Changeset 269998 in webkit

Timestamp:

Nov 18, 2020 3:50:34 PM (3 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] Improve Wasm binary test coverage
​https://bugs.webkit.org/show_bug.cgi?id=204843

Reviewed by Darin Adler.

JSTests:

• wasm/function-tests/grow-memory.js:

(binaryShouldNotParse):

• wasm/spec-tests/binary-leb128.wast.js:
• wasm/spec-tests/binary.wast.js:
• wasm/wasm.json:

Source/JavaScriptCore:

This patch fixes some of bugs in wasm parser so that we validate malformed wasm modules more strictly.

1. current_memory / grow_memory should have uint8 flag, not varuint32 flag.
2. global section should have uint8 mutability information, not varuint32.
3. memory section should have varuint32 memory count.

• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

• wasm/WasmSectionParser.cpp:

(JSC::Wasm::SectionParser::parseResizableLimits):
(JSC::Wasm::SectionParser::parseMemory):
(JSC::Wasm::SectionParser::parseGlobalType):

• wasm/wasm.json:

Source/WTF:

LEBDecoder should have more strict validation. One thing is that, we should reject pattern that includes ignored bits.
For example, in uint32_t, we can represent UINT32_MAX in 5 bytes like this.

0xff, 0xff, 0xff, 0xff, 0x0f
0b1111111_1111111_1111111_1111111_1111

Leading bytes has 0x80 trailing marker. And they includes each 7 bit slice. And the last byte includes 0b1111 part.
But we can also make it in the following form

0xff, 0xff, 0xff, 0xff, 0xff
0b1111111_1111111_1111111_1111111_1111

In the above case, the last byte's upper 4 bits are ignored in the result, and this is wrong in LEB128 encoding.
We should reject this input since the last byte includes overflown bits.
This patch adds this validation to WTF.

• wtf/LEBDecoder.h:

(WTF::LEBDecoder::maxByteLength):
(WTF::LEBDecoder::lastByteMask):
(WTF::LEBDecoder::decodeUInt):
(WTF::LEBDecoder::decodeInt):

Tools:

We add more tests for LEBDecoder. In particular, the added tests focus on the case which overflow bits.

• TestWebKitAPI/Tests/WTF/LEBDecoder.cpp:

(TestWebKitAPI::toString):
(TestWebKitAPI::testUInt32LEBDecode):
(TestWebKitAPI::TEST):
(TestWebKitAPI::testUInt64LEBDecode):
(TestWebKitAPI::testInt32LEBDecode):
(TestWebKitAPI::testInt64LEBDecode):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm/Builder_WebAssemblyBinary.js (modified) (2 diffs)
• JSTests/wasm/function-tests/grow-memory.js (modified) (2 diffs)
• JSTests/wasm/spec-tests/binary-leb128.wast.js (modified) (3 diffs)
• JSTests/wasm/spec-tests/binary.wast.js (modified) (7 diffs)
• JSTests/wasm/wasm.json (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmFunctionParser.h (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmSectionParser.cpp (modified) (4 diffs)
• Source/JavaScriptCore/wasm/wasm.json (modified) (1 diff)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/HexNumber.cpp (modified) (2 diffs)
• Source/WTF/wtf/HexNumber.h (modified) (1 diff)
• Source/WTF/wtf/LEBDecoder.h (modified) (5 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WTF/LEBDecoder.cpp (modified) (13 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-11-17  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Improve Wasm binary test coverage
+        https://bugs.webkit.org/show_bug.cgi?id=204843
+
+        Reviewed by Darin Adler.
+
+        * wasm/function-tests/grow-memory.js:
+        (binaryShouldNotParse):
+        * wasm/spec-tests/binary-leb128.wast.js:
+        * wasm/spec-tests/binary.wast.js:
+        * wasm/wasm.json:
+
 2020-11-18  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/JSTests/wasm/Builder_WebAssemblyBinary.js

@@ -39 +39 @@
     }
 
-    put(bin, "varuint1", hasMaximum);
+    put(bin, "uint8", hasMaximum);
     put(bin, "varuint32", initial);
     if (hasMaximum)
@@ -56 +56 @@
 const putGlobalType = (bin, global) => {
     put(bin, valueType, WASM.typeValue[global.type]);
-    put(bin, "varuint1", global.mutability);
+    put(bin, "uint8", global.mutability);
 };
 

trunk/JSTests/wasm/function-tests/grow-memory.js

@@ -67 +67 @@
         .End();
 
-    binaryShouldNotParse(builder, "reserved varUint1 for grow_memory must be zero");
+    binaryShouldNotParse(builder, "reserved byte for grow_memory must be zero");
 }
 
@@ -84 +84 @@
         .End();
 
-    binaryShouldNotParse(builder, "reserved varUint1 for current_memory must be zero");
-}
-
-{
-    const builder = (new Builder())
-        .Type().End()
-        .Function().End()
-        .Memory().InitialMaxPages(1, 1).End()
-        .Export().End()
-        .Code()
-            .Function({ret: "void", params: []})
-                .I32Const(25)
-                .CurrentMemory(0xffffff00)
-                .Drop()
-            .End()
-        .End();
-
-    binaryShouldNotParse(builder, "can't parse reserved varUint1 for current_memory");
-}
-
-{
-    const builder = (new Builder())
-        .Type().End()
-        .Function().End()
-        .Memory().InitialMaxPages(1, 1).End()
-        .Export().End()
-        .Code()
-            .Function({ret: "void", params: []})
-                .I32Const(25)
-                .GrowMemory(0xffffff00)
-                .Drop()
-            .End()
-        .End();
-
-    binaryShouldNotParse(builder, "can't parse reserved varUint1 for grow_memory");
+    binaryShouldNotParse(builder, "reserved byte for current_memory must be zero");
+}
+
+{
+    const builder = (new Builder())
+        .Type().End()
+        .Function().End()
+        .Memory().InitialMaxPages(1, 1).End()
+        .Export().End()
+        .Code()
+            .Function({ret: "void", params: []})
+                .I32Const(25)
+                .CurrentMemory(0xff)
+                .Drop()
+            .End()
+        .End();
+
+    binaryShouldNotParse(builder, "reserved byte for current_memory must be zero");
+}
+
+{
+    const builder = (new Builder())
+        .Type().End()
+        .Function().End()
+        .Memory().InitialMaxPages(1, 1).End()
+        .Export().End()
+        .Code()
+            .Function({ret: "void", params: []})
+                .I32Const(25)
+                .GrowMemory(0xff)
+                .Drop()
+            .End()
+        .End();
+
+    binaryShouldNotParse(builder, "reserved byte for grow_memory must be zero");
 }
 

