Changeset 227994 in webkit
- Timestamp:
- Feb 1, 2018 8:30:37 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 7 edited
trunk/JSTests/ChangeLog
r227898 r227994 1 2018-02-01 Keith Miller <keith_miller@apple.com> 2 3 Fix crashes due to mishandling custom sections. 4 https://bugs.webkit.org/show_bug.cgi?id=182404 5 <rdar://problem/36935863> 6 7 Reviewed by Saam Barati. 8 9 * wasm/Builder.js: 10 (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section): 11 * wasm/js-api/validate.js: 12 (assert.truthy): 13 1 14 2018-01-31 Saam Barati <sbarati@apple.com> 2 15 -
trunk/JSTests/wasm/Builder.js
r216598 r227994 576 576 case "Element": 577 577 this[section] = function(...args) { 578 if (args.length !== 0 )578 if (args.length !== 0 && this._checked) 579 579 throw new Error("You're doing it wrong. This element does not take arguments. You must chain the call with another Element()"); 580 580 -
trunk/JSTests/wasm/js-api/validate.js
r214601 r227994 30 30 assert.truthy(WebAssembly.validate(builder.WebAssembly().get())); 31 31 } 32 33 { 34 const builder = (new Builder()); 35 builder.setChecked(false); 36 37 builder.Type().End() 38 .Import().Memory("imp", "memory", {initial: 20}).End() 39 .Unknown("test").End() 40 .Import().Memory("imp", "memory", {initial: 20}).End() 41 .Function().End() 42 .Export().End() 43 .Code() 44 .End(); 45 46 assert.falsy(WebAssembly.validate(builder.WebAssembly().get())); 47 } -
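Review bot: The new block pins only the "known section repeated after a custom section" case — duplicate `Import` sections with `.Unknown("test")` between them — while the JavaScriptCore ChangeLog in this changeset also says unknown section ids (non-zero ids outside the known list) are now rejected, and nothing here asserts that. If the Builder can emit a raw section byte outside the known range, a second block asserting `assert.falsy(WebAssembly.validate(...))` for such a module would cover that path; if it cannot, that gap is worth a comment. A one-line comment naming what this block guards, e.g. `// A custom section must not reset the required ordering of known sections.`, would also make the intent of `setChecked(false)` clear, since it is presumably what lets the duplicate `Import()` past the Builder's own checks.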
trunk/Source/JavaScriptCore/ChangeLog
r227970 r227994 1 2018-02-01 Keith Miller <keith_miller@apple.com> 2 3 Fix crashes due to mishandling custom sections. 4 https://bugs.webkit.org/show_bug.cgi?id=182404 5 <rdar://problem/36935863> 6 7 Reviewed by Saam Barati. 8 9 This also cleans up some of our validation code. We also 10 mistakenly, allowed unknown (different from custom sections with 11 id: 0) section ids. 12 13 * wasm/WasmModuleParser.cpp: 14 (JSC::Wasm::ModuleParser::parse): 15 * wasm/WasmModuleParser.h: 16 * wasm/WasmSections.h: 17 (JSC::Wasm::isKnownSection): 18 (JSC::Wasm::decodeSection): 19 (JSC::Wasm::validateOrder): 20 (JSC::Wasm::makeString): 21 (JSC::Wasm::isValidSection): Deleted. 22 1 23 2018-02-01 Michael Catanzaro <mcatanzaro@igalia.com> 2 24 -
trunk/Source/JavaScriptCore/wasm/WasmModuleParser.cpp
r225499 r227994 56 56 WASM_PARSER_FAIL_IF(versionNumber != expectedVersionNumber, "unexpected version number ", versionNumber, " expected ", expectedVersionNumber); 57 57 58 Section previousSection = Section::Custom; 58 // This is not really a known section. 59 Section previousKnownSection = Section::Begin; 59 60 while (m_offset < length()) { 60 61 uint8_t sectionByte; … … 63 64 64 65 Section section = Section::Custom; 65 if (sectionByte) { 66 if (isValidSection(sectionByte)) 67 section = static_cast<Section>(sectionByte); 68 } 66 WASM_PARSER_FAIL_IF(!decodeSection(sectionByte, section)); 67 ASSERT(section != Section::Begin); 69 68 70 69 uint32_t sectionLength; 71 WASM_PARSER_FAIL_IF(!validateOrder(previous Section, section), "invalid section order, ", previousSection, " followed by ", section);70 WASM_PARSER_FAIL_IF(!validateOrder(previousKnownSection, section), "invalid section order, ", previousKnownSection, " followed by ", section); 72 71 WASM_PARSER_FAIL_IF(!parseVarUInt32(sectionLength), "can't get ", section, " section's length"); 73 72 WASM_PARSER_FAIL_IF(sectionLength > length() - m_offset, section, "section of size ", sectionLength, " would overflow Module's size"); … … 81 80 break; \ 82 81 } 83 FOR_EACH_ WASM_SECTION(WASM_SECTION_PARSE)82 FOR_EACH_KNOWN_WASM_SECTION(WASM_SECTION_PARSE) 84 83 #undef WASM_SECTION_PARSE 85 84 … … 88 87 break; 89 88 } 89 90 case Section::Begin: { 91 RELEASE_ASSERT_NOT_REACHED(); 92 break; 93 } 90 94 } 91 95 92 96 WASM_PARSER_FAIL_IF(end != m_offset, "parsing ended before the end of ", section, " section"); 93 97 94 previousSection = section; 98 99 if (isKnownSection(section)) 100 previousKnownSection = section; 95 101 } 96 102 -
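Review bot: The added `WASM_PARSER_FAIL_IF(!decodeSection(sectionByte, section));` is the only failure check in this hunk that carries no message, so a module with an unknown section id — precisely the input this changeset starts rejecting — fails with an empty reason while every neighbouring check names what went wrong and which section it was in. Passing the offending byte keeps the diagnostic consistent with the rest of parse(): `WASM_PARSER_FAIL_IF(!decodeSection(sectionByte, section), "unknown section id ", static_cast<unsigned>(sectionByte));` (the cast avoids the byte being formatted as a character, if the message builder treats `uint8_t` that way). Since `previousKnownSection` is now only advanced on known sections, a custom section can no longer reset the ordering check, which is what the companion validate.js test relies on; a short comment at `if (isKnownSection(section))` saying `// Custom sections never advance the order check, so a known section cannot be repeated behind one.` would record that. The body of ModuleParser::parse continues outside this hunk.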
trunk/Source/JavaScriptCore/wasm/WasmModuleParser.h
r218216 r227994 49 49 50 50 #define WASM_SECTION_DECLARE_PARSER(NAME, ID, DESCRIPTION) PartialResult WARN_UNUSED_RETURN parse ## NAME(); 51 FOR_EACH_ WASM_SECTION(WASM_SECTION_DECLARE_PARSER)51 FOR_EACH_KNOWN_WASM_SECTION(WASM_SECTION_DECLARE_PARSER) 52 52 #undef WASM_SECTION_DECLARE_PARSER 53 53 -
trunk/Source/JavaScriptCore/wasm/WasmSections.h
r214942 r227994 35 35 namespace JSC { namespace Wasm { 36 36 37 #define FOR_EACH_ WASM_SECTION(macro) \37 #define FOR_EACH_KNOWN_WASM_SECTION(macro) \ 38 38 macro(Type, 1, "Function signature declarations") \ 39 39 macro(Import, 2, "Import declarations") \ … … 49 49 50 50 enum class Section : uint8_t { 51 // It's important that Begin is less than every other section number and that Custom is greater. 52 // This only works because section numbers are currently monotonically increasing. 53 // Also, Begin is not a real section but is used as a marker for validating the ordering 54 // of sections. 55 Begin = 0, 51 56 #define DEFINE_WASM_SECTION_ENUM(NAME, ID, DESCRIPTION) NAME = ID, 52 FOR_EACH_ WASM_SECTION(DEFINE_WASM_SECTION_ENUM)57 FOR_EACH_KNOWN_WASM_SECTION(DEFINE_WASM_SECTION_ENUM) 53 58 #undef DEFINE_WASM_SECTION_ENUM 54 59 Custom 55 60 }; 61 static_assert(static_cast<uint8_t>(Section::Begin) < static_cast<uint8_t>(Section::Type), "Begin should come before the first known section."); 56 62 57 63 template<typename Int> 58 static inline bool isValidSection(Int section)64 inline bool isKnownSection(Int section) 59 65 { 60 66 switch (section) { 61 67 #define VALIDATE_SECTION(NAME, ID, DESCRIPTION) case static_cast<Int>(Section::NAME): return true; 62 FOR_EACH_ WASM_SECTION(VALIDATE_SECTION)68 FOR_EACH_KNOWN_WASM_SECTION(VALIDATE_SECTION) 63 69 #undef VALIDATE_SECTION 64 70 default: … … 67 73 } 68 74 69 static inline bool validateOrder(Section previous, Section next)75 inline bool decodeSection(uint8_t sectionByte, Section& section) 70 76 { 71 if (previous == Section::Custom) 77 section = Section::Custom; 78 if (!sectionByte) 72 79 return true; 73 return static_cast<uint8_t>(previous) < static_cast<uint8_t>(next); 80 81 if (!isKnownSection(sectionByte)) 82 return false; 83 84 section = static_cast<Section>(sectionByte); 85 return true; 74 86 } 75 87 76 static inline const char* makeString(Section section) 88 inline bool validateOrder(Section previousKnown, Section 
next) 89 { 90 ASSERT(isKnownSection(previousKnown) || previousKnown == Section::Begin); 91 return static_cast<uint8_t>(previousKnown) < static_cast<uint8_t>(next); 92 } 93 94 inline const char* makeString(Section section) 77 95 { 78 96 switch (section) { 97 case Section::Begin: 98 return "Begin"; 79 99 case Section::Custom: 80 100 return "Custom"; 81 101 #define STRINGIFY_SECTION_NAME(NAME, ID, DESCRIPTION) case Section::NAME: return #NAME; 82 FOR_EACH_ WASM_SECTION(STRINGIFY_SECTION_NAME)102 FOR_EACH_KNOWN_WASM_SECTION(STRINGIFY_SECTION_NAME) 83 103 #undef STRINGIFY_SECTION_NAME 84 104 }
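Review bot: The new enum comment states that `Custom` must compare greater than every known section, and `validateOrder` depends on it — a custom section passes only because `static_cast<uint8_t>(previousKnown) < static_cast<uint8_t>(Section::Custom)` holds for every known `previousKnown` — yet the added static_assert pins only the `Begin` end of that invariant. A second assertion against the final entry of FOR_EACH_KNOWN_WASM_SECTION (its tail is outside this view, so the member is not named here) would make the other half explicit: `static_assert(static_cast<uint8_t>(Section::Custom) > static_cast<uint8_t>(Section::LAST_KNOWN), "Custom should come after the last known section.");` with `LAST_KNOWN` standing for that last list entry. `decodeSection` also deserves a one-line contract comment, since it resets `section` to `Custom` before either early return while the caller in WasmModuleParser.cpp pre-initializes it to `Custom` as well, e.g. `// Always writes |section|: id 0 and unknown ids both yield Custom; returns false only for unknown ids.`. makeString's body runs past the end of this hunk.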