Changeset 265065 in webkit


Timestamp:
Jul 29, 2020 4:15:09 PM (4 years ago)
Author:
Tadeu Zagallo
Message:

WebAssembly validation for call_indirect is incorrect
https://bugs.webkit.org/show_bug.cgi?id=214901
<rdar://problem/65189677>

Reviewed by Saam Barati.

JSTests:

  • wasm/stress/validate-call_indirect.js: Added.

(try.main):
(catch):

Source/JavaScriptCore:

There was an incorrect condition when validating call_indirect's arguments, which often resulted in skipping this validation.

  • wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parseExpression):

Location:
trunk
Files:
1 added
3 edited

  • trunk/JSTests/ChangeLog

    r265036 r265065  
     12020-07-29  Tadeu Zagallo  <tzagallo@apple.com>
     2
     3        WebAssembly validation for call_indirect is incorrect
     4        https://bugs.webkit.org/show_bug.cgi?id=214901
     5        <rdar://problem/65189677>
     6
     7        Reviewed by Saam Barati.
     8
     9        * wasm/stress/validate-call_indirect.js: Added.
     10        (try.main):
     11        (catch):
     12
    1132020-07-29  Paulo Matos  <pmatos@igalia.com>
    214
  • trunk/Source/JavaScriptCore/ChangeLog

    r265045 r265065  
     12020-07-29  Tadeu Zagallo  <tzagallo@apple.com>
     2
     3        WebAssembly validation for call_indirect is incorrect
     4        https://bugs.webkit.org/show_bug.cgi?id=214901
     5        <rdar://problem/65189677>
     6
     7        Reviewed by Saam Barati.
     8
     9        There was an incorrect condition when validating call_indirect's arguments, which often resulted in skipping this validation.
     10
     11        * wasm/WasmFunctionParser.h:
     12        (JSC::Wasm::FunctionParser<Context>::parseExpression):
     13
    1142020-07-29  Mark Lam  <mark.lam@apple.com>
    215
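Review bot: the entry on line 9 says the condition was incorrect but not how, and for a validation fix the root cause is worth recording in the ChangeLog: the loop's absolute expression-stack index `i` was compared against `calleeSignature.argumentCount()`, a count relative to `firstArgumentIndex`, so whenever values sat on the stack below the arguments the argument type check was skipped; the new bound instead runs over every entry above `firstArgumentIndex` except the trailing one, the i32 table index operand that is not an argument. One sentence to that effect would let a reader understand the fix without opening WasmFunctionParser.h.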
  • trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

    r254500 r265065  
    637637        for (size_t i = firstArgumentIndex; i < m_expressionStack.size(); ++i) {
    638638            TypedExpression arg = m_expressionStack.at(i);
    639             if (i < calleeSignature.argumentCount())
     639            if (i < m_expressionStack.size() - 1)
    640640                WASM_VALIDATOR_FAIL_IF(!isSubtype(arg.type(), calleeSignature.argument(i - firstArgumentIndex)), "argument type mismatch in call_indirect, got ", arg.type(), ", expected ", calleeSignature.argument(i - firstArgumentIndex));
    641641            args.uncheckedAppend(arg);
     
    643643        }
    644644        m_expressionStack.shrink(firstArgumentIndex);
    645 
    646 
    647645
    648646        ResultList results;
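Review bot: the new bound `i < m_expressionStack.size() - 1` on line 639 is only safe if the stack holds exactly `calleeSignature.argumentCount()` entries above `firstArgumentIndex` followed by a single trailing entry (the i32 table index that call_indirect pops last); that arity check is not part of this hunk, and if it is ever missing or reordered, `calleeSignature.argument(i - firstArgumentIndex)` on line 640 indexes past the end of the signature. The old condition compared the absolute stack index `i` with the relative count, so any call with `firstArgumentIndex > 0` skipped some or all argument checks, which matches the "often skipped" description, but the replacement now ties correctness to an invariant established elsewhere. Consider bounding the loop by the quantity it actually indexes with, e.g. `if (i - firstArgumentIndex < calleeSignature.argumentCount())`, plus a short comment that the last stack entry is the table index rather than an argument, so the loop documents and enforces its own precondition; under the arity invariant the two forms are equivalent. Dropping the two blank lines at 645-646 is unrelated whitespace cleanup and fine.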