Title: [253303] trunk
Revision
253303
Author
tzaga...@apple.com
Date
2019-12-09 15:23:51 -0800 (Mon, 09 Dec 2019)

Log Message

REGRESSION(r253140): WebAssembly validation should check for unmatched else before calling addElse/addElseToUnreachable
https://bugs.webkit.org/show_bug.cgi?id=205022
<rdar://problem/57748159>

Reviewed by Saam Barati.

JSTests:

* wasm/regress/unmatched-else.js: Added.
(catch):

Source/_javascript_Core:

When moving the validation code into the parser in r253140, I missed the validation check of whether
an if block was at the top of the control stack before calling addElse/addElseToUnreachable.

* wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

Diff

Modified: trunk/JSTests/ChangeLog (253302 => 253303)


--- trunk/JSTests/ChangeLog	2019-12-09 22:53:28 UTC (rev 253302)
+++ trunk/JSTests/ChangeLog	2019-12-09 23:23:51 UTC (rev 253303)
@@ -1,3 +1,14 @@
+2019-12-09  Tadeu Zagallo  <tzaga...@apple.com>
+
+        REGRESSION(r253140): WebAssembly validation should check for unmatched else before calling addElse/addElseToUnreachable
+        https://bugs.webkit.org/show_bug.cgi?id=205022
+        <rdar://problem/57748159>
+
+        Reviewed by Saam Barati.
+
+        * wasm/regress/unmatched-else.js: Added.
+        (catch):
+
 2019-12-08  Tadeu Zagallo  <tzaga...@apple.com>
 
         [WebAssembly] Fix LLIntGenerator's checkConsistency contract

Added: trunk/JSTests/wasm/regress/unmatched-else.js (0 => 253303)


--- trunk/JSTests/wasm/regress/unmatched-else.js	                        (rev 0)
+++ trunk/JSTests/wasm/regress/unmatched-else.js	2019-12-09 23:23:51 UTC (rev 253303)
@@ -0,0 +1,7 @@
+try {
+    new WebAssembly.Module(new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 7, 1, 96, 3, 127, 127, 127, 0, 2, 12, 1, 2, 106, 115, 3, 109, 101, 109, 2, 1, 1, 1, 3, 2, 1, 0, 6, 1, 0, 7, 13, 1, 9, 100, 111, 95, 109, 101, 109, 99, 112, 121, 0, 0, 10, 57, 1, 55, 1, 1, 127, 65, 0, 33, 3, 3, 64, 2, 64, 32, 2, 32, 3, 70, 13, 0, 5, 1, 65, 4, 108, 32, 3, 65, 4, 108, 106, 32, 0, 32, 3, 65, 4, 108, 106, 40, 0, 0, 54, 0, 0, 32, 3, 65, 1, 0, 0, 0, 0, 0, 0, 0, 0 ]));
+    throw new Error('Module should have failed validation');
+} catch (err) {
+    if (err.message != "WebAssembly.Module doesn't validate: else block isn't associated to an if, in function at index 0 (evaluating 'new WebAssembly.Module')")
+        throw err;
+}
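Review bot: the test compares `err.message` against the full validator string, including the trailing "(evaluating 'new WebAssembly.Module')" suffix that the JS engine appends, so any wording change in either part will make this regression test rethrow and fail for the wrong reason. Consider asserting on the validator's own substring, e.g. `err.message.includes("else block isn't associated to an if")`, and additionally checking `err instanceof WebAssembly.CompileError` so a non-validation failure is still reported.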

Modified: trunk/Source/_javascript_Core/ChangeLog (253302 => 253303)


--- trunk/Source/_javascript_Core/ChangeLog	2019-12-09 22:53:28 UTC (rev 253302)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-12-09 23:23:51 UTC (rev 253303)
@@ -1,3 +1,18 @@
+2019-12-09  Tadeu Zagallo  <tzaga...@apple.com>
+
+        REGRESSION(r253140): WebAssembly validation should check for unmatched else before calling addElse/addElseToUnreachable
+        https://bugs.webkit.org/show_bug.cgi?id=205022
+        <rdar://problem/57748159>
+
+        Reviewed by Saam Barati.
+
+        When moving the validation code into the parser in r253140, I missed the validation check of whether
+        an if block was at the top of the control stack before calling addElse/addElseToUnreachable.
+
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+
 2019-12-09  Mark Lam  <mark....@apple.com>
 
         GetByIdVariant::dumpInContext() should not ref UniqueStringImpls.

Modified: trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h (253302 => 253303)


--- trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h	2019-12-09 22:53:28 UTC (rev 253302)
+++ trunk/Source/_javascript_Core/wasm/WasmFunctionParser.h	2019-12-09 23:23:51 UTC (rev 253303)
@@ -729,8 +729,8 @@
 
         ControlEntry& controlEntry = m_controlStack.last();
 
+        WASM_VALIDATOR_FAIL_IF(!ControlType::isIf(controlEntry.controlData), "else block isn't associated to an if");
         WASM_FAIL_IF_HELPER_FAILS(unify(controlEntry.controlData));
-
         WASM_TRY_ADD_TO_CONTEXT(addElse(controlEntry.controlData, m_expressionStack));
         m_expressionStack = WTFMove(controlEntry.elseBlockStack);
         return { };
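Review bot: the new `WASM_VALIDATOR_FAIL_IF` is placed before `unify(controlEntry.controlData)` and `addElse(...)`, which is the right order, since both of those assume the top control entry is an `if`; note that the message "else block isn't associated to an if" is the exact string asserted by `wasm/regress/unmatched-else.js`, so the two must be kept in sync if the wording ever changes. The blank line removed at `-` after the `unify` call is an unrelated whitespace change in an otherwise one-line fix.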
@@ -884,6 +884,7 @@
 
         ControlEntry& data = ""
         m_unreachableBlocks = 0;
+        WASM_VALIDATOR_FAIL_IF(!ControlType::isIf(data.controlData), "else block isn't associated to an if");
         WASM_TRY_ADD_TO_CONTEXT(addElseToUnreachable(data.controlData));
         m_expressionStack = WTFMove(data.elseBlockStack);
         return { };
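Review bot: this unreachable-code path (`addElseToUnreachable`) does not appear to be covered by the added regression test: in `unmatched-else.js` the `else` opcode (`5`) follows `br_if 0` (`13, 0`) inside a `block`, so the parser is still in reachable code and takes the `parseExpression` path fixed in the previous hunk. Consider a second test case with `else` after an unconditional `br` or `unreachable` outside any `if`, so that this check is exercised too. Also, the context line `ControlEntry& data = ""` is not valid C++ and looks like a rendering artifact of this listing; confirm the actual line reads `m_controlStack.last()` as in the first hunk.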
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes