<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[209874] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/209874">209874</a></dd>
<dt>Author</dt> <dd>jfbastien@apple.com</dd>
<dt>Date</dt> <dd>2016-12-15 14:08:38 -0800 (Thu, 15 Dec 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>JSTests:
WebAssembly API: improve data section errors
https://bugs.webkit.org/show_bug.cgi?id=165733
Reviewed by Keith Miller.
* wasm/js-api/element-data.js: Added.
(ElementBeforeData.set const):
(ElementBeforeData): check the order of initialization, which is observable on failure
* wasm/js-api/test_Data.js:
(DataSectionWithoutMemory):
(DataSectionOffTheEnd): Deleted.
(DataSectionPartlyOffTheEnd): Deleted.
(DataSectionEmptyOffTheEnd): Deleted.
(DataSectionSeenByStart): Deleted.
Source/JavaScriptCore:
WebAssembly API: improve data section errors, initialize after Element
https://bugs.webkit.org/show_bug.cgi?id=165733
Reviewed by Keith Miller.
* wasm/WasmModuleParser.cpp:
(JSC::Wasm::ModuleParser::parseData): Data section without Memory section or import is a validation error
* wasm/js/WebAssemblyModuleRecord.cpp:
(JSC::dataSegmentFail):
(JSC::WebAssemblyModuleRecord::evaluate): tighten checks (though the spec isn't fully baked), and move after Element initialization</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkJSTestswasmjsapitest_Datajs">trunk/JSTests/wasm/js-api/test_Data.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmWasmModuleParsercpp">trunk/Source/JavaScriptCore/wasm/WasmModuleParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsWebAssemblyModuleRecordcpp">trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkJSTestswasmjsapielementdatajs">trunk/JSTests/wasm/js-api/element-data.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (209873 => 209874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog        2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/JSTests/ChangeLog        2016-12-15 22:08:38 UTC (rev 209874)
</span><span class="lines">@@ -1,3 +1,20 @@
</span><ins>+2016-12-15 JF Bastien <jfbastien@apple.com>
+
+ WebAssembly API: improve data section errors
+ https://bugs.webkit.org/show_bug.cgi?id=165733
+
+ Reviewed by Keith Miller.
+
+ * wasm/js-api/element-data.js: Added.
+ (ElementBeforeData.set const):
+ (ElementBeforeData): check the order of initialization, which is observable on failure
+ * wasm/js-api/test_Data.js:
+ (DataSectionWithoutMemory):
+ (DataSectionOffTheEnd): Deleted.
+ (DataSectionPartlyOffTheEnd): Deleted.
+ (DataSectionEmptyOffTheEnd): Deleted.
+ (DataSectionSeenByStart): Deleted.
+
</ins><span class="cx"> 2016-12-15 Keith Miller <keith_miller@apple.com>
</span><span class="cx">
</span><span class="cx"> Fix 64-bit shift family Wasm opcodes
</span></span></pre></div>
<a id="trunkJSTestswasmjsapielementdatajs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/wasm/js-api/element-data.js (0 => 209874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/wasm/js-api/element-data.js         (rev 0)
+++ trunk/JSTests/wasm/js-api/element-data.js        2016-12-15 22:08:38 UTC (rev 209874)
</span><span class="lines">@@ -0,0 +1,47 @@
</span><ins>+import Builder from '../Builder.js';
+import * as assert from '../assert.js';
+
+const memSizeInPages = 1;
+const pageSizeInBytes = 64 * 1024;
+const memoryDescription = { initial: memSizeInPages, maximum: memSizeInPages };
+
+(function ElementBeforeData() {
+ const builder = (new Builder())
+ .Type().End()
+ .Import()
+ .Memory("imp", "memory", memoryDescription)
+ .Table("imp", "table", {element: "anyfunc", initial: 19}) // unspecified maximum.
+ .End()
+ .Function().End()
+ .Element()
+ .Element({offset: 19, functionIndices: [0, 0, 0, 0, 0]})
+ .End()
+ .Code()
+ .Function("foo", {params: ["i32"], ret: "i32"})
+ .GetLocal(0)
+ .I32Const(42)
+ .I32Add()
+ .Return()
+ .End()
+ .End()
+ .Data()
+ .Segment([0xde, 0xad, 0xbe, 0xef]).Offset(0).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ const module = new WebAssembly.Module(bin);
+ const memory = new WebAssembly.Memory(memoryDescription);
+ const table = new WebAssembly.Table({element: "anyfunc", initial: 19});
+ const imports = {
+ imp: {
+ memory: memory,
+ table: table,
+ }
+ };
+ assert.throws(() => new WebAssembly.Instance(module, imports), RangeError, `Element is trying to set an out of bounds table index`);
+ // On Element failure, the Data section shouldn't have executed.
+ const buffer = new Uint8Array(memory.buffer);
+ for (let idx = 0; idx < memSizeInPages * pageSizeInBytes; ++idx) {
+ const value = buffer[idx];
+ assert.eq(value, 0x00);
+ }
+})();
</ins></span></pre></div>
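Review bot: the zero-check loop at the end of ElementBeforeData bounds on `memSizeInPages * pageSizeInBytes` instead of `buffer.length`, so it silently diverges from the real buffer size if memoryDescription changes or the Memory is grown; the `assertMemoryAllZero` helper that this same change adds to test_Data.js already iterates `buffer.length` and could be shared here rather than duplicating the loop. Also note that the test's meaning hinges on the exact text `Element is trying to set an out of bounds table index`: if that message is reworded, `assert.throws` fails before the ordering check is reached, so a short comment saying the message match is deliberate would help whoever edits it next.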
<a id="trunkJSTestswasmjsapitest_Datajs"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/wasm/js-api/test_Data.js (209873 => 209874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/wasm/js-api/test_Data.js        2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/JSTests/wasm/js-api/test_Data.js        2016-12-15 22:08:38 UTC (rev 209874)
</span><span class="lines">@@ -4,9 +4,18 @@
</span><span class="cx"> const memSizeInPages = 1;
</span><span class="cx"> const pageSizeInBytes = 64 * 1024;
</span><span class="cx"> const memoryDescription = { initial: memSizeInPages, maximum: memSizeInPages };
</span><ins>+const emptyMemory = { initial: 0, maximum: 2 };
</ins><span class="cx">
</span><span class="cx"> // FIXME Some corner cases are ill-specified: https://github.com/WebAssembly/design/issues/897
</span><span class="cx">
</span><ins>+const assertMemoryAllZero = memory => {
+ const buffer = new Uint8Array(memory.buffer);
+ for (let idx = 0; idx < buffer.length; ++idx) {
+ const value = buffer[idx];
+ assert.eq(value, 0x00);
+ }
+};
+
</ins><span class="cx"> (function DataSection() {
</span><span class="cx"> const builder = (new Builder())
</span><span class="cx"> .Type().End()
</span><span class="lines">@@ -36,6 +45,40 @@
</span><span class="cx"> }
</span><span class="cx"> })();
</span><span class="cx">
</span><ins>+(function DataSectionWithoutMemory() {
+ const builder = (new Builder())
+ .Type().End()
+ .Data()
+ .Segment([0xff]).Offset(0).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ assert.throws(() => new WebAssembly.Module(bin), WebAssembly.CompileError, `couldn't parse section Data: Data segments (evaluating 'new WebAssembly.Module(bin)')`);
+})();
+
+(function EmptyDataSectionWithoutMemory() {
+ const builder = (new Builder())
+ .Type().End()
+ .Data()
+ .Segment([]).Offset(0).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ assert.throws(() => new WebAssembly.Module(bin), WebAssembly.CompileError, `couldn't parse section Data: Data segments (evaluating 'new WebAssembly.Module(bin)')`);
+})();
+
+(function DataSectionBiggerThanMemory() {
+ const builder = (new Builder())
+ .Type().End()
+ .Import().Memory("imp", "memory", memoryDescription).End()
+ .Data()
+ .Segment(Array(memSizeInPages * pageSizeInBytes + 1).fill(0xff)).Offset(0).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ const module = new WebAssembly.Module(bin);
+ const memory = new WebAssembly.Memory(memoryDescription);
+ assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Invalid data segment initialization: segment of 65537 bytes memory of 65536 bytes, at offset 0, segment is too big`);
+ assertMemoryAllZero(memory);
+})();
+
</ins><span class="cx"> (function DataSectionOffTheEnd() {
</span><span class="cx"> const builder = (new Builder())
</span><span class="cx"> .Type().End()
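Review bot: the expected CompileError text `couldn't parse section Data: Data segments` in DataSectionWithoutMemory and EmptyDataSectionWithoutMemory never says that the section was rejected for lacking a Memory definition or import, because parseData in WasmModuleParser.cpp now returns false before any reason is recorded; a dedicated message would make these tests self-describing and give module authors an actionable error. In DataSectionBiggerThanMemory the literals 65537 and 65536 in the expected RangeError duplicate `memSizeInPages * pageSizeInBytes + 1` and `memSizeInPages * pageSizeInBytes`; building the expected string from those constants keeps the test in step with the declarations at the top of the file.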
</span><span class="lines">@@ -46,12 +89,8 @@
</span><span class="cx"> const bin = builder.WebAssembly().get();
</span><span class="cx"> const module = new WebAssembly.Module(bin);
</span><span class="cx"> const memory = new WebAssembly.Memory(memoryDescription);
</span><del>- assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Data segment initializes memory out of range`);
- const buffer = new Uint8Array(memory.buffer);
- for (let idx = 0; idx < memSizeInPages * pageSizeInBytes; ++idx) {
- const value = buffer[idx];
- assert.eq(value, 0x00);
- }
</del><ins>+ assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Invalid data segment initialization: segment of 1 bytes memory of 65536 bytes, at offset 65536, segment writes outside of memory`);
+ assertMemoryAllZero(memory);
</ins><span class="cx"> })();
</span><span class="cx">
</span><span class="cx"> (function DataSectionPartlyOffTheEnd() {
</span><span class="lines">@@ -64,12 +103,8 @@
</span><span class="cx"> const bin = builder.WebAssembly().get();
</span><span class="cx"> const module = new WebAssembly.Module(bin);
</span><span class="cx"> const memory = new WebAssembly.Memory(memoryDescription);
</span><del>- assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Data segment initializes memory out of range`);
- const buffer = new Uint8Array(memory.buffer);
- for (let idx = 0; idx < memSizeInPages * pageSizeInBytes; ++idx) {
- const value = buffer[idx];
- assert.eq(value, 0x00);
- }
</del><ins>+ assert.throws(() => new WebAssembly.Instance(module, { imp: { memory: memory } }), RangeError, `Invalid data segment initialization: segment of 2 bytes memory of 65536 bytes, at offset 65535, segment writes outside of memory`);
+ assertMemoryAllZero(memory);
</ins><span class="cx"> })();
</span><span class="cx">
</span><span class="cx"> (function DataSectionEmptyOffTheEnd() {
</span><span class="lines">@@ -83,13 +118,23 @@
</span><span class="cx"> const module = new WebAssembly.Module(bin);
</span><span class="cx"> const memory = new WebAssembly.Memory(memoryDescription);
</span><span class="cx"> const instance = new WebAssembly.Instance(module, { imp: { memory: memory } });
</span><del>- const buffer = new Uint8Array(memory.buffer);
- for (let idx = 0; idx < memSizeInPages * pageSizeInBytes; ++idx) {
- const value = buffer[idx];
- assert.eq(value, 0x00);
- }
</del><ins>+ assertMemoryAllZero(memory);
</ins><span class="cx"> })();
</span><span class="cx">
</span><ins>+(function DataSectionEmptyOffTheEndWithEmptyMemory() {
+ const builder = (new Builder())
+ .Type().End()
+ .Import().Memory("imp", "memory", emptyMemory).End()
+ .Data()
+ .Segment([]).Offset(memSizeInPages * pageSizeInBytes).End()
+ .End();
+ const bin = builder.WebAssembly().get();
+ const module = new WebAssembly.Module(bin);
+ const memory = new WebAssembly.Memory(emptyMemory);
+ const instance = new WebAssembly.Instance(module, { imp: { memory: memory } });
+ assertMemoryAllZero(memory);
+})();
+
</ins><span class="cx"> (function DataSectionSeenByStart() {
</span><span class="cx"> const offset = 1024;
</span><span class="cx"> const builder = (new Builder())
</span></span></pre></div>
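Review bot: in DataSectionEmptyOffTheEndWithEmptyMemory the Memory is created from `emptyMemory` (`initial: 0`), so `memory.buffer` has length 0 and `assertMemoryAllZero(memory)` passes without examining a single byte; the check that carries weight here is that `new WebAssembly.Instance` does not throw, which is what the otherwise unused `const instance` binding expresses. Consider asserting on the instance directly (or dropping the binding) and adding a comment that this exercises the zero-length-segment corner case tracked by the FIXME above, since the new evaluate() code in WebAssemblyModuleRecord.cpp skips bounds checks entirely when `segment->sizeInBytes` is 0.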
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (209873 => 209874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-12-15 22:08:38 UTC (rev 209874)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-12-15 JF Bastien <jfbastien@apple.com>
+
+ WebAssembly API: improve data section errors, initialize after Element
+ https://bugs.webkit.org/show_bug.cgi?id=165733
+
+ Reviewed by Keith Miller.
+
+ * wasm/WasmModuleParser.cpp:
+ (JSC::Wasm::ModuleParser::parseData): Data section without Memory section or import is a validation error
+ * wasm/js/WebAssemblyModuleRecord.cpp:
+ (JSC::dataSegmentFail):
+ (JSC::WebAssemblyModuleRecord::evaluate): tighten checks (though the spec isn't fully baked), and move after Element initialization
+
</ins><span class="cx"> 2016-12-15 Keith Miller <keith_miller@apple.com>
</span><span class="cx">
</span><span class="cx"> Turn on WebAssembly by default
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmWasmModuleParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/WasmModuleParser.cpp (209873 => 209874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/WasmModuleParser.cpp        2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/Source/JavaScriptCore/wasm/WasmModuleParser.cpp        2016-12-15 22:08:38 UTC (rev 209874)
</span><span class="lines">@@ -724,6 +724,8 @@
</span><span class="cx"> bool ModuleParser::parseData()
</span><span class="cx"> {
</span><span class="cx"> uint32_t segmentCount;
</span><ins>+ if (!m_module->memory)
+ return false;
</ins><span class="cx"> if (!parseVarUInt32(segmentCount)
</span><span class="cx"> || segmentCount == std::numeric_limits<uint32_t>::max()
</span><span class="cx"> || !m_module->data.tryReserveCapacity(segmentCount))
</span></span></pre></div>
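Review bot: `if (!m_module->memory) return false;` rejects the section without recording why, so the only thing a caller sees is the generic "couldn't parse section Data" text that the new JS tests assert on; a specific message stating that a Data section requires a Memory definition or import would make the validation error actionable. Note also that the check precedes `parseVarUInt32(segmentCount)`, so a Data section with zero segments is rejected as well; that is the behaviour EmptyDataSectionWithoutMemory expects, but it deserves a comment since an empty section is otherwise harmless.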
<a id="trunkSourceJavaScriptCorewasmjsWebAssemblyModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (209873 => 209874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp        2016-12-15 22:08:26 UTC (rev 209873)
+++ trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp        2016-12-15 22:08:38 UTC (rev 209874)
</span><span class="lines">@@ -194,28 +194,17 @@
</span><span class="cx"> m_moduleEnvironment.set(vm, this, moduleEnvironment);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+template <typename Scope, typename N, typename ...Args>
+NEVER_INLINE static JSValue dataSegmentFail(ExecState* state, Scope& scope, N memorySize, N segmentSize, N offset, Args... args)
+{
+ return throwException(state, scope, createRangeError(state, makeString(ASCIILiteral("Invalid data segment initialization: segment of "), String::number(segmentSize), ASCIILiteral(" bytes memory of "), String::number(memorySize), ASCIILiteral(" bytes, at offset "), String::number(offset), args...)));
+}
+
</ins><span class="cx"> JSValue WebAssemblyModuleRecord::evaluate(ExecState* state)
</span><span class="cx"> {
</span><span class="cx"> VM& vm = state->vm();
</span><span class="cx"> auto scope = DECLARE_THROW_SCOPE(vm);
</span><span class="cx">
</span><del>- if (JSWebAssemblyMemory* jsMemory = m_instance->memory()) {
- uint8_t* memory = reinterpret_cast<uint8_t*>(jsMemory->memory()->memory());
- auto sizeInBytes = jsMemory->memory()->size();
- if (memory) {
- const Vector<Wasm::Segment::Ptr>& data = m_instance->module()->moduleInformation().data;
- for (auto& segment : data) {
- if (segment->sizeInBytes) {
- if (sizeInBytes < segment->sizeInBytes
- || segment->offset > sizeInBytes
- || segment->offset > sizeInBytes - segment->sizeInBytes)
- return throwException(state, scope, createRangeError(state, ASCIILiteral("Data segment initializes memory out of range")));
- memcpy(memory + segment->offset, &segment->byte(0), segment->sizeInBytes);
- }
- }
- }
- }
-
</del><span class="cx"> {
</span><span class="cx"> JSWebAssemblyModule* module = m_instance->module();
</span><span class="cx"> const Wasm::ModuleInformation& moduleInformation = module->moduleInformation();
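Review bot: the message assembled in dataSegmentFail reads `segment of N bytes memory of M bytes, at offset O` with nothing between `bytes` and `memory`; inserting a separator such as `, into memory of ` would make the RangeError readable, and the expected strings in test_Data.js would need the same edit. Also, one template parameter `N` covers memorySize, segmentSize and offset, so the call sites compile only while `sizeInBytes`, `segment->sizeInBytes` and `segment->offset` share a single type; giving each argument its own parameter, or using a fixed type such as uint64_t, avoids a deduction failure the next time one of those fields changes width.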
</span><span class="lines">@@ -261,6 +250,26 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ {
+ const Vector<Wasm::Segment::Ptr>& data = m_instance->module()->moduleInformation().data;
+ JSWebAssemblyMemory* jsMemory = m_instance->memory();
+ if (!data.isEmpty()) {
+ RELEASE_ASSERT(jsMemory); // It is a validation error for a Data section to exist without a Memory section or import.
+ uint8_t* memory = reinterpret_cast<uint8_t*>(jsMemory->memory()->memory());
+ RELEASE_ASSERT(memory);
+ auto sizeInBytes = jsMemory->memory()->size();
+ for (auto& segment : data) {
+ if (segment->sizeInBytes) {
+ if (UNLIKELY(sizeInBytes < segment->sizeInBytes))
+ return dataSegmentFail(state, scope, sizeInBytes, segment->sizeInBytes, segment->offset, ASCIILiteral(", segment is too big"));
+ if (UNLIKELY(segment->offset > sizeInBytes - segment->sizeInBytes))
+ return dataSegmentFail(state, scope, sizeInBytes, segment->sizeInBytes, segment->offset, ASCIILiteral(", segment writes outside of memory"));
+ memcpy(memory + segment->offset, &segment->byte(0), segment->sizeInBytes);
+ }
+ }
+ }
+ }
+
</ins><span class="cx"> if (WebAssemblyFunction* startFunction = m_startFunction.get()) {
</span><span class="cx"> ProtoCallFrame protoCallFrame;
</span><span class="cx"> protoCallFrame.init(nullptr, startFunction, JSValue(), 1, nullptr);
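Review bot: the bounds checks and the memcpy are interleaved per segment, so when a later segment fails validation the earlier segments have already been written; evaluate() then throws but the imported Memory is left partially initialized, which is the same on-failure observability this change fixes for Element-before-Data, and none of the new tests catch it because every module they build carries a single segment. Validate all segments in a first pass and copy in a second, and add a multi-segment test whose second segment is out of range. Two smaller points: the `if (segment->sizeInBytes)` guard means a zero-length segment with an offset beyond `sizeInBytes` is never range-checked (the FIXME in test_Data.js links the open spec question, so a comment here would help), and the two UNLIKELY checks are correct as ordered, since the first guarantees `sizeInBytes - segment->sizeInBytes` cannot underflow.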
</span><span class="lines">@@ -267,6 +276,7 @@
</span><span class="cx"> startFunction->call(vm, &protoCallFrame);
</span><span class="cx"> RETURN_IF_EXCEPTION(scope, { });
</span><span class="cx"> }
</span><ins>+
</ins><span class="cx"> return jsUndefined();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>