Commit 0396b732 authored by Manos Koukoutos's avatar Manos Koukoutos Committed by Commit Bot

[wasm-gc] read_heap_type should check if index is in module bounds

read_heap_type did not have knowledge of the module for which the heap
type was being decoded. As a result, callers of read_heap_type (or
read_value_type, which in turn calls read_heap_type) had to check after
the fact that a decoded indexed type (ref, ref null, or rtt) references
a type index within the module's bounds. This was not done consistently,
and was missing (at least) in DecodeLocals.
To avoid such problems in the future, this CL refactors read_heap_type
to accept a module and check the decoded index against it.

Changes:
- Add WasmModule argument to read_heap_type. Do so accordingly to all
  its transitive callers (read_value_type, immediate arguments,
  DecodeLocalDecls, DecodeValue/HeapType in unittests).
- Add index check to read_heap_type and emit an error for an
  out-of-bounds index.
- Remove all other now-redundant index validations. Replace them with
  decoder->ok() if needed (since read_heap_type will now emit an error).
- Fix error message in Validate for BlockTypeImmediate.
- In DecodeLocalDecls in unittests, pass an empty module to
  DecodeLocalDecls in the main code.
- Add a unit test with an invalid index in local type declarations.

Bug: v8:9495
Change-Id: I4ed1204847db80f78b6ae85fa40d300cd2456295
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2569757Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71572}
parent 2bc979aa
...@@ -195,9 +195,12 @@ V8_INLINE WasmFeature feature_for_heap_type(HeapType heap_type) { ...@@ -195,9 +195,12 @@ V8_INLINE WasmFeature feature_for_heap_type(HeapType heap_type) {
} }
} }
// If {module} is not null, the read index will be checked against the module's
// type capacity.
template <Decoder::ValidateFlag validate> template <Decoder::ValidateFlag validate>
HeapType read_heap_type(Decoder* decoder, const byte* pc, HeapType read_heap_type(Decoder* decoder, const byte* pc,
uint32_t* const length, const WasmFeatures& enabled) { uint32_t* const length, const WasmModule* module,
const WasmFeatures& enabled) {
int64_t heap_index = decoder->read_i33v<validate>(pc, length, "heap type"); int64_t heap_index = decoder->read_i33v<validate>(pc, length, "heap type");
if (heap_index < 0) { if (heap_index < 0) {
int64_t min_1_byte_leb128 = -64; int64_t min_1_byte_leb128 = -64;
...@@ -248,6 +251,12 @@ HeapType read_heap_type(Decoder* decoder, const byte* pc, ...@@ -248,6 +251,12 @@ HeapType read_heap_type(Decoder* decoder, const byte* pc,
type_index, kV8MaxWasmTypes); type_index, kV8MaxWasmTypes);
return HeapType(HeapType::kBottom); return HeapType(HeapType::kBottom);
} }
// We use capacity over size so this works mid-DecodeTypeSection.
if (!VALIDATE(module == nullptr || type_index < module->types.capacity())) {
DecodeError<validate>(decoder, pc, "Type index %u is out of bounds",
type_index);
return HeapType(HeapType::kBottom);
}
return HeapType(type_index); return HeapType(type_index);
} }
} }
...@@ -259,7 +268,8 @@ HeapType read_heap_type(Decoder* decoder, const byte* pc, ...@@ -259,7 +268,8 @@ HeapType read_heap_type(Decoder* decoder, const byte* pc,
// kNoValidate. // kNoValidate.
template <Decoder::ValidateFlag validate> template <Decoder::ValidateFlag validate>
ValueType read_value_type(Decoder* decoder, const byte* pc, ValueType read_value_type(Decoder* decoder, const byte* pc,
uint32_t* const length, const WasmFeatures& enabled) { uint32_t* const length, const WasmModule* module,
const WasmFeatures& enabled) {
*length = 1; *length = 1;
byte val = decoder->read_u8<validate>(pc, "value type opcode"); byte val = decoder->read_u8<validate>(pc, "value type opcode");
if (decoder->failed()) { if (decoder->failed()) {
...@@ -306,7 +316,7 @@ ValueType read_value_type(Decoder* decoder, const byte* pc, ...@@ -306,7 +316,7 @@ ValueType read_value_type(Decoder* decoder, const byte* pc,
return kWasmBottom; return kWasmBottom;
} }
HeapType heap_type = HeapType heap_type =
read_heap_type<validate>(decoder, pc + 1, length, enabled); read_heap_type<validate>(decoder, pc + 1, length, module, enabled);
*length += 1; *length += 1;
return heap_type.is_bottom() ? kWasmBottom return heap_type.is_bottom() ? kWasmBottom
: ValueType::Ref(heap_type, nullability); : ValueType::Ref(heap_type, nullability);
...@@ -329,8 +339,8 @@ ValueType read_value_type(Decoder* decoder, const byte* pc, ...@@ -329,8 +339,8 @@ ValueType read_value_type(Decoder* decoder, const byte* pc,
return kWasmBottom; return kWasmBottom;
} }
uint32_t heap_type_length; uint32_t heap_type_length;
HeapType heap_type = read_heap_type<validate>(decoder, pc + *length, HeapType heap_type = read_heap_type<validate>(
&heap_type_length, enabled); decoder, pc + *length, &heap_type_length, module, enabled);