trunk/JSTests/wasm/spec-tests/binary-leb128.wast.js

@@ -16 +16 @@
 
 // binary-leb128.wast:32
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
+// This is skipped because this module becomes invalid if wasm-reference is enabled. And we are supporting it.
+// https://webassembly.github.io/reference-types/core/binary/modules.html#element-section
 // let $6 = instance("\x00\x61\x73\x6d\x01\x00\x00\x00\x04\x04\x01\x70\x00\x00\x09\x07\x01\x80\x00\x41\x00\x0b\x00");
 
@@ -147 +147 @@
 
 // binary-leb128.wast:524
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x07\x01\x00\x82\x80\x80\x80\x70");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x07\x01\x00\x82\x80\x80\x80\x70");
 
 // binary-leb128.wast:532
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x07\x01\x00\x82\x80\x80\x80\x40");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x07\x01\x00\x82\x80\x80\x80\x40");
 
 // binary-leb128.wast:540
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x09\x01\x01\x82\x00\x82\x80\x80\x80\x10");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x09\x01\x01\x82\x00\x82\x80\x80\x80\x10");
 
 // binary-leb128.wast:549
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x09\x01\x01\x82\x00\x82\x80\x80\x80\x40");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x09\x01\x01\x82\x00\x82\x80\x80\x80\x40");
 
 // binary-leb128.wast:558
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x03\x01\x00\x00\x0b\x0a\x01\x80\x80\x80\x80\x10\x41\x00\x0b\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x03\x01\x00\x00\x0b\x0a\x01\x80\x80\x80\x80\x10\x41\x00\x0b\x00");
 
 // binary-leb128.wast:569
@@ -175 +165 @@
 
 // binary-leb128.wast:580
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x00\x83\x80\x80\x80\x10\x01\x31\x32");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x00\x83\x80\x80\x80\x10\x01\x31\x32");
 
 // binary-leb128.wast:591
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x00\x09\x83\x80\x80\x80\x40\x31\x32\x33\x34");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x00\x09\x83\x80\x80\x80\x40\x31\x32\x33\x34");
 
 // binary-leb128.wast:602
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x0b\x01\x60\x82\x80\x80\x80\x10\x7f\x7e\x01\x7f");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x0b\x01\x60\x82\x80\x80\x80\x10\x7f\x7e\x01\x7f");
 
 // binary-leb128.wast:614
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x0b\x01\x60\x02\x7f\x7e\x81\x80\x80\x80\x40\x7f");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x0b\x01\x60\x02\x7f\x7e\x81\x80\x80\x80\x40\x7f");
 
 // binary-leb128.wast:626
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x05\x01\x60\x01\x7f\x00\x02\x1a\x01\x88\x80\x80\x80\x10\x73\x70\x65\x63\x74\x65\x73\x74\x09\x70\x72\x69\x6e\x74\x5f\x69\x33\x32\x00\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x05\x01\x60\x01\x7f\x00\x02\x1a\x01\x88\x80\x80\x80\x10\x73\x70\x65\x63\x74\x65\x73\x74\x09\x70\x72\x69\x6e\x74\x5f\x69\x33\x32\x00\x00");
 
 // binary-leb128.wast:641
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x05\x01\x60\x01\x7f\x00\x02\x1a\x01\x08\x73\x70\x65\x63\x74\x65\x73\x74\x89\x80\x80\x80\x40\x70\x72\x69\x6e\x74\x5f\x69\x33\x32\x00\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x05\x01\x60\x01\x7f\x00\x02\x1a\x01\x08\x73\x70\x65\x63\x74\x65\x73\x74\x89\x80\x80\x80\x40\x70\x72\x69\x6e\x74\x5f\x69\x33\x32\x00\x00");
 
 // binary-leb128.wast:656
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x05\x01\x60\x01\x7f\x00\x02\x1a\x01\x08\x73\x70\x65\x63\x74\x65\x73\x74\x09\x70\x72\x69\x6e\x74\x5f\x69\x33\x32\x00\x80\x80\x80\x80\x10");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x05\x01\x60\x01\x7f\x00\x02\x1a\x01\x08\x73\x70\x65\x63\x74\x65\x73\x74\x09\x70\x72\x69\x6e\x74\x5f\x69\x33\x32\x00\x80\x80\x80\x80\x10");
 
 // binary-leb128.wast:671
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x06\x01\x80\x80\x80\x80\x10\x0a\x04\x01\x02\x00\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x06\x01\x80\x80\x80\x80\x10\x0a\x04\x01\x02\x00\x0b");
 
 // binary-leb128.wast:684
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x07\x0a\x01\x82\x80\x80\x80\x10\x66\x31\x00\x00\x0a\x04\x01\x02\x00\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x07\x0a\x01\x82\x80\x80\x80\x10\x66\x31\x00\x00\x0a\x04\x01\x02\x00\x0b");
 
