Merge r220894 - WebAssembly: const in unreachable code decoded incorr…

…ectly, erroneously rejects binary as invalid https://bugs.webkit.org/show_bug.cgi?id=175693 <rdar://problem/33952443> Reviewed by Saam Barati. JSTests: Add a regression directory for WebAssembly tests. * wasm.yaml: * wasm/regress/175693.js: Added. (else.else): (instance.new.WebAssembly.Instance.new.WebAssembly.Module): (catch): * wasm/regress/175693.wasm: Added. Source/JavaScriptCore: 64-bit constants in an unreachable context were being decoded as 32-bit constants. This is pretty benign because unreachable code shouldn't occur often. The effect is that 64-bit constants which can't be encoded as 32-bit constants would cause the binary to be rejected. At the same time, 32-bit integer constants should be decoded as signed. * wasm/WasmFunctionParser.h: (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
WebKit · Aug 18, 2017 · 09e314d · 09e314d
1 parent 1e683b5
commit 09e314d
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 2 deletions.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,20 @@
+2017-08-17  JF Bastien  <jfbastien@apple.com>
+
+        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
+        https://bugs.webkit.org/show_bug.cgi?id=175693
+        <rdar://problem/33952443>
+
+        Reviewed by Saam Barati.
+
+        Add a regression directory for WebAssembly tests.
+
+        * wasm.yaml:
+        * wasm/regress/175693.js: Added.
+        (else.else):
+        (instance.new.WebAssembly.Instance.new.WebAssembly.Module):
+        (catch):
+        * wasm/regress/175693.wasm: Added.
+
 2017-08-09  Caitlin Potter  <caitp@igalia.com>
 
         Early error on ANY operator before new.target

diff --git a/JSTests/wasm.yaml b/JSTests/wasm.yaml
@@ -35,6 +35,8 @@
   cmd: runWebAssembly unless parseRunCommands
 - path: wasm/lowExecutableMemory
   cmd: runWebAssemblyLowExecutableMemory unless parseRunCommands
+- path: wasm/regress/
+  cmd: runWebAssembly unless parseRunCommands
 
 - path: wasm/spec-tests/address.wast.js
   cmd: runWebAssemblySpecTest :normal

diff --git a/JSTests/wasm/regress/175693.js b/JSTests/wasm/regress/175693.js
@@ -0,0 +1,39 @@
+const file = "175693.wasm";
+
+if (typeof console === 'undefined') {
+  console = { log: print };
+}
+var binary;
+if (typeof process === 'object' && typeof require === 'function' /* node.js detection */) {
+  var args = process.argv.slice(2);
+  binary = require('fs').readFileSync(file);
+  if (!binary.buffer) binary = new Uint8Array(binary);
+} else {
+  var args;
+  if (typeof scriptArgs != 'undefined') {
+    args = scriptArgs;
+  } else if (typeof arguments != 'undefined') {
+    args = arguments;
+  }
+  if (typeof readbuffer === 'function') {
+    binary = new Uint8Array(readbuffer(file));
+  } else {
+    binary = read(file, 'binary');
+  }
+}
+var instance = new WebAssembly.Instance(new WebAssembly.Module(binary), {});
+if (instance.exports.hangLimitInitializer) instance.exports.hangLimitInitializer();
+try {
+  console.log('calling: func_0');
+instance.exports.func_0();
+} catch (e) {
+  console.log('   exception: ' + e);
+}
+if (instance.exports.hangLimitInitializer) instance.exports.hangLimitInitializer();
+try {
+  console.log('calling: hangLimitInitializer');
+instance.exports.hangLimitInitializer();
+} catch (e) {
+  console.log('   exception: ' + e);
+}
+console.log('done.')
diff --git a/JSTests/wasm/regress/175693.wasm b/JSTests/wasm/regress/175693.wasm
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,22 @@
+2017-08-17  JF Bastien  <jfbastien@apple.com>
+
+        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
+        https://bugs.webkit.org/show_bug.cgi?id=175693
+        <rdar://problem/33952443>
+
+        Reviewed by Saam Barati.
+
+        64-bit constants in an unreachable context were being decoded as
+        32-bit constants. This is pretty benign because unreachable code
+        shouldn't occur often. The effect is that 64-bit constants which
+        can't be encoded as 32-bit constants would cause the binary to be
+        rejected.
+
+        At the same time, 32-bit integer constants should be decoded as signed.
+
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+
 2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>
 
         [WPE][GTK] Ensure proper casting of data in gvariants

diff --git a/Source/JavaScriptCore/wasm/WasmFunctionParser.h b/Source/JavaScriptCore/wasm/WasmFunctionParser.h
@@ -604,8 +604,6 @@ auto FunctionParser<Context>::parseUnreachableExpression() -> PartialResult
     }
 
     // one immediate cases
-    case I32Const:
-    case I64Const:
     case SetLocal:
     case GetLocal:
     case TeeLocal:
@@ -619,6 +617,18 @@ auto FunctionParser<Context>::parseUnreachableExpression() -> PartialResult
         return { };
     }
 
+    case I32Const: {
+        int32_t unused;
+        WASM_PARSER_FAIL_IF(!parseVarInt32(unused), "can't get immediate for ", m_currentOpcode, " in unreachable context");
+        return { };
+    }
+
+    case I64Const: {
+        int64_t unused;
+        WASM_PARSER_FAIL_IF(!parseVarInt64(unused), "can't get immediate for ", m_currentOpcode, " in unreachable context");
+        return { };
+    }
+
     case GrowMemory:
     case CurrentMemory: {
         uint8_t reserved;