*length += heap_type_length; *length += heap_type_length;
return heap_type.is_bottom() ? kWasmBottom return heap_type.is_bottom() ? kWasmBottom
: ValueType::Rtt(heap_type, depth); : ValueType::Rtt(heap_type, depth);
...@@ -445,7 +455,7 @@ struct SelectTypeImmediate { ...@@ -445,7 +455,7 @@ struct SelectTypeImmediate {
ValueType type; ValueType type;
inline SelectTypeImmediate(const WasmFeatures& enabled, Decoder* decoder, inline SelectTypeImmediate(const WasmFeatures& enabled, Decoder* decoder,
const byte* pc) { const byte* pc, const WasmModule* module) {
uint8_t num_types = uint8_t num_types =
decoder->read_u32v<validate>(pc, &length, "number of select types"); decoder->read_u32v<validate>(pc, &length, "number of select types");
if (!VALIDATE(num_types == 1)) { if (!VALIDATE(num_types == 1)) {
...@@ -455,8 +465,8 @@ struct SelectTypeImmediate { ...@@ -455,8 +465,8 @@ struct SelectTypeImmediate {
return; return;
} }
uint32_t type_length; uint32_t type_length;
type = value_type_reader::read_value_type<validate>(decoder, pc + length, type = value_type_reader::read_value_type<validate>(
&type_length, enabled); decoder, pc + length, &type_length, module, enabled);
length += type_length; length += type_length;
} }
}; };
...@@ -469,7 +479,7 @@ struct BlockTypeImmediate { ...@@ -469,7 +479,7 @@ struct BlockTypeImmediate {
const FunctionSig* sig = nullptr; const FunctionSig* sig = nullptr;
inline BlockTypeImmediate(const WasmFeatures& enabled, Decoder* decoder, inline BlockTypeImmediate(const WasmFeatures& enabled, Decoder* decoder,
const byte* pc) { const byte* pc, const WasmModule* module) {
int64_t block_type = int64_t block_type =
decoder->read_i33v<validate>(pc, &length, "block type"); decoder->read_i33v<validate>(pc, &length, "block type");
if (block_type < 0) { if (block_type < 0) {
...@@ -483,7 +493,7 @@ struct BlockTypeImmediate { ...@@ -483,7 +493,7 @@ struct BlockTypeImmediate {
} }
if (static_cast<ValueTypeCode>(block_type & 0x7F) == kVoidCode) return; if (static_cast<ValueTypeCode>(block_type & 0x7F) == kVoidCode) return;
type = value_type_reader::read_value_type<validate>(decoder, pc, &length, type = value_type_reader::read_value_type<validate>(decoder, pc, &length,
enabled); module, enabled);
} else { } else {
if (!VALIDATE(enabled.has_mv())) { if (!VALIDATE(enabled.has_mv())) {
DecodeError<validate>(decoder, pc, DecodeError<validate>(decoder, pc,
...@@ -826,9 +836,9 @@ struct HeapTypeImmediate { ...@@ -826,9 +836,9 @@ struct HeapTypeImmediate {
uint32_t length = 1; uint32_t length = 1;
HeapType type = HeapType(HeapType::kBottom); HeapType type = HeapType(HeapType::kBottom);
inline HeapTypeImmediate(const WasmFeatures& enabled, Decoder* decoder, inline HeapTypeImmediate(const WasmFeatures& enabled, Decoder* decoder,
const byte* pc) { const byte* pc, const WasmModule* module) {
type = value_type_reader::read_heap_type<validate>(decoder, pc, &length, type = value_type_reader::read_heap_type<validate>(decoder, pc, &length,
enabled); module, enabled);
} }
}; };
...@@ -1172,7 +1182,7 @@ class WasmDecoder : public Decoder { ...@@ -1172,7 +1182,7 @@ class WasmDecoder : public Decoder {
*total_length += length; *total_length += length;
ValueType type = value_type_reader::read_value_type<validate>( ValueType type = value_type_reader::read_value_type<validate>(
this, pc + *total_length, &length, enabled_); this, pc + *total_length, &length, this->module_, enabled_);
if (!VALIDATE(type != kWasmBottom)) return -1; if (!VALIDATE(type != kWasmBottom)) return -1;
*total_length += length; *total_length += length;
total_count += count; total_count += count;
...@@ -1479,8 +1489,8 @@ class WasmDecoder : public Decoder { ...@@ -1479,8 +1489,8 @@ class WasmDecoder : public Decoder {
inline bool Validate(const byte* pc, BlockTypeImmediate<validate>& imm) { inline bool Validate(const byte* pc, BlockTypeImmediate<validate>& imm) {
if (!Complete(imm)) { if (!Complete(imm)) {
DecodeError(pc, "block type index %u out of bounds (%zu types)", DecodeError(pc, "block type index %u is not a signature definition",
imm.sig_index, module_->types.size()); imm.sig_index);
return false; return false;
} }
return true; return true;
...@@ -1578,19 +1588,6 @@ class WasmDecoder : public Decoder { ...@@ -1578,19 +1588,6 @@ class WasmDecoder : public Decoder {
return true; return true;
} }
inline bool Validate(const byte* pc, HeapTypeImmediate<validate>& imm) {
if (!VALIDATE(!imm.type.is_bottom())) {
DecodeError(pc, "invalid heap type");
return false;
}
if (!VALIDATE(imm.type.is_generic() ||
module_->has_type(imm.type.ref_index()))) {
DecodeError(pc, "Type index %u is out of bounds", imm.type.ref_index());
return false;
}
return true;
}
// Returns the length of the opcode under {pc}. // Returns the length of the opcode under {pc}.