 // binary-leb128.wast:700
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x07\x0a\x01\x02\x66\x31\x00\x80\x80\x80\x80\x10\x0a\x04\x01\x02\x00\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x07\x0a\x01\x02\x66\x31\x00\x80\x80\x80\x80\x10\x0a\x04\x01\x02\x00\x0b");
 
 // binary-leb128.wast:716
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x0a\x08\x81\x80\x80\x80\x10\x02\x00\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x0a\x08\x81\x80\x80\x80\x10\x02\x00\x0b");
 
 // binary-leb128.wast:729
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x10\x01\x0e\x01\x01\x7f\x41\x00\x28\x02\x82\x80\x80\x80\x10\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x10\x01\x0e\x01\x01\x7f\x41\x00\x28\x02\x82\x80\x80\x80\x10\x1a\x0b");
 
 // binary-leb128.wast:748
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x10\x01\x0e\x01\x01\x7f\x41\x00\x28\x02\x82\x80\x80\x80\x40\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x10\x01\x0e\x01\x01\x7f\x41\x00\x28\x02\x82\x80\x80\x80\x40\x1a\x0b");
 
 // binary-leb128.wast:767
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x10\x01\x0e\x01\x01\x7f\x41\x00\x28\x82\x80\x80\x80\x10\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x10\x01\x0e\x01\x01\x7f\x41\x00\x28\x82\x80\x80\x80\x10\x00\x1a\x0b");
 
 // binary-leb128.wast:785
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x10\x01\x0e\x01\x01\x7f\x41\x00\x28\x82\x80\x80\x80\x40\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x10\x01\x0e\x01\x01\x7f\x41\x00\x28\x82\x80\x80\x80\x40\x00\x1a\x0b");
 
 // binary-leb128.wast:804
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x11\x01\x0f\x01\x01\x7f\x41\x00\x41\x03\x36\x82\x80\x80\x80\x10\x03\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x11\x01\x0f\x01\x01\x7f\x41\x00\x41\x03\x36\x82\x80\x80\x80\x10\x03\x0b");
 
 // binary-leb128.wast:823
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x11\x01\x0f\x01\x01\x7f\x41\x00\x41\x03\x36\x82\x80\x80\x80\x40\x03\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x11\x01\x0f\x01\x01\x7f\x41\x00\x41\x03\x36\x82\x80\x80\x80\x40\x03\x0b");
 
 // binary-leb128.wast:842
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x11\x01\x0f\x01\x01\x7f\x41\x00\x41\x03\x36\x02\x82\x80\x80\x80\x10\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x11\x01\x0f\x01\x01\x7f\x41\x00\x41\x03\x36\x02\x82\x80\x80\x80\x10\x0b");
 
 // binary-leb128.wast:861
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x11\x01\x0f\x01\x01\x7f\x41\x00\x41\x03\x36\x02\x82\x80\x80\x80\x40\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x0a\x11\x01\x0f\x01\x01\x7f\x41\x00\x41\x03\x36\x02\x82\x80\x80\x80\x40\x0b");
 
 // binary-leb128.wast:883
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0a\x01\x7f\x00\x41\x80\x80\x80\x80\x70\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0a\x01\x7f\x00\x41\x80\x80\x80\x80\x70\x0b");
 
 // binary-leb128.wast:893
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0a\x01\x7f\x00\x41\xff\xff\xff\xff\x0f\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0a\x01\x7f\x00\x41\xff\xff\xff\xff\x0f\x0b");
 
 // binary-leb128.wast:903
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0a\x01\x7f\x00\x41\x80\x80\x80\x80\x1f\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0a\x01\x7f\x00\x41\x80\x80\x80\x80\x1f\x0b");
 
 // binary-leb128.wast:913
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0a\x01\x7f\x00\x41\xff\xff\xff\xff\x4f\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0a\x01\x7f\x00\x41\xff\xff\xff\xff\x4f\x0b");
 
 // binary-leb128.wast:924
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0f\x01\x7e\x00\x42\x80\x80\x80\x80\x80\x80\x80\x80\x80\x7e\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0f\x01\x7e\x00\x42\x80\x80\x80\x80\x80\x80\x80\x80\x80\x7e\x0b");
 
 // binary-leb128.wast:934
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0f\x01\x7e\x00\x42\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0f\x01\x7e\x00\x42\xff\xff\xff\xff\xff\xff\xff\xff\xff\x01\x0b");
 
 // binary-leb128.wast:944
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0f\x01\x7e\x00\x42\x80\x80\x80\x80\x80\x80\x80\x80\x80\x02\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0f\x01\x7e\x00\x42\x80\x80\x80\x80\x80\x80\x80\x80\x80\x02\x0b");
 
 // binary-leb128.wast:954
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0f\x01\x7e\x00\x42\xff\xff\xff\xff\xff\xff\xff\xff\xff\x41\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x06\x0f\x01\x7e\x00\x42\xff\xff\xff\xff\xff\xff\xff\xff\xff\x41\x0b");
 
 // binary-leb128.wast:966
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
+// https://bugs.webkit.org/show_bug.cgi?id=173471
+// FIXME: Implement non-trapping float to int conversions.
 // let $26 = instance("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x0a\x1b\x01\x19\x00\x00\xfc\x80\x00\x00\xfc\x81\x80\x00\x00\xfc\x86\x80\x80\x00\x00\xfc\x87\x80\x80\x80\x00\x00\x0b");
 

trunk/JSTests/wasm/spec-tests/binary.wast.js

@@ -99 +99 @@
 
 // binary.wast:48
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x0c\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x0c\x00");
 
