From 55b6c36e33622a53ecad2cd598807097f3590ef0 Mon Sep 17 00:00:00 2001
From: Benjamin Bouvier
Date: Thu, 5 Jul 2018 13:23:18 +0200
Subject: [PATCH] Bug 1472633: Check that ref types exist when used as inline block types; r=jseward
--HG--
extra : rebase_source : 4769b66af2da20095dcd687edeae534b8774e7a6
---
 js/src/jit-test/tests/wasm/gc/binary.js | 25 ++++++++++++++++++++++---
 js/src/wasm/WasmOpIter.h | 4 +++-
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/js/src/jit-test/tests/wasm/gc/binary.js b/js/src/jit-test/tests/wasm/gc/binary.js
index 199d9d1c6325..222a8e799a96
--- a/js/src/jit-test/tests/wasm/gc/binary.js
+++ b/js/src/jit-test/tests/wasm/gc/binary.js
@@ -4,6 +4,13 @@ if (!wasmGcEnabled()) {
 load(libdir + "wasm-binary.js");
+const v2vSig = {args:[], ret:VoidCode};
+const v2vSigSection = sigSection([v2vSig]);
+
+function checkInvalid(body, errorMessage) {
+ assertErrorMessage(() => new WebAssembly.Module(moduleWithSections([v2vSigSection, declSection([0]), bodySection([body])])), WebAssembly.CompileError, errorMessage);
+}
+
 const invalidRefNullBody = funcBody({locals:[], body:[
 RefNull,
 RefCode,
@@ -20,8 +27,20 @@ const invalidRefNullBody = funcBody({locals:[], body:[
 SelectCode,
 DropCode
 ]});
+checkInvalid(invalidRefNullBody, /invalid nullref type/);
-const v2vSig = {args:[], ret:VoidCode};
-const v2vSigSection = sigSection([v2vSig]);
+const invalidRefBlockType = funcBody({locals:[], body:[
+ BlockCode,
+ RefCode,
+ 0x42,
+ EndCode,
+]});
+checkInvalid(invalidRefBlockType, /invalid inline block type/);
-assertErrorMessage(() => new WebAssembly.Module(moduleWithSections([v2vSigSection, declSection([0]), bodySection([invalidRefNullBody])])), WebAssembly.CompileError, /invalid nullref type/);
+const invalidTooBigRefType = funcBody({locals:[], body:[
+ BlockCode,
+ RefCode,
+ varU32(1000000),
+ EndCode,
+]});
+checkInvalid(invalidTooBigRefType, /invalid inline block type/);
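Review bot: The two new cases in the second hunk only cover out-of-range indices (`0x42` against a one-entry type section, and `varU32(1000000)` beyond the MaxTypes cap); there is no positive case showing that an in-range `ref` block type is accepted, and no case for an in-range index that names a function signature rather than a struct type. With this module layout index `0` is the `v2vSig` signature, so a body of `BlockCode, RefCode, 0x00, EndCode` would exercise exactly that distinction, and whichever outcome is intended (accepted, or rejected with `/invalid inline block type/` or a kind-specific message) should be pinned by a test so the validator's behaviour on that input is not left implicit. The `checkInvalid` helper added in the first hunk would also benefit from a one-line comment, e.g. `// Build a one-function module (type 0 = v2v) around `body` and expect a CompileError matching errorMessage.`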
diff --git a/js/src/wasm/WasmOpIter.h b/js/src/wasm/WasmOpIter.h
index 87b5f2c010e5..f5bb7071ba5c
--- a/js/src/wasm/WasmOpIter.h
+++ b/js/src/wasm/WasmOpIter.h
@@ -1016,7 +1016,9 @@ OpIter::readBlockType(ExprType* type)
 known = true;
 break;
 case uint8_t(ExprType::Ref):
- known = env_.gcTypesEnabled == HasGcTypes::True;
+ known = env_.gcTypesEnabled == HasGcTypes::True &&
+ uncheckedRefTypeIndex < MaxTypes &&
+ uncheckedRefTypeIndex < env_.types.length();
 break;
 case uint8_t(ExprType::AnyRef):
 known = env_.gcTypesEnabled == HasGcTypes::True;
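Review bot: The new bounds check on `uncheckedRefTypeIndex` in the `ExprType::Ref` case only establishes that the index names some entry of `env_.types`; it does not check what kind of entry that is, so if `env_.types` is indexed by the same type-section index space that holds function signatures (the accompanying test builds its module from `sigSection` plus `declSection([0])`, which suggests it is), a block type `ref $f` naming a signature rather than a struct would be marked `known` here. If the value-type decoder used for locals and signatures rejects a `ref` to a non-struct entry, readBlockType should apply the same predicate, e.g. `uncheckedRefTypeIndex < env_.types.length() && env_.types[uncheckedRefTypeIndex].isStructType()` (or whatever that decoder uses), so block types and value types cannot disagree on which indices are valid. The `< MaxTypes` comparison is redundant if the type-section decoder already caps `env_.types.length()` at `MaxTypes`, though it is harmless and worth a one-line comment saying which of the two limits it is there to enforce. `readBlockType` starts and ends outside the hunk, and the read of `uncheckedRefTypeIndex` is not visible here.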