static uint32_t OpcodeLength(WasmDecoder* decoder, const byte* pc) { static uint32_t OpcodeLength(WasmDecoder* decoder, const byte* pc) {
WasmOpcode opcode = static_cast<WasmOpcode>(*pc); WasmOpcode opcode = static_cast<WasmOpcode>(*pc);
...@@ -1611,7 +1608,8 @@ class WasmDecoder : public Decoder { ...@@ -1611,7 +1608,8 @@ class WasmDecoder : public Decoder {
case kExprIf: case kExprIf:
case kExprLoop: case kExprLoop:
case kExprBlock: { case kExprBlock: {
BlockTypeImmediate<validate> imm(WasmFeatures::All(), decoder, pc + 1); BlockTypeImmediate<validate> imm(WasmFeatures::All(), decoder, pc + 1,
nullptr);
return 1 + imm.length; return 1 + imm.length;
} }
case kExprBr: case kExprBr:
...@@ -1637,7 +1635,8 @@ class WasmDecoder : public Decoder { ...@@ -1637,7 +1635,8 @@ class WasmDecoder : public Decoder {
return 1 + imm.length; return 1 + imm.length;
} }
case kExprLet: { case kExprLet: {
BlockTypeImmediate<validate> imm(WasmFeatures::All(), decoder, pc + 1); BlockTypeImmediate<validate> imm(WasmFeatures::All(), decoder, pc + 1,
nullptr);
uint32_t locals_length; uint32_t locals_length;
int new_locals_count = decoder->DecodeLocals( int new_locals_count = decoder->DecodeLocals(
pc + 1 + imm.length, &locals_length, base::Optional<uint32_t>()); pc + 1 + imm.length, &locals_length, base::Optional<uint32_t>());
...@@ -1662,7 +1661,8 @@ class WasmDecoder : public Decoder { ...@@ -1662,7 +1661,8 @@ class WasmDecoder : public Decoder {
case kExprSelect: case kExprSelect:
return 1; return 1;
case kExprSelectWithType: { case kExprSelectWithType: {
SelectTypeImmediate<validate> imm(WasmFeatures::All(), decoder, pc + 1); SelectTypeImmediate<validate> imm(WasmFeatures::All(), decoder, pc + 1,
nullptr);
return 1 + imm.length; return 1 + imm.length;
} }
case kExprLocalGet: case kExprLocalGet:
...@@ -1694,7 +1694,8 @@ class WasmDecoder : public Decoder { ...@@ -1694,7 +1694,8 @@ class WasmDecoder : public Decoder {
case kExprF64Const: case kExprF64Const:
return 9; return 9;
case kExprRefNull: { case kExprRefNull: {
HeapTypeImmediate<validate> imm(WasmFeatures::All(), decoder, pc + 1); HeapTypeImmediate<validate> imm(WasmFeatures::All(), decoder, pc + 1,
nullptr);
return 1 + imm.length; return 1 + imm.length;
} }
case kExprRefIsNull: { case kExprRefIsNull: {
...@@ -1881,7 +1882,7 @@ class WasmDecoder : public Decoder { ...@@ -1881,7 +1882,7 @@ class WasmDecoder : public Decoder {
// TODO(7748): Account for rtt.sub's additional immediates if // TODO(7748): Account for rtt.sub's additional immediates if
// they stick. // they stick.
HeapTypeImmediate<validate> imm(WasmFeatures::All(), decoder, HeapTypeImmediate<validate> imm(WasmFeatures::All(), decoder,
pc + length); pc + length, nullptr);
return length + imm.length; return length + imm.length;
} }
case kExprI31New: case kExprI31New:
...@@ -1891,9 +1892,9 @@ class WasmDecoder : public Decoder { ...@@ -1891,9 +1892,9 @@ class WasmDecoder : public Decoder {
case kExprRefTest: case kExprRefTest:
case kExprRefCast: { case kExprRefCast: {
HeapTypeImmediate<validate> ht1(WasmFeatures::All(), decoder, HeapTypeImmediate<validate> ht1(WasmFeatures::All(), decoder,
pc + length); pc + length, nullptr);
HeapTypeImmediate<validate> ht2(WasmFeatures::All(), decoder, HeapTypeImmediate<validate> ht2(WasmFeatures::All(), decoder,
pc + length + ht1.length); pc + length + ht1.length, nullptr);
return length + ht1.length + ht2.length; return length + ht1.length + ht2.length;
} }
default: default:
...@@ -2371,7 +2372,8 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -2371,7 +2372,8 @@ class WasmFullDecoder : public WasmDecoder<validate> {
#undef BUILD_SIMPLE_OPCODE #undef BUILD_SIMPLE_OPCODE
DECODE(Block) { DECODE(Block) {
BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1); BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1,
this->module_);
if (!this->Validate(this->pc_ + 1, imm)) return 0; if (!this->Validate(this->pc_ + 1, imm)) return 0;
ArgVector args = PopArgs(imm.sig); ArgVector args = PopArgs(imm.sig);
Control* block = PushControl(kControlBlock); Control* block = PushControl(kControlBlock);
...@@ -2401,7 +2403,8 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -2401,7 +2403,8 @@ class WasmFullDecoder : public WasmDecoder<validate> {
DECODE(Try) { DECODE(Try) {
CHECK_PROTOTYPE_OPCODE(eh); CHECK_PROTOTYPE_OPCODE(eh);
BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1); BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1,
this->module_);
if (!this->Validate(this->pc_ + 1, imm)) return 0; if (!this->Validate(this->pc_ + 1, imm)) return 0;
ArgVector args = PopArgs(imm.sig); ArgVector args = PopArgs(imm.sig);
Control* try_block = PushControl(kControlTry); Control* try_block = PushControl(kControlTry);
...@@ -2501,7 +2504,8 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -2501,7 +2504,8 @@ class WasmFullDecoder : public WasmDecoder<validate> {
DECODE(Let) { DECODE(Let) {
CHECK_PROTOTYPE_OPCODE(typed_funcref); CHECK_PROTOTYPE_OPCODE(typed_funcref);
BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1); BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1,
this->module_);
if (!this->Validate(this->pc_ + 1, imm)) return 0; if (!this->Validate(this->pc_ + 1, imm)) return 0;
// Temporarily add the let-defined values to the beginning of the function // Temporarily add the let-defined values to the beginning of the function
// locals. // locals.