 // binary.wast:49
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x7f\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x7f\x00");
 
 // binary.wast:50
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x80\x00\x01\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x80\x00\x01\x00");
 
 // binary.wast:51
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x81\x00\x01\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x81\x00\x01\x00");
 
 // binary.wast:52
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\xff\x00\x01\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\xff\x00\x01\x00");
 
 // binary.wast:56
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x05\x01\xe0\x7f\x00\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x05\x01\xe0\x7f\x00\x00");
 
 // binary.wast:70
@@ -147 +135 @@
 
 // binary.wast:183
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0a\x01\x08\x00\x41\x00\x40\x80\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0a\x01\x08\x00\x41\x00\x40\x80\x00\x1a\x0b");
 
 // binary.wast:203
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0b\x01\x09\x00\x41\x00\x40\x80\x80\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0b\x01\x09\x00\x41\x00\x40\x80\x80\x00\x1a\x0b");
 
 // binary.wast:222
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0c\x01\x0a\x00\x41\x00\x40\x80\x80\x80\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0c\x01\x0a\x00\x41\x00\x40\x80\x80\x80\x00\x1a\x0b");
 
 // binary.wast:241
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0d\x01\x0b\x00\x41\x00\x40\x80\x80\x80\x80\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0d\x01\x0b\x00\x41\x00\x40\x80\x80\x80\x80\x00\x1a\x0b");
 
 // binary.wast:261
@@ -170 +150 @@
 
 // binary.wast:280
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x08\x01\x06\x00\x3f\x80\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x08\x01\x06\x00\x3f\x80\x00\x1a\x0b");
 
 // binary.wast:299
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x09\x01\x07\x00\x3f\x80\x80\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x09\x01\x07\x00\x3f\x80\x80\x00\x1a\x0b");
 
 // binary.wast:317
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0a\x01\x08\x00\x3f\x80\x80\x80\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0a\x01\x08\x00\x3f\x80\x80\x80\x00\x1a\x0b");
 
 // binary.wast:335
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0b\x01\x09\x00\x3f\x80\x80\x80\x80\x00\x1a\x0b");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x00\x0a\x0b\x01\x09\x00\x3f\x80\x80\x80\x80\x00\x1a\x0b");
 
 // binary.wast:354
@@ -226 +198 @@
 
 // binary.wast:475
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x04\x01\x00\x00\x04");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x04\x01\x00\x00\x04");
 
 // binary.wast:485
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x05\x01\x00\x00\x04\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x05\x01\x00\x00\x04\x00");
 
 // binary.wast:496
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x04\x01\x00\x00\x05");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x04\x01\x00\x00\x05");
 
 // binary.wast:506
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x05\x01\x00\x00\x05\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x05\x01\x00\x00\x05\x00");
 
 // binary.wast:517
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x04\x01\x00\x00\x80");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x04\x01\x00\x00\x80");
 
 // binary.wast:527
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x05\x01\x00\x00\x80\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x02\x05\x01\x00\x00\x80\x00");
 
 // binary.wast:540
@@ -268 +228 @@
 
 // binary.wast:600
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x03\x01\x70\x02");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x03\x01\x70\x02");
 
 // binary.wast:609
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x04\x01\x70\x02\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x04\x01\x70\x02\x00");
 
 // binary.wast:619
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x06\x01\x70\x81\x00\x00\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x06\x01\x70\x81\x00\x00\x00");
 
 // binary.wast:631
@@ -289 +243 @@
 
 // binary.wast:647
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x02\x01\x02");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x02\x01\x02");
 
 // binary.wast:655
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x03\x01\x02\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x03\x01\x02\x00");
 
 // binary.wast:664
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x05\x01\x81\x00\x00\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x05\x01\x81\x00\x00\x00");
 
 // binary.wast:673
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x05\x01\x81\x01\x00\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x05\x05\x01\x81\x01\x00\x00");
 
 // binary.wast:684
@@ -330 +276 @@
 
 // binary.wast:779
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x04\x04\x01\x70\x00\x01\x09\x07\x02\x00\x41\x00\x0b\x01\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x04\x04\x01\x70\x00\x01\x09\x07\x02\x00\x41\x00\x0b\x01\x00");
 
 // binary.wast:795
-// FIXME: Improve wasm binary test coverage.
-// https://bugs.webkit.org/show_bug.cgi?id=204843
-// assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x04\x04\x01\x70\x00\x01\x09\x07\x02\x00\x41\x00\x0b\x01\x00\x00\x41\x00");
+assert_malformed("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x04\x04\x01\x70\x00\x01\x09\x07\x02\x00\x41\x00\x0b\x01\x00\x00\x41\x00");
 
 // binary.wast:812

trunk/JSTests/wasm/wasm.json

@@ -98 +98 @@
         "f32.store":           { "category": "memory",     "value":  56, "return": [],                               "parameter": ["addr", "f32"],                "immediate": [{"name": "flags",          "type": "varuint32"}, {"name": "offset",   "type": "varuint32"}], "description": "store to memory" },
         "f64.store":           { "category": "memory",     "value":  57, "return": [],                               "parameter": ["addr", "f64"],                "immediate": [{"name": "flags",          "type": "varuint32"}, {"name": "offset",   "type": "varuint32"}], "description": "store to memory" },
-        "current_memory":      { "category": "operation",  "value":  63, "return": ["size"],                         "parameter": [],                             "immediate": [{"name": "flags",          "type": "varuint32"}],                                            "description": "query the size of memory" },
-        "grow_memory":         { "category": "operation",  "value":  64, "return": ["size"],                         "parameter": ["size"],                       "immediate": [{"name": "flags",          "type": "varuint32"}],                                            "description": "grow the size of memory" },
+        "current_memory":      { "category": "operation",  "value":  63, "return": ["size"],                         "parameter": [],                             "immediate": [{"name": "flags",          "type": "uint8"}],                                            "description": "query the size of memory" },
+        "grow_memory":         { "category": "operation",  "value":  64, "return": ["size"],                         "parameter": ["size"],                       "immediate": [{"name": "flags",          "type": "uint8"}],                                            "description": "grow the size of memory" },
         "i32.add":             { "category": "arithmetic", "value": 106, "return": ["i32"],                          "parameter": ["i32", "i32"],                 "immediate": [], "b3op": "Add"          },
         "i32.sub":             { "category": "arithmetic", "value": 107, "return": ["i32"],                          "parameter": ["i32", "i32"],                 "immediate": [], "b3op": "Sub"          },

