[wasm-gc] Disallow forward-declared supertypes

For backwards compatibility, we do not impose this restriction on nominal modules. Bug: v8:7748 Change-Id: I42c4dc824fc9824280527522b05fa3bf68c8929b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3422638Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#78868}

[wasm-gc] Disallow forward-declared supertypes
For backwards compatibility, we do not impose this restriction on nominal modules. Bug: v8:7748 Change-Id: I42c4dc824fc9824280527522b05fa3bf68c8929b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3422638Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#78868}
1b3945d8 · Manos Koukoutos · V8 LUCI CQ · dfef68d0 · 1b3945d8 · 1b3945d8
Commit 1b3945d8 authored Jan 31, 2022 by Manos Koukoutos Committed by V8 LUCI CQ Jan 31, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 5 deletions

module-decoder.cc src/wasm/module-decoder.cc +12 -5

module-decoder-unittest.cc test/unittests/wasm/module-decoder-unittest.cc +12 -0

No files found.
--- a/src/wasm/module-decoder.cc
+++ b/src/wasm/module-decoder.cc
@@ -582,6 +582,15 @@ class ModuleDecoderImpl : public Decoder {
    }
  }

+  bool check_supertype(uint32_t supertype) {
+    if (V8_UNLIKELY(supertype >= module_->types.size())) {
+      errorf(pc(), "type %zu: forward-declared supertype %d",
+             module_->types.size(), supertype);
+      return false;
+    }
+    return true;
+  }
+
  TypeDefinition consume_nominal_type_definition() {
    DCHECK(enabled_features_.has_gc());
    size_t num_types = module_->types.size();
@@ -650,11 +659,7 @@ class ModuleDecoderImpl : public Decoder {
          consume_count("supertype count", kMaximumSupertypes);
      uint32_t supertype =
          supertype_count == 1 ? consume_u32v("supertype") : kNoSuperType;
-      if (V8_UNLIKELY(supertype >= module_->types.capacity())) {
-        errorf(pc(), "type %zu: invalid supertype %d", module_->types.size(),
-               supertype);
-        return {};
-      }
+      if (!check_supertype(supertype)) return {};
      TypeDefinition type = consume_base_type_definition();
      type.supertype = supertype;
      return type;
@@ -736,6 +741,8 @@ class ModuleDecoderImpl : public Decoder {
        errorf("type %d: subtyping depth is greater than allowed", i);
        continue;
      }
+      // TODO(7748): Replace this with a DCHECK once we reject inheritance
+      // cycles for nominal modules.
      if (depth == -1) {
        errorf("type %d: cyclic inheritance", i);
        continue;

--- a/test/unittests/wasm/module-decoder-unittest.cc
+++ b/test/unittests/wasm/module-decoder-unittest.cc
@@ -3363,6 +3363,18 @@ TEST_F(WasmModuleVerifyTest, OutOfBoundsTypeInType) {
  EXPECT_NOT_OK(result, "Type index 1 is out of bounds");
 }

+// TODO(7748): Add support for rec. groups.
+TEST_F(WasmModuleVerifyTest, ForwardSupertype) {
+  WASM_FEATURE_SCOPE(typed_funcref);
+  WASM_FEATURE_SCOPE(gc);
+  static const byte data[] = {
+      SECTION(Type, ENTRY_COUNT(1), kWasmRecursiveTypeGroupCode, ENTRY_COUNT(1),
+              kWasmSubtypeCode, ENTRY_COUNT(1), 0,
+              WASM_STRUCT_DEF(FIELD_COUNT(1), STRUCT_FIELD(kRefCode, true)))};
+  ModuleResult result = DecodeModule(data, data + sizeof(data));
+  EXPECT_NOT_OK(result, "type 0: forward-declared supertype 0");
+}
+
 TEST_F(WasmModuleVerifyTest, IllegalPackedFields) {
  WASM_FEATURE_SCOPE(gc);
  WASM_FEATURE_SCOPE(typed_funcref);