...@@ -2524,7 +2528,8 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -2524,7 +2528,8 @@ class WasmFullDecoder : public WasmDecoder<validate> {
} }
DECODE(Loop) { DECODE(Loop) {
BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1); BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1,
this->module_);
if (!this->Validate(this->pc_ + 1, imm)) return 0; if (!this->Validate(this->pc_ + 1, imm)) return 0;
ArgVector args = PopArgs(imm.sig); ArgVector args = PopArgs(imm.sig);
Control* block = PushControl(kControlLoop); Control* block = PushControl(kControlLoop);
...@@ -2535,7 +2540,8 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -2535,7 +2540,8 @@ class WasmFullDecoder : public WasmDecoder<validate> {
} }
DECODE(If) { DECODE(If) {
BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1); BlockTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1,
this->module_);
if (!this->Validate(this->pc_ + 1, imm)) return 0; if (!this->Validate(this->pc_ + 1, imm)) return 0;
Value cond = Pop(0, kWasmI32); Value cond = Pop(0, kWasmI32);
ArgVector args = PopArgs(imm.sig); ArgVector args = PopArgs(imm.sig);
...@@ -2631,7 +2637,8 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -2631,7 +2637,8 @@ class WasmFullDecoder : public WasmDecoder<validate> {
DECODE(SelectWithType) { DECODE(SelectWithType) {
CHECK_PROTOTYPE_OPCODE(reftypes); CHECK_PROTOTYPE_OPCODE(reftypes);
SelectTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1); SelectTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1,
this->module_);
if (this->failed()) return 0; if (this->failed()) return 0;
Value cond = Pop(2, kWasmI32); Value cond = Pop(2, kWasmI32);
Value fval = Pop(1, imm.type); Value fval = Pop(1, imm.type);
...@@ -2773,8 +2780,9 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -2773,8 +2780,9 @@ class WasmFullDecoder : public WasmDecoder<validate> {
DECODE(RefNull) { DECODE(RefNull) {
CHECK_PROTOTYPE_OPCODE(reftypes); CHECK_PROTOTYPE_OPCODE(reftypes);
HeapTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1); HeapTypeImmediate<validate> imm(this->enabled_, this, this->pc_ + 1,
if (!this->Validate(this->pc_ + 1, imm)) return 0; this->module_);
if (!VALIDATE(this->ok())) return 0;
ValueType type = ValueType::Ref(imm.type, kNullable); ValueType type = ValueType::Ref(imm.type, kNullable);
Value* value = Push(type); Value* value = Push(type);
CALL_INTERFACE_IF_REACHABLE(RefNull, type, value); CALL_INTERFACE_IF_REACHABLE(RefNull, type, value);
...@@ -3937,9 +3945,9 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -3937,9 +3945,9 @@ class WasmFullDecoder : public WasmDecoder<validate> {
return opcode_length; return opcode_length;
} }
case kExprRttCanon: { case kExprRttCanon: {
HeapTypeImmediate<validate> imm(this->enabled_, this, HeapTypeImmediate<validate> imm(
this->pc_ + opcode_length); this->enabled_, this, this->pc_ + opcode_length, this->module_);
if (!this->Validate(this->pc_ + opcode_length, imm)) return 0; if (!VALIDATE(this->ok())) return 0;
Value* value = Value* value =
Push(ValueType::Rtt(imm.type, imm.type == HeapType::kAny ? 0 : 1)); Push(ValueType::Rtt(imm.type, imm.type == HeapType::kAny ? 0 : 1));
CALL_INTERFACE_IF_REACHABLE(RttCanon, imm, value); CALL_INTERFACE_IF_REACHABLE(RttCanon, imm, value);
...@@ -3952,9 +3960,9 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -3952,9 +3960,9 @@ class WasmFullDecoder : public WasmDecoder<validate> {
// If these immediates don't get dropped (in the spirit of // If these immediates don't get dropped (in the spirit of
// https://github.com/WebAssembly/function-references/pull/31 ), // https://github.com/WebAssembly/function-references/pull/31 ),
// implement them here. // implement them here.
HeapTypeImmediate<validate> imm(this->enabled_, this, HeapTypeImmediate<validate> imm(
this->pc_ + opcode_length); this->enabled_, this, this->pc_ + opcode_length, this->module_);
if (!this->Validate(this->pc_ + opcode_length, imm)) return 0; if (!VALIDATE(this->ok())) return 0;
Value parent = Pop(0); Value parent = Pop(0);
if (parent.type.is_bottom()) { if (parent.type.is_bottom()) {
Push(kWasmBottom); Push(kWasmBottom);
...@@ -3986,14 +3994,14 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -3986,14 +3994,14 @@ class WasmFullDecoder : public WasmDecoder<validate> {
} }
case kExprRefTest: { case kExprRefTest: {
// "Tests whether {obj}'s runtime type is a runtime subtype of {rtt}." // "Tests whether {obj}'s runtime type is a runtime subtype of {rtt}."