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-11-17  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Improve Wasm binary test coverage
+        https://bugs.webkit.org/show_bug.cgi?id=204843
+
+        Reviewed by Darin Adler.
+
+        This patch fixes some of bugs in wasm parser so that we validate malformed wasm modules more strictly.
+
+        1. current_memory / grow_memory should have uint8 flag, not varuint32 flag.
+        2. global section should have uint8 mutability information, not varuint32.
+        3. memory section should have varuint32 memory count.
+
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+        * wasm/WasmSectionParser.cpp:
+        (JSC::Wasm::SectionParser::parseResizableLimits):
+        (JSC::Wasm::SectionParser::parseMemory):
+        (JSC::Wasm::SectionParser::parseGlobalType):
+        * wasm/wasm.json:
+
 2020-11-18  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -839 +839 @@
 
         uint8_t reserved;
-        WASM_PARSER_FAIL_IF(!parseVarUInt1(reserved), "can't parse reserved varUint1 for grow_memory");
-        WASM_PARSER_FAIL_IF(reserved != 0, "reserved varUint1 for grow_memory must be zero");
+        WASM_PARSER_FAIL_IF(!parseUInt8(reserved), "can't parse reserved byte for grow_memory");
+        WASM_PARSER_FAIL_IF(reserved != 0, "reserved byte for grow_memory must be zero");
 
         TypedExpression delta;
@@ -857 +857 @@
 
         uint8_t reserved;
-        WASM_PARSER_FAIL_IF(!parseVarUInt1(reserved), "can't parse reserved varUint1 for current_memory");
-        WASM_PARSER_FAIL_IF(reserved != 0, "reserved varUint1 for current_memory must be zero");
+        WASM_PARSER_FAIL_IF(!parseUInt8(reserved), "can't parse reserved byte for current_memory");
+        WASM_PARSER_FAIL_IF(reserved != 0, "reserved byte for current_memory must be zero");
 
         ExpressionType result;
@@ -1008 +1008 @@
     case CurrentMemory: {
         uint8_t reserved;
-        WASM_PARSER_FAIL_IF(!parseVarUInt1(reserved), "can't parse reserved varUint1 for grow_memory/current_memory");
+        WASM_PARSER_FAIL_IF(!parseUInt8(reserved), "can't parse reserved byte for grow_memory/current_memory");
+        WASM_PARSER_FAIL_IF(reserved != 0, "reserved byte for grow_memory/current_memory must be zero");
         return { };
     }

trunk/Source/JavaScriptCore/wasm/WasmSectionParser.cpp

@@ -35 +35 @@
 #include "WasmOps.h"
 #include "WasmSignatureInlines.h"
+#include <wtf/HexNumber.h>
 #include <wtf/Optional.h>
 
@@ -182 +183 @@
 
     uint8_t flags;
-    WASM_PARSER_FAIL_IF(!parseVarUInt1(flags), "can't parse resizable limits flags");
+    WASM_PARSER_FAIL_IF(!parseUInt8(flags), "can't parse resizable limits flags");
+    WASM_PARSER_FAIL_IF(flags != 0x0 && flags != 0x1, "resizable limits flag should be 0x00 or 0x01 but 0x", hex(flags, 2, Lowercase));
     WASM_PARSER_FAIL_IF(!parseVarUInt32(initial), "can't parse resizable limits initial page count");
 
@@ -264 +266 @@
 auto SectionParser::parseMemory() -> PartialResult
 {
-    uint8_t count;
-    WASM_PARSER_FAIL_IF(!parseVarUInt1(count), "can't parse Memory section's count");
+    uint32_t count;
+    WASM_PARSER_FAIL_IF(!parseVarUInt32(count), "can't parse Memory section's count");
 
     if (!count)
@@ -507 +509 @@
     uint8_t mutability;
     WASM_PARSER_FAIL_IF(!parseValueType(global.type), "can't get Global's value type");
-    WASM_PARSER_FAIL_IF(!parseVarUInt1(mutability), "can't get Global type's mutability");
+    WASM_PARSER_FAIL_IF(!parseUInt8(mutability), "can't get Global type's mutability");
+    WASM_PARSER_FAIL_IF(mutability != 0x0 && mutability != 0x1, "invalid Global's mutability: 0x", hex(mutability, 2, Lowercase));
     global.mutability = static_cast<GlobalInformation::Mutability>(mutability);
     return { };

