Bug 1668375 - wasm: Decode ref.null in element segments as heap type. r=lth

Because we special case the decoding code for element segments, the change to use heap types for ref.null wasn't propagated from OpIter. We should decode as a heap type here. Differential Revision: https://phabricator.services.mozilla.com/D91997
2020-10-05 15:47:37 +00:00 · 2020-10-05 15:47:37 +00:00 · 0cdf64bae1
--- a/js/src/jit-test/lib/wasm-binary.js
+++ b/js/src/jit-test/lib/wasm-binary.js
@ -374,6 +374,20 @@ function dataCountSection(count) {
    return { name: dataCountId, body };
 }

+function globalSection(globalArray) {
+    var body = [];
+    body.push(...varU32(globalArray.length));
+    for (let globalObj of globalArray) {
+        // Value type
+        body.push(...varU32(globalObj.valType));
+        // Flags
+        body.push(globalObj.flags & 255);
+        // Initializer expression
+        body.push(...globalObj.initExpr);
+    }
+    return { name: globalId, body };
+}
+
 function elemSection(elemArrays) {
    var body = [];
    body.push(...varU32(elemArrays.length));
--- a/js/src/jit-test/tests/wasm/function-references/binary.js
+++ b/js/src/jit-test/tests/wasm/function-references/binary.js
@ -0,0 +1,52 @@
+// |jit-test| skip-if: !wasmFunctionReferencesEnabled()
+
+load(libdir + "wasm-binary.js");
+
+const v2vSig = {args:[], ret:VoidCode};
+const v2vSigSection = sigSection([v2vSig]);
+
+function checkInvalid(binary, errorMessage) {
+    assertErrorMessage(() => new WebAssembly.Module(binary),
+        WebAssembly.CompileError,
+        errorMessage);
+}
+
+// The immediate of ref.null is a heap type, not a general reference type
+
+const invalidRefNullHeapBody = moduleWithSections([
+    v2vSigSection,
+    declSection([0]),
+    bodySection([
+        funcBody({locals:[], body:[
+            RefNullCode,
+            OptRefCode,
+            AnyFuncCode,
+            DropCode,
+        ]})
+    ])
+]);
+checkInvalid(invalidRefNullHeapBody, /invalid heap type/);
+
+const invalidRefNullHeapElem = moduleWithSections([
+    generalElemSection([
+        {
+            flag: PassiveElemExpr,
+            typeCode: AnyFuncCode,
+            elems: [
+                [RefNullCode, OptRefCode, AnyFuncCode, EndCode]
+            ]
+        }
+    ])
+]);
+checkInvalid(invalidRefNullHeapElem, /invalid heap type/);
+
+const invalidRefNullHeapGlobal = moduleWithSections([
+    globalSection([
+        {
+            valType: AnyFuncCode,
+            flag: 0,
+            initExpr: [RefNullCode, OptRefCode, AnyFuncCode, EndCode]
+        }
+    ])
+]);
+checkInvalid(invalidRefNullHeapGlobal, /invalid heap type/);
--- a/js/src/wasm/WasmValidate.cpp
+++ b/js/src/wasm/WasmValidate.cpp
@ -2770,7 +2770,7 @@ static bool DecodeElemSection(Decoder& d, ModuleEnvironment* env) {
            initType = RefType::func();
            break;
          case uint16_t(Op::RefNull):
-            if (!d.readRefType(env->types, env->features, &initType)) {
+            if (!d.readHeapType(env->types, env->features, true, &initType)) {
              return false;
            }
            needIndex = false;