HeapTypeImmediate<validate> obj_type(this->enabled_, this, HeapTypeImmediate<validate> obj_type(
this->pc_ + opcode_length); this->enabled_, this, this->pc_ + opcode_length, this->module_);
if (!this->Validate(this->pc_ + opcode_length, obj_type)) return 0;
int len = opcode_length + obj_type.length; int len = opcode_length + obj_type.length;
HeapTypeImmediate<validate> rtt_type(this->enabled_, this, HeapTypeImmediate<validate> rtt_type(this->enabled_, this,
this->pc_ + len); this->pc_ + len, this->module_);
if (!this->Validate(this->pc_ + len, rtt_type)) return 0;
len += rtt_type.length; len += rtt_type.length;
if (!VALIDATE(this->ok())) return 0;
// The static type of {obj} must be a supertype of the {rtt}'s type. // The static type of {obj} must be a supertype of the {rtt}'s type.
if (!VALIDATE(IsSubtypeOf(ValueType::Ref(rtt_type.type, kNonNullable), if (!VALIDATE(IsSubtypeOf(ValueType::Ref(rtt_type.type, kNonNullable),
ValueType::Ref(obj_type.type, kNonNullable), ValueType::Ref(obj_type.type, kNonNullable),
...@@ -4017,14 +4025,14 @@ class WasmFullDecoder : public WasmDecoder<validate> { ...@@ -4017,14 +4025,14 @@ class WasmFullDecoder : public WasmDecoder<validate> {
return len; return len;
} }
case kExprRefCast: { case kExprRefCast: {
HeapTypeImmediate<validate> obj_type(this->enabled_, this, HeapTypeImmediate<validate> obj_type(
this->pc_ + opcode_length); this->enabled_, this, this->pc_ + opcode_length, this->module_);
if (!this->Validate(this->pc_ + opcode_length, obj_type)) return 0;
int len = opcode_length + obj_type.length; int len = opcode_length + obj_type.length;
HeapTypeImmediate<validate> rtt_type(this->enabled_, this, HeapTypeImmediate<validate> rtt_type(this->enabled_, this,
this->pc_ + len); this->pc_ + len, this->module_);
if (!this->Validate(this->pc_ + len, rtt_type)) return 0;
len += rtt_type.length; len += rtt_type.length;
if (!VALIDATE(this->ok())) return 0;
if (!VALIDATE(IsSubtypeOf(ValueType::Ref(rtt_type.type, kNonNullable), if (!VALIDATE(IsSubtypeOf(ValueType::Ref(rtt_type.type, kNonNullable),
ValueType::Ref(obj_type.type, kNonNullable), ValueType::Ref(obj_type.type, kNonNullable),
this->module_))) { this->module_))) {
......
...@@ -20,11 +20,12 @@ namespace internal { ...@@ -20,11 +20,12 @@ namespace internal {
namespace wasm { namespace wasm {
bool DecodeLocalDecls(const WasmFeatures& enabled, BodyLocalDecls* decls, bool DecodeLocalDecls(const WasmFeatures& enabled, BodyLocalDecls* decls,
const byte* start, const byte* end) { const WasmModule* module, const byte* start,
const byte* end) {
WasmFeatures no_features = WasmFeatures::None(); WasmFeatures no_features = WasmFeatures::None();
Zone* zone = decls->type_list.get_allocator().zone(); Zone* zone = decls->type_list.get_allocator().zone();
WasmDecoder<Decoder::kFullValidation> decoder( WasmDecoder<Decoder::kFullValidation> decoder(
zone, nullptr, enabled, &no_features, nullptr, start, end, 0); zone, module, enabled, &no_features, nullptr, start, end, 0);
uint32_t length; uint32_t length;
if (decoder.DecodeLocals(decoder.pc(), &length, 0) < 0) { if (decoder.DecodeLocals(decoder.pc(), &length, 0) < 0) {
decls->encoded_size = 0; decls->encoded_size = 0;
...@@ -42,7 +43,7 @@ BytecodeIterator::BytecodeIterator(const byte* start, const byte* end, ...@@ -42,7 +43,7 @@ BytecodeIterator::BytecodeIterator(const byte* start, const byte* end,
BodyLocalDecls* decls) BodyLocalDecls* decls)
: Decoder(start, end) { : Decoder(start, end) {
if (decls != nullptr) { if (decls != nullptr) {
if (DecodeLocalDecls(WasmFeatures::All(), decls, start, end)) { if (DecodeLocalDecls(WasmFeatures::All(), decls, nullptr, start, end)) {
pc_ += decls->encoded_size; pc_ += decls->encoded_size;
if (pc_ > end_) pc_ = end_; if (pc_ > end_) pc_ = end_;
} }
...@@ -244,7 +245,7 @@ bool PrintRawWasmCode(AccountingAllocator* allocator, const FunctionBody& body, ...@@ -244,7 +245,7 @@ bool PrintRawWasmCode(AccountingAllocator* allocator, const FunctionBody& body,
case kExprBlock: case kExprBlock:
case kExprTry: { case kExprTry: {
BlockTypeImmediate<Decoder::kNoValidation> imm(WasmFeatures::All(), &i, BlockTypeImmediate<Decoder::kNoValidation> imm(WasmFeatures::All(), &i,
i.pc() + 1); i.pc() + 1, module);
os << " @" << i.pc_offset(); os << " @" << i.pc_offset();
if (decoder.Complete(imm)) { if (decoder.Complete(imm)) {
for (uint32_t i = 0; i < imm.out_arity(); i++) { for (uint32_t i = 0; i < imm.out_arity(); i++) {
......
...@@ -67,6 +67,7 @@ struct BodyLocalDecls { ...@@ -67,6 +67,7 @@ struct BodyLocalDecls {
V8_EXPORT_PRIVATE bool DecodeLocalDecls(const WasmFeatures& enabled, V8_EXPORT_PRIVATE bool DecodeLocalDecls(const WasmFeatures& enabled,
BodyLocalDecls* decls, BodyLocalDecls* decls,
const WasmModule* module,
const byte* start, const byte* end); const byte* start, const byte* end);
V8_EXPORT_PRIVATE BitVector* AnalyzeLoopAssignmentForTesting( V8_EXPORT_PRIVATE BitVector* AnalyzeLoopAssignmentForTesting(
......
...@@ -1648,22 +1648,6 @@ class ModuleDecoderImpl : public Decoder { ...@@ -1648,22 +1648,6 @@ class ModuleDecoderImpl : public Decoder {
return true; return true;
} }
// TODO(manoskouk): This is copy-modified from function-body-decoder-impl.h.