trunk/Source/JavaScriptCore/wasm/wasm.json

@@ -98 +98 @@
         "f32.store":           { "category": "memory",     "value":  56, "return": [],                               "parameter": ["addr", "f32"],                "immediate": [{"name": "flags",          "type": "varuint32"}, {"name": "offset",   "type": "varuint32"}], "description": "store to memory" },
         "f64.store":           { "category": "memory",     "value":  57, "return": [],                               "parameter": ["addr", "f64"],                "immediate": [{"name": "flags",          "type": "varuint32"}, {"name": "offset",   "type": "varuint32"}], "description": "store to memory" },
-        "current_memory":      { "category": "operation",  "value":  63, "return": ["size"],                         "parameter": [],                             "immediate": [{"name": "flags",          "type": "varuint32"}],                                            "description": "query the size of memory" },
-        "grow_memory":         { "category": "operation",  "value":  64, "return": ["size"],                         "parameter": ["size"],                       "immediate": [{"name": "flags",          "type": "varuint32"}],                                            "description": "grow the size of memory" },
+        "current_memory":      { "category": "operation",  "value":  63, "return": ["size"],                         "parameter": [],                             "immediate": [{"name": "flags",          "type": "uint8"}],                                            "description": "query the size of memory" },
+        "grow_memory":         { "category": "operation",  "value":  64, "return": ["size"],                         "parameter": ["size"],                       "immediate": [{"name": "flags",          "type": "uint8"}],                                            "description": "grow the size of memory" },
         "i32.add":             { "category": "arithmetic", "value": 106, "return": ["i32"],                          "parameter": ["i32", "i32"],                 "immediate": [], "b3op": "Add"          },
         "i32.sub":             { "category": "arithmetic", "value": 107, "return": ["i32"],                          "parameter": ["i32", "i32"],                 "immediate": [], "b3op": "Sub"          },

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2020-11-17  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Improve Wasm binary test coverage
+        https://bugs.webkit.org/show_bug.cgi?id=204843
+
+        Reviewed by Darin Adler.
+
+        LEBDecoder should have more strict validation. One thing is that, we should reject pattern that includes ignored bits.
+        For example, in uint32_t, we can represent UINT32_MAX in 5 bytes like this.
+
+            0xff, 0xff, 0xff, 0xff, 0x0f
+            0b1111111_1111111_1111111_1111111_1111
+
+        Leading bytes has 0x80 trailing marker. And they includes each 7 bit slice. And the last byte includes 0b1111 part.
+        But we can also make it in the following form
+
+            0xff, 0xff, 0xff, 0xff, 0xff
+            0b1111111_1111111_1111111_1111111_1111
+
+        In the above case, the last byte's upper 4 bits are ignored in the result, and this is wrong in LEB128 encoding.
+        We should reject this input since the last byte includes overflown bits.
+        This patch adds this validation to WTF.
+
+        * wtf/LEBDecoder.h:
+        (WTF::LEBDecoder::maxByteLength):
+        (WTF::LEBDecoder::lastByteMask):
+        (WTF::LEBDecoder::decodeUInt):
+        (WTF::LEBDecoder::decodeInt):
+
 2020-11-18  Darin Adler  <darin@apple.com>
 

trunk/Source/WTF/wtf/HexNumber.cpp

@@ -20 +20 @@
 #include "config.h"
 #include "HexNumber.h"
+
+#include <wtf/PrintStream.h>
+#include <wtf/text/StringView.h>
 
 namespace WTF {
@@ -44 +47 @@
 }
 
+void printInternal(PrintStream& out, HexNumberBuffer buffer)
+{
+    out.print(StringView(buffer.characters(), buffer.length));
+}
+
 } // namespace WTF

trunk/Source/WTF/wtf/HexNumber.h

@@ -89 +89 @@
 };
 
+class PrintStream;
+WTF_EXPORT_PRIVATE void printInternal(PrintStream&, HexNumberBuffer);
+
 } // namespace WTF
 

trunk/Source/WTF/wtf/LEBDecoder.h

@@ -39 +39 @@
 constexpr size_t maxByteLength()
 {
-    const size_t numBits = sizeof(T) * CHAR_BIT;
+    constexpr size_t numBits = sizeof(T) * CHAR_BIT;
     return (numBits - 1) / 7 + 1; // numBits / 7 rounding up.
+}
+
+template<typename T>
+constexpr unsigned lastByteMask()
+{
+    constexpr size_t numBits = sizeof(T) * CHAR_BIT;
+    static_assert(numBits % 7);
+    return ~((1U << (numBits % 7)) - 1);
 }
 
@@ -46 +54 @@
 inline bool WARN_UNUSED_RETURN decodeUInt(const uint8_t* bytes, size_t length, size_t& offset, T& result)
 {
+    static_assert(std::is_unsigned_v<T>);
     if (length <= offset)
         return false;
@@ -56 +65 @@
         shift += 7;
         if (!(byte & 0x80))
-            return true;
+            return !(((maxByteLength<T>() - 1) == i && (byte & lastByteMask<T>())));
         if (i == last)
             return false;
@@ -67 +76 @@
 inline bool WARN_UNUSED_RETURN decodeInt(const uint8_t* bytes, size_t length, size_t& offset, T& result)
 {
+    static_assert(std::is_signed_v<T>);
     if (length <= offset)
         return false;
+    using UnsignedT = typename std::make_unsigned<T>::type;
     result = 0;
     unsigned shift = 0;
@@ -75 +86 @@
     for (unsigned i = 0; true; ++i) {
         byte = bytes[offset++];
-        result |= static_cast<T>(byte & 0x7f) << shift;
+        result |= static_cast<T>(static_cast<UnsignedT>(byte & 0x7f) << shift);
         shift += 7;
-        if (!(byte & 0x80))
+        if (!(byte & 0x80)) {
+            if ((maxByteLength<T>() - 1) == i) {
+                if (!(byte & 0x40)) {
+                    // This is a non-sign-extended, positive number. Then, the remaining bits should be (lastByteMask<T>() >> 1).
+                    // For example, in the int32_t case, the last byte should be less than 0b00000111, since 7 * 4 + 3 = 31.
+                    if (byte & (lastByteMask<T>() >> 1))
+                        return false;
+                } else {
+                    // This is sign-extended, negative number. Then, zero should not exists in (lastByteMask<T>() >> 1) bits except for the top bit.
+                    // For example, in the int32_t case, the last byte should be 0b01111XXX and 1 part must be 1. Since we already checked 0x40 is 1,
+                    // middle [3,5] bits must be zero (e.g. 0b01000111 is invalid). We convert 0b01111XXX =(| 0x80)=> 0b11111XXX =(~)=> 0b00000YYY.
+                    // And check that we do not have 1 in upper 5 bits.
+                    if (static_cast<uint8_t>(~(byte | 0x80)) & (lastByteMask<T>() >> 1))
+                        return false;
+                }
+            }
             break;
+        }
         if (i == last)
             return false;
     }
 
