Changeset 209955 in webkit


Timestamp:
Dec 16, 2016 7:19:48 PM (7 years ago)
Author:
sbarati@apple.com
Message:

WebAssembly: We still have some incorrect parsing productions inside unreachable code
https://bugs.webkit.org/show_bug.cgi?id=165981

Reviewed by Keith Miller.

This hardens our parsing for CallIndirect and Loop/Block/If to be exactly like their reachable variant.

It also fixes a more nefarious bug in which we were decoding an extra varuint32
for Br/BrIf inside unreachable code.

  • wasm/WasmFunctionParser.h:
Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r209954 r209955  
     12016-12-16  Saam Barati  <sbarati@apple.com>
     2
     3        WebAssembly: We still have some incorrect parsing productions inside unreachable code
     4        https://bugs.webkit.org/show_bug.cgi?id=165981
     5
     6        Reviewed by Keith Miller.
     7
     8        This hardens our parsing for CallIndirect and Loop/Block/If to be exactly like their reachable variant.
     9       
     10        It also fixes a more nefarious bug in which we were decoding an extra varuint32
     11        for Br/BrIf inside unreachable code.
     12
     13        * wasm/WasmFunctionParser.h:
     14
    1152016-12-16  Filip Pizlo  <fpizlo@apple.com>
    216
  • trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

    r209934 r209955  
    528528    case Block: {
    529529        m_unreachableBlocks++;
    530         int8_t unused;
    531         WASM_PARSER_FAIL_IF(!parseInt7(unused), "can't get inline type for ", op, " in unreachable context");
     530        Type unused;
     531        WASM_PARSER_FAIL_IF(!parseResultType(unused), "can't get inline type for ", op, " in unreachable context");
    532532        return { };
    533533    }
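Review bot: only `case Block:` is visible in this hunk although the ChangeLog says Loop/Block/If are all hardened; if `Loop` and `If` fall through into this label, a one-line comment above `case Block:` saying so would make that explicit, since the fall-through is outside the shown context. Replacing `parseInt7` into an `int8_t` with `parseResultType` into a `Type` is the right change here: the unreachable path now applies the same inline-type validation as the reachable variant instead of accepting any int7 value.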
     
    546546    }
    547547
     548    case CallIndirect: {
     549        uint32_t unused;
     550        uint8_t unused2;
     551        WASM_PARSER_FAIL_IF(!parseVarUInt32(unused), "can't get call_indirect's signature index in unreachable context");
     552        WASM_PARSER_FAIL_IF(!parseVarUInt1(unused2), "can't get call_indirect's reserved byte in unreachable context");
     553        return { };
     554    }
    548555
    549556    // two immediate cases
    550557    FOR_EACH_WASM_MEMORY_LOAD_OP(CREATE_CASE)
    551     FOR_EACH_WASM_MEMORY_STORE_OP(CREATE_CASE)
    552     case Br:
    553     case BrIf:
    554     case CallIndirect: {
     558    FOR_EACH_WASM_MEMORY_STORE_OP(CREATE_CASE) {
    555559        uint32_t unused;
    556560        WASM_PARSER_FAIL_IF(!parseVarUInt32(unused), "can't get first immediate for ", op, " in unreachable context");
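Review bot: the new `CallIndirect` case parses the reserved byte with `parseVarUInt1` into `unused2` but never checks its value; if the reachable `call_indirect` path rejects a non-zero reserved byte, this case should do the same, otherwise a body that fails validation in live code would pass when the same instruction sits in dead code, which contradicts the "exactly like their reachable variant" goal. Dropping `Br`, `BrIf` and `CallIndirect` from the `// two immediate cases` group is correct, since that group consumed a second varuint32 for branches; the comment now describes only the memory load/store ops, which is accurate.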
     
    569573    case GetGlobal:
    570574    case SetGlobal:
     575    case Br:
     576    case BrIf:
    571577    case Call: {
    572578        uint32_t unused;
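Review bot: no test accompanies this fix: the changeset touches only the ChangeLog and `WasmFunctionParser.h` (Files: 2 edited), so nothing exercises a `br`/`br_if` placed after an unconditional branch, which is exactly the path that previously consumed the extra varuint32; a regression test with such a dead-code body belongs with this change. A short comment on this group noting that `Br`/`BrIf` carry a single relative-depth varuint32, like `Call`'s function index, would also help readers see why they no longer sit with the load/store ops.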