// We should find a way to share this code.
V8_INLINE bool Validate(const byte* pc,
HeapTypeImmediate<kFullValidation>& imm) {
if (V8_UNLIKELY(imm.type.is_bottom())) {
error(pc, "invalid heap type");
return false;
}
if (V8_UNLIKELY(!(imm.type.is_generic() ||
module_->has_type(imm.type.ref_index())))) {
errorf(pc, "Type index %u is out of bounds", imm.type.ref_index());
return false;
}
return true;
}
WasmInitExpr consume_init_expr(WasmModule* module, ValueType expected, WasmInitExpr consume_init_expr(WasmModule* module, ValueType expected,
size_t current_global_index) { size_t current_global_index) {
constexpr Decoder::ValidateFlag validate = Decoder::kFullValidation; constexpr Decoder::ValidateFlag validate = Decoder::kFullValidation;
...@@ -1735,10 +1719,10 @@ class ModuleDecoderImpl : public Decoder { ...@@ -1735,10 +1719,10 @@ class ModuleDecoderImpl : public Decoder {
kExprRefNull); kExprRefNull);
return {}; return {};
} }
HeapTypeImmediate<Decoder::kFullValidation> imm(enabled_features_, HeapTypeImmediate<Decoder::kFullValidation> imm(
this, pc() + 1); enabled_features_, this, pc() + 1, module_.get());
if (V8_UNLIKELY(failed())) return {};
len = 1 + imm.length; len = 1 + imm.length;
if (!Validate(pc() + 1, imm)) return {};
stack.push_back( stack.push_back(
WasmInitExpr::RefNullConst(imm.type.representation())); WasmInitExpr::RefNullConst(imm.type.representation()));
break; break;
...@@ -1786,19 +1770,19 @@ class ModuleDecoderImpl : public Decoder { ...@@ -1786,19 +1770,19 @@ class ModuleDecoderImpl : public Decoder {
opcode = read_prefixed_opcode<validate>(pc(), &len); opcode = read_prefixed_opcode<validate>(pc(), &len);
switch (opcode) { switch (opcode) {
case kExprRttCanon: { case kExprRttCanon: {
HeapTypeImmediate<validate> imm(enabled_features_, this, HeapTypeImmediate<validate> imm(enabled_features_, this, pc() + 2,
pc() + 2); module_.get());
if (V8_UNLIKELY(failed())) return {};
len += imm.length; len += imm.length;
if (!Validate(pc() + len, imm)) return {};
stack.push_back( stack.push_back(
WasmInitExpr::RttCanon(imm.type.representation())); WasmInitExpr::RttCanon(imm.type.representation()));
break; break;
} }
case kExprRttSub: { case kExprRttSub: {
HeapTypeImmediate<validate> imm(enabled_features_, this, HeapTypeImmediate<validate> imm(enabled_features_, this, pc() + 2,
pc() + 2); module_.get());
if (V8_UNLIKELY(failed())) return {};
len += imm.length; len += imm.length;
if (!Validate(pc() + len, imm)) return {};
if (stack.empty()) { if (stack.empty()) {
error(pc(), "calling rtt.sub without arguments"); error(pc(), "calling rtt.sub without arguments");
return {}; return {};
...@@ -1870,13 +1854,8 @@ class ModuleDecoderImpl : public Decoder { ...@@ -1870,13 +1854,8 @@ class ModuleDecoderImpl : public Decoder {
ValueType consume_value_type() { ValueType consume_value_type() {
uint32_t type_length; uint32_t type_length;
ValueType result = value_type_reader::read_value_type<kFullValidation>( ValueType result = value_type_reader::read_value_type<kFullValidation>(
this, this->pc(), &type_length, this, this->pc(), &type_length, module_.get(),
origin_ == kWasmOrigin ? enabled_features_ : WasmFeatures::None()); origin_ == kWasmOrigin ? enabled_features_ : WasmFeatures::None());
// We use capacity() over size() so this function works
// mid-DecodeTypeSection.
if (result.has_index() && result.ref_index() >= module_->types.capacity()) {
errorf(pc(), "Type index %u is out of bounds", result.ref_index());
}
consume_bytes(type_length, "value type"); consume_bytes(type_length, "value type");
return result; return result;
} }
...@@ -2166,7 +2145,7 @@ class ModuleDecoderImpl : public Decoder { ...@@ -2166,7 +2145,7 @@ class ModuleDecoderImpl : public Decoder {
switch (opcode) { switch (opcode) {
case kExprRefNull: { case kExprRefNull: {
HeapTypeImmediate<kFullValidation> imm(WasmFeatures::All(), this, HeapTypeImmediate<kFullValidation> imm(WasmFeatures::All(), this,
this->pc()); this->pc(), module_.get());
consume_bytes(imm.length, "ref.null immediate"); consume_bytes(imm.length, "ref.null immediate");
index = WasmElemSegment::kNullIndex; index = WasmElemSegment::kNullIndex;
break; break;
......
