType(typeOfLocal), "can't get Function local's type in group ", i);
         WASM_TRY_ADD_TO_CONTEXT(addLocal(typeOfLocal, numberOfLocals));
     }
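Review bot: Dropping the old `localCount > maxFunctionLocals` check leaves `localGroupsCount` unbounded, and the new running total only rejects groups that contribute locals, so a function body can declare up to 2^32-1 zero-count local groups — each costing a `parseVarUInt32`, a `parseValueType` and an `addLocal(type, 0)` call — before anything fails, limited only by module size. Whether that is a meaningful resource-exhaustion vector depends on what `addLocal` does per call, which is outside this hunk, but a cheap guard right after the varuint32 read restores the bound the previous code had without rejecting any module that validated before, since more than maxFunctionLocals non-empty groups already exceed the total: `WASM_PARSER_FAIL_IF(localGroupsCount > maxFunctionLocals, "Function's local groups count is too big ", localGroupsCount, " maximum ", maxFunctionLocals);`. The `uint64_t` accumulator is the right choice here — `argumentCount()` plus a 32-bit `numberOfLocals` could wrap a 32-bit sum back under the limit. `parse()` continues past the end of the hunk.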