-    using UnsignedT = typename std::make_unsigned<T>::type;
     const size_t numBits = sizeof(T) * CHAR_BIT;
     if (shift < numBits && (byte & 0x40))

trunk/Tools/ChangeLog

@@ +1 @@
+2020-11-17  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Improve Wasm binary test coverage
+        https://bugs.webkit.org/show_bug.cgi?id=204843
+
+        Reviewed by Darin Adler.
+
+        We add more tests for LEBDecoder. In particular, the added tests focus on the case which overflow bits.
+
+        * TestWebKitAPI/Tests/WTF/LEBDecoder.cpp:
+        (TestWebKitAPI::toString):
+        (TestWebKitAPI::testUInt32LEBDecode):
+        (TestWebKitAPI::TEST):
+        (TestWebKitAPI::testUInt64LEBDecode):
+        (TestWebKitAPI::testInt32LEBDecode):
+        (TestWebKitAPI::testInt64LEBDecode):
+
 2020-11-18  Aakash Jain  <aakash_jain@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WTF/LEBDecoder.cpp

@@ -26 +26 @@
 #include "config.h"
 
+#include <string>
 #include <wtf/LEBDecoder.h>
 #include <wtf/Vector.h>
@@ -31 +32 @@
 namespace TestWebKitAPI {
 
+static std::string toString(const Vector<uint8_t>& vector)
+{
+    std::stringstream out;
+    out << std::hex;
+    out << "{ ";
+    for (uint8_t v : vector)
+        out << "0x" << std::setfill('0') << std::setw(2) << static_cast<unsigned>(v) << ", ";
+    out << "}";
+    return out.str();
+}
+
 static void testUInt32LEBDecode(std::initializer_list<uint8_t> data, size_t startOffset, bool expectedStatus, uint32_t expectedResult, size_t expectedOffset)
 {
     Vector<uint8_t> vector(data);
+    auto string = toString(vector);
     uint32_t result;
     bool status = WTF::LEBDecoder::decodeUInt32(vector.data(), vector.size(), startOffset, result);
-    EXPECT_EQ(expectedStatus, status);
-    if (expectedStatus) {
-        EXPECT_EQ(expectedResult, result);
-        EXPECT_EQ(expectedOffset, startOffset);
+    EXPECT_EQ(expectedStatus, status) << string;
+    if (expectedStatus) {
+        EXPECT_EQ(expectedResult, result) << string;
+        EXPECT_EQ(expectedOffset, startOffset) << string;
     }
 }
@@ -52 +65 @@
     testUInt32LEBDecode({ 0xf3, 0x85, 0x02 }, 0, true, 0x82f3lu, 3lu);
     testUInt32LEBDecode({ 0xf3, 0x85, 0xff, 0x74 }, 0, true, 0xe9fc2f3lu, 4lu);
-    testUInt32LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x7f }, 0, true, 0xfe9fc2f3lu, 5lu);
+    testUInt32LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x0f }, 0, true, 0xfe9fc2f3lu, 5lu);
+    testUInt32LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0x0f }, 0, true, 0xfffffffflu, 5lu);
     // Test with extra trailing numbers
     testUInt32LEBDecode({ 0x07, 0x80 }, 0, true, 0x7lu, 1lu);
@@ -76 +90 @@
     // Test decode off end of array
     testUInt32LEBDecode({ 0x80, 0x80, 0xab, 0x8a, 0x9a, 0xa3, 0xff }, 2, false, 0x0lu, 0lu);
+    // Test decode overflow
+    testUInt32LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x1f }, 0, false, 0x0lu, 0lu);
+    testUInt32LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0x10 }, 0, false, 0x0lu, 0lu);
 }
 
@@ -81 +98 @@
 {
     Vector<uint8_t> vector(data);
+    auto string = toString(vector);
     uint64_t result;
     bool status = WTF::LEBDecoder::decodeUInt64(vector.data(), vector.size(), startOffset, result);
-    EXPECT_EQ(expectedStatus, status);
-    if (expectedStatus) {
-        EXPECT_EQ(expectedResult, result);
-        EXPECT_EQ(expectedOffset, startOffset);
+    EXPECT_EQ(expectedStatus, status) << string;
+    if (expectedStatus) {
+        EXPECT_EQ(expectedResult, result) << string;
+        EXPECT_EQ(expectedOffset, startOffset) << string;
     }
 }
@@ -105 +123 @@
     testUInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0xff, 0xcb, 0xba, 0x8f, 0x69 }, 0, true, 0x691eea5ffe9fc2f3lu, 9lu);
     testUInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0xff, 0xcb, 0xba, 0x8f, 0xe9, 0x01 }, 0, true, 0xe91eea5ffe9fc2f3lu, 10lu);
-    testUInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0xff, 0xcb, 0xba, 0x8f, 0xe9, 0x70 }, 0, true, 0x691eea5ffe9fc2f3lu, 10lu);
+    testUInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0xff, 0xcb, 0xba, 0x8f, 0xe9, 0x00 }, 0, true, 0x691eea5ffe9fc2f3lu, 10lu);
+    testUInt64LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01 }, 0, true, 0xfffffffffffffffflu, 10lu);
     // Test with extra trailing numbers
     testUInt64LEBDecode({ 0x07, 0x80 }, 0, true, 0x7lu, 1lu);
@@ -136 +155 @@
     testUInt64LEBDecode({ 0x80, 0x80, 0xab, 0x8a, 0x9a, 0xa3, 0xff }, 2, false, 0x0lu, 0lu);
     testUInt64LEBDecode({ 0x92, 0xf3, 0x85, 0xff, 0xf4, 0xff, 0xcb, 0xba, 0x8f }, 1, false, 0x0lu, 0lu);
+    // Test decode overflow
+    testUInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0xff, 0xcb, 0xba, 0x8f, 0xe9, 0x02 }, 0, false, 0x0lu, 0lu);
 }
 