...@@ -790,8 +790,8 @@ class SideTable : public ZoneObject { ...@@ -790,8 +790,8 @@ class SideTable : public ZoneObject {
case kExprBlock: case kExprBlock:
case kExprLoop: { case kExprLoop: {
bool is_loop = opcode == kExprLoop; bool is_loop = opcode == kExprLoop;
BlockTypeImmediate<Decoder::kNoValidation> imm(WasmFeatures::All(), BlockTypeImmediate<Decoder::kNoValidation> imm(
&i, i.pc() + 1); WasmFeatures::All(), &i, i.pc() + 1, module);
if (imm.type == kWasmBottom) { if (imm.type == kWasmBottom) {
imm.sig = module->signature(imm.sig_index); imm.sig = module->signature(imm.sig_index);
} }
...@@ -812,8 +812,8 @@ class SideTable : public ZoneObject { ...@@ -812,8 +812,8 @@ class SideTable : public ZoneObject {
break; break;
} }
case kExprIf: { case kExprIf: {
BlockTypeImmediate<Decoder::kNoValidation> imm(WasmFeatures::All(), BlockTypeImmediate<Decoder::kNoValidation> imm(
&i, i.pc() + 1); WasmFeatures::All(), &i, i.pc() + 1, module);
if (imm.type == kWasmBottom) { if (imm.type == kWasmBottom) {
imm.sig = module->signature(imm.sig_index); imm.sig = module->signature(imm.sig_index);
} }
...@@ -852,8 +852,8 @@ class SideTable : public ZoneObject { ...@@ -852,8 +852,8 @@ class SideTable : public ZoneObject {
break; break;
} }
case kExprTry: { case kExprTry: {
BlockTypeImmediate<Decoder::kNoValidation> imm(WasmFeatures::All(), BlockTypeImmediate<Decoder::kNoValidation> imm(
&i, i.pc() + 1); WasmFeatures::All(), &i, i.pc() + 1, module);
if (imm.type == kWasmBottom) { if (imm.type == kWasmBottom) {
imm.sig = module->signature(imm.sig_index); imm.sig = module->signature(imm.sig_index);
} }
...@@ -3262,13 +3262,13 @@ class WasmInterpreterInternals { ...@@ -3262,13 +3262,13 @@ class WasmInterpreterInternals {
case kExprLoop: case kExprLoop:
case kExprTry: { case kExprTry: {
BlockTypeImmediate<Decoder::kNoValidation> imm( BlockTypeImmediate<Decoder::kNoValidation> imm(
WasmFeatures::All(), &decoder, code->at(pc + 1)); WasmFeatures::All(), &decoder, code->at(pc + 1), module());
len = 1 + imm.length; len = 1 + imm.length;
break; break;
} }
case kExprIf: { case kExprIf: {
BlockTypeImmediate<Decoder::kNoValidation> imm( BlockTypeImmediate<Decoder::kNoValidation> imm(
WasmFeatures::All(), &decoder, code->at(pc + 1)); WasmFeatures::All(), &decoder, code->at(pc + 1), module());
WasmValue cond = Pop(); WasmValue cond = Pop();
bool is_true = cond.to<uint32_t>() != 0; bool is_true = cond.to<uint32_t>() != 0;
if (is_true) { if (is_true) {
...@@ -3328,7 +3328,7 @@ class WasmInterpreterInternals { ...@@ -3328,7 +3328,7 @@ class WasmInterpreterInternals {
} }
case kExprSelectWithType: { case kExprSelectWithType: {
SelectTypeImmediate<Decoder::kNoValidation> imm( SelectTypeImmediate<Decoder::kNoValidation> imm(
WasmFeatures::All(), &decoder, code->at(pc + 1)); WasmFeatures::All(), &decoder, code->at(pc + 1), module());
len = 1 + imm.length; len = 1 + imm.length;
V8_FALLTHROUGH; V8_FALLTHROUGH;
} }
...@@ -3417,7 +3417,7 @@ class WasmInterpreterInternals { ...@@ -3417,7 +3417,7 @@ class WasmInterpreterInternals {
} }
case kExprRefNull: { case kExprRefNull: {
HeapTypeImmediate<Decoder::kNoValidation> imm( HeapTypeImmediate<Decoder::kNoValidation> imm(
WasmFeatures::All(), &decoder, code->at(pc + 1)); WasmFeatures::All(), &decoder, code->at(pc + 1), module());
len = 1 + imm.length; len = 1 + imm.length;
Push(WasmValue(isolate_->factory()->null_value())); Push(WasmValue(isolate_->factory()->null_value()));
break; break;
......
...@@ -269,7 +269,7 @@ void GenerateTestCase(Isolate* isolate, ModuleWireBytes wire_bytes, ...@@ -269,7 +269,7 @@ void GenerateTestCase(Isolate* isolate, ModuleWireBytes wire_bytes,
// Add locals. // Add locals.
BodyLocalDecls decls(&tmp_zone); BodyLocalDecls decls(&tmp_zone);
DecodeLocalDecls(enabled_features, &decls, func_code.begin(), DecodeLocalDecls(enabled_features, &decls, module, func_code.begin(),
func_code.end()); func_code.end());
if (!decls.type_list.empty()) { if (!decls.type_list.empty()) {
os << " "; os << " ";
......
...@@ -4663,18 +4663,20 @@ TEST_F(WasmOpcodeLengthTest, PrefixedOpcodesLEB) { ...@@ -4663,18 +4663,20 @@ TEST_F(WasmOpcodeLengthTest, PrefixedOpcodesLEB) {
class TypeReaderTest : public TestWithZone { class TypeReaderTest : public TestWithZone {
public: public:
ValueType DecodeValueType(const byte* start, const byte* end) { ValueType DecodeValueType(const byte* start, const byte* end,
const WasmModule* module) {
Decoder decoder(start, end); Decoder decoder(start, end);
uint32_t length; uint32_t length;
return value_type_reader::read_value_type<Decoder::kFullValidation>( return value_type_reader::read_value_type<Decoder::kFullValidation>(
&decoder, start, &length, enabled_features_); &decoder, start, &length, module, enabled_features_);
} }
HeapType DecodeHeapType(const byte* start, const byte* end) { HeapType DecodeHeapType(const byte* start, const byte* end,
const WasmModule* module) {
Decoder decoder(start, end); Decoder decoder(start, end);
uint32_t length; uint32_t length;
return value_type_reader::read_heap_type<Decoder::kFullValidation>( return value_type_reader::read_heap_type<Decoder::kFullValidation>(
&decoder, start, &length, enabled_features_); &decoder, start, &length, module, enabled_features_);
} }
// This variable is modified by WASM_FEATURE_SCOPE. // This variable is modified by WASM_FEATURE_SCOPE.
