Changeset 220894 in webkit

Timestamp:

Aug 17, 2017 6:04:00 PM (7 years ago)

Author:

jfbastien@apple.com

Message:

WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
​https://bugs.webkit.org/show_bug.cgi?id=175693
<rdar://problem/33952443>

Reviewed by Saam Barati.

JSTests:

Add a regression directory for WebAssembly tests.

• wasm.yaml:
• wasm/regress/175693.js: Added.

(else.else):
(instance.new.WebAssembly.Instance.new.WebAssembly.Module):
(catch):

• wasm/regress/175693.wasm: Added.

Source/JavaScriptCore:

64-bit constants in an unreachable context were being decoded as
32-bit constants. This is pretty benign because unreachable code
shouldn't occur often. The effect is that 64-bit constants which
can't be encoded as 32-bit constants would cause the binary to be
rejected.

At the same time, 32-bit integer constants should be decoded as signed.

• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm.yaml (modified) (1 diff)
• JSTests/wasm/regress (added)
• JSTests/wasm/regress/175693.js (added)
• JSTests/wasm/regress/175693.wasm (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmFunctionParser.h (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-08-17  JF Bastien  <jfbastien@apple.com>
+
+        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
+        https://bugs.webkit.org/show_bug.cgi?id=175693
+        <rdar://problem/33952443>
+
+        Reviewed by Saam Barati.
+
+        Add a regression directory for WebAssembly tests.
+
+        * wasm.yaml:
+        * wasm/regress/175693.js: Added.
+        (else.else):
+        (instance.new.WebAssembly.Instance.new.WebAssembly.Module):
+        (catch):
+        * wasm/regress/175693.wasm: Added.
+
 2017-08-15  Robin Morisset  <rmorisset@apple.com>
 

trunk/JSTests/wasm.yaml

@@ -36 +36 @@
 - path: wasm/lowExecutableMemory
   cmd: runWebAssemblyLowExecutableMemory unless parseRunCommands
+- path: wasm/regress/
+  cmd: runWebAssembly unless parseRunCommands
 
 - path: wasm/spec-tests/address.wast.js

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-08-17  JF Bastien  <jfbastien@apple.com>
+
+        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
+        https://bugs.webkit.org/show_bug.cgi?id=175693
+        <rdar://problem/33952443>
+
+        Reviewed by Saam Barati.
+
+        64-bit constants in an unreachable context were being decoded as
+        32-bit constants. This is pretty benign because unreachable code
+        shouldn't occur often. The effect is that 64-bit constants which
+        can't be encoded as 32-bit constants would cause the binary to be
+        rejected.
+
+        At the same time, 32-bit integer constants should be decoded as signed.
+
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+
 2017-08-17  Robin Morisset  <rmorisset@apple.com>
 

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -605 +605 @@
 
     // one immediate cases
-    case I32Const:
-    case I64Const:
     case SetLocal:
     case GetLocal:
@@ -620 +618 @@
     }
 
+    case I32Const: {
+        int32_t unused;
+        WASM_PARSER_FAIL_IF(!parseVarInt32(unused), "can't get immediate for ", m_currentOpcode, " in unreachable context");
+        return { };
+    }
+
+    case I64Const: {
+        int64_t unused;
+        WASM_PARSER_FAIL_IF(!parseVarInt64(unused), "can't get immediate for ", m_currentOpcode, " in unreachable context");
+        return { };
+    }
+
     case GrowMemory:
     case CurrentMemory: {