@@ -141 +162 @@
 {
     Vector<uint8_t> vector(data);
+    auto string = toString(vector);
     int32_t result;
     bool status = WTF::LEBDecoder::decodeInt32(vector.data(), vector.size(), startOffset, result);
-    EXPECT_EQ(expectedStatus, status);
-    if (expectedStatus) {
-        EXPECT_EQ(expectedResult, result);
-        EXPECT_EQ(expectedOffset, startOffset);
+    EXPECT_EQ(expectedStatus, status) << string;
+    if (expectedStatus) {
+        EXPECT_EQ(expectedResult, result) << string;
+        EXPECT_EQ(expectedOffset, startOffset) << string;
     }
 }
@@ -160 +182 @@
     testInt32LEBDecode({ 0xf3, 0x85, 0xff, 0x74 }, 0, true, 0xfe9fc2f3, 4lu);
     testInt32LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x7f }, 0, true, 0xfe9fc2f3, 5lu);
+    testInt32LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0x07 }, 0, true, INT32_MAX, 5lu);
+    testInt32LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0x7f }, 0, true, -1, 5lu);
+    testInt32LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0x7b }, 0, true, -1073741825, 5lu);
     // Test with extra trailing numbers
     testInt32LEBDecode({ 0x07, 0x80 }, 0, true, 0x7, 1lu);
@@ -183 +208 @@
     // Test decode off end of array
     testInt32LEBDecode({ 0x80, 0x80, 0xab, 0x8a, 0x9a, 0xa3, 0xff }, 2, false, 0x0, 0lu);
+    // Test decode overflow
+    testInt32LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0x08 }, 0, false, 0, 0lu);
+    testInt32LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0x77 }, 0, false, 0, 0lu);
 }
 
@@ -188 +216 @@
 {
     Vector<uint8_t> vector(data);
+    auto string = toString(vector);
     int64_t result;
     bool status = WTF::LEBDecoder::decodeInt64(vector.data(), vector.size(), startOffset, result);
-    EXPECT_EQ(expectedStatus, status);
-    if (expectedStatus) {
-        EXPECT_EQ(expectedResult, result);
-        EXPECT_EQ(expectedOffset, startOffset);
+    EXPECT_EQ(expectedStatus, status) << string;
+    if (expectedStatus) {
+        EXPECT_EQ(expectedResult, result) << string;
+        EXPECT_EQ(expectedOffset, startOffset) << string;
     }
 }
@@ -211 +240 @@
     testInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x8f, 0x9a, 0x80, 0x2a }, 0, true, 0x5400d0fe9fc2f3, 8lu);
     testInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x8f, 0x9a, 0x80, 0xaa, 0x41 }, 0, true, 0xc15400d0fe9fc2f3, 9lu);
-    testInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x8f, 0x9a, 0x80, 0xaa, 0xc1, 0x01 }, 0, true, 0xc15400d0fe9fc2f3, 10lu);
-    testInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x8f, 0x9a, 0x80, 0xaa, 0xc1, 0x62 }, 0, true, 0x415400d0fe9fc2f3, 10lu);
+    testInt64LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, }, 0, true, INT64_MAX >> 1, 9lu);
+    testInt64LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, }, 0, true, -1, 9lu);
+    testInt64LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00 }, 0, true, INT64_MAX, 10lu);
+    testInt64LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, 0, true, -1, 10lu);
+    testInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x8f, 0x9a, 0x80, 0xaa, 0xc1, 0x7f }, 0, true, 0xc15400d0fe9fc2f3, 10lu);
+    testInt64LEBDecode({ 0xf3, 0x85, 0xff, 0xf4, 0x8f, 0x9a, 0x80, 0xaa, 0xc1, 0x00 }, 0, true, 0x415400d0fe9fc2f3, 10lu);
     // Test with extra trailing numbers
     testInt64LEBDecode({ 0x07, 0x80 }, 0, true, 0x7, 1lu);
@@ -234 +267 @@
     testInt64LEBDecode({ 0x80, 0x80, 0xab, 0x8a, 0x9a, 0xa3, 0xff }, 1, false, 0x0, 0lu);
     testInt64LEBDecode({ 0x80, 0x80, 0xab, 0x8a, 0x9a, 0xa3, 0xff }, 0, false, 0x0, 0lu);
+    testInt64LEBDecode({ 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x00 }, 0, false, 0lu, 0lu);
     // Test decode off end of array
     testInt64LEBDecode({ 0x80, 0x80, 0xab, 0x8a, 0x9a, 0xa3, 0xff }, 2, false, 0x0, 0lu);
+    // Test decode overflow
+    testInt64LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01 }, 0, false, 0, 0lu);
+    testInt64LEBDecode({ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7e }, 0, false, 0, 0lu);
 }