...@@ -4692,34 +4694,34 @@ TEST_F(TypeReaderTest, HeapTypeDecodingTest) { ...@@ -4692,34 +4694,34 @@ TEST_F(TypeReaderTest, HeapTypeDecodingTest) {
// 1- to 5-byte representation of kFuncRefCode. // 1- to 5-byte representation of kFuncRefCode.
{ {
const byte data[] = {kFuncRefCode}; const byte data[] = {kFuncRefCode};
HeapType result = DecodeHeapType(data, data + sizeof(data)); HeapType result = DecodeHeapType(data, data + sizeof(data), nullptr);
EXPECT_TRUE(result == heap_func); EXPECT_TRUE(result == heap_func);
} }
{ {
const byte data[] = {kFuncRefCode | 0x80, 0x7F}; const byte data[] = {kFuncRefCode | 0x80, 0x7F};
HeapType result = DecodeHeapType(data, data + sizeof(data)); HeapType result = DecodeHeapType(data, data + sizeof(data), nullptr);
EXPECT_EQ(result, heap_func); EXPECT_EQ(result, heap_func);
} }
{ {
const byte data[] = {kFuncRefCode | 0x80, 0xFF, 0x7F}; const byte data[] = {kFuncRefCode | 0x80, 0xFF, 0x7F};
HeapType result = DecodeHeapType(data, data + sizeof(data)); HeapType result = DecodeHeapType(data, data + sizeof(data), nullptr);
EXPECT_EQ(result, heap_func); EXPECT_EQ(result, heap_func);
} }
{ {
const byte data[] = {kFuncRefCode | 0x80, 0xFF, 0xFF, 0x7F}; const byte data[] = {kFuncRefCode | 0x80, 0xFF, 0xFF, 0x7F};
HeapType result = DecodeHeapType(data, data + sizeof(data)); HeapType result = DecodeHeapType(data, data + sizeof(data), nullptr);
EXPECT_EQ(result, heap_func); EXPECT_EQ(result, heap_func);
} }
{ {
const byte data[] = {kFuncRefCode | 0x80, 0xFF, 0xFF, 0xFF, 0x7F}; const byte data[] = {kFuncRefCode | 0x80, 0xFF, 0xFF, 0xFF, 0x7F};
HeapType result = DecodeHeapType(data, data + sizeof(data)); HeapType result = DecodeHeapType(data, data + sizeof(data), nullptr);
EXPECT_EQ(result, heap_func); EXPECT_EQ(result, heap_func);
} }
{ {
// Some negative number. // Some negative number.
const byte data[] = {0xB4, 0x7F}; const byte data[] = {0xB4, 0x7F};
HeapType result = DecodeHeapType(data, data + sizeof(data)); HeapType result = DecodeHeapType(data, data + sizeof(data), nullptr);
EXPECT_EQ(result, heap_bottom); EXPECT_EQ(result, heap_bottom);
} }
...@@ -4728,7 +4730,7 @@ TEST_F(TypeReaderTest, HeapTypeDecodingTest) { ...@@ -4728,7 +4730,7 @@ TEST_F(TypeReaderTest, HeapTypeDecodingTest) {
// range. This should therefore NOT be decoded as HeapType::kFunc and // range. This should therefore NOT be decoded as HeapType::kFunc and
// instead fail. // instead fail.
const byte data[] = {kFuncRefCode | 0x80, 0x6F}; const byte data[] = {kFuncRefCode | 0x80, 0x6F};
HeapType result = DecodeHeapType(data, data + sizeof(data)); HeapType result = DecodeHeapType(data, data + sizeof(data), nullptr);
EXPECT_EQ(result, heap_bottom); EXPECT_EQ(result, heap_bottom);
} }
} }
...@@ -4750,7 +4752,9 @@ class LocalDeclDecoderTest : public TestWithZone { ...@@ -4750,7 +4752,9 @@ class LocalDeclDecoderTest : public TestWithZone {
bool DecodeLocalDecls(BodyLocalDecls* decls, const byte* start, bool DecodeLocalDecls(BodyLocalDecls* decls, const byte* start,
const byte* end) { const byte* end) {
return i::wasm::DecodeLocalDecls(enabled_features_, decls, start, end); WasmModule module;
return i::wasm::DecodeLocalDecls(enabled_features_, decls, &module, start,
end);
} }
}; };
...@@ -4877,6 +4881,20 @@ TEST_F(LocalDeclDecoderTest, ExnRef) { ...@@ -4877,6 +4881,20 @@ TEST_F(LocalDeclDecoderTest, ExnRef) {
EXPECT_EQ(type, map[0]); EXPECT_EQ(type, map[0]);
} }
TEST_F(LocalDeclDecoderTest, InvalidTypeIndex) {
WASM_FEATURE_SCOPE(reftypes);
WASM_FEATURE_SCOPE(typed_funcref);
const byte* data = nullptr;
const byte* end = nullptr;
LocalDeclEncoder local_decls(zone());
local_decls.AddLocals(1, ValueType::Ref(0, kNullable));
BodyLocalDecls decls(zone());
bool result = DecodeLocalDecls(&decls, data, end);
EXPECT_FALSE(result);
}
class BytecodeIteratorTest : public TestWithZone {}; class BytecodeIteratorTest : public TestWithZone {};
TEST_F(BytecodeIteratorTest, SimpleForeach) { TEST_F(BytecodeIteratorTest, SimpleForeach) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment