[wasm] Check for illegal br table count

The underlying issue is that TF Nodes cannot handle input counts outside the integer range. On an illegal br_table instruction, we generated a switch node with a control output count >kMaxInt. Operator::ControlOutputCount turned this into a negative integer later, leading to a failing DCHECK. Since such large numbers cannot occur in any valid wasm function anyway, we just add an additional check to the br table count. There is already a TODO in the code to change Operator::ControlOutputCount to size_t. R=ahaas@chromium.org BUG=chromium:722445 Change-Id: I1975072226e073dee6c8da3b9fa9a050a4695917 Reviewed-on: https://chromium-review.googlesource.com/505496Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#45365}

[wasm] Check for illegal br table count
The underlying issue is that TF Nodes cannot handle input counts outside the integer range. On an illegal br_table instruction, we generated a switch node with a control output count >kMaxInt. Operator::ControlOutputCount turned this into a negative integer later, leading to a failing DCHECK. Since such large numbers cannot occur in any valid wasm function anyway, we just add an additional check to the br table count. There is already a TODO in the code to change Operator::ControlOutputCount to size_t. R=ahaas@chromium.org BUG=chromium:722445 Change-Id: I1975072226e073dee6c8da3b9fa9a050a4695917 Reviewed-on: https://chromium-review.googlesource.com/505496Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#45365}
74519c43 · Clemens Hammacher · Commit Bot · a68b75d0 · 74519c43 · 74519c43
Commit 74519c43 authored May 17, 2017 by Clemens Hammacher Committed by Commit Bot May 17, 2017
Showing with 27 additions and 3 deletions

operator.cc src/compiler/operator.cc +5 -1

function-body-decoder.cc src/wasm/function-body-decoder.cc +6 -2

regression-722445.js test/mjsunit/regress/wasm/regression-722445.js +16 -0

No files found.
--- a/src/compiler/operator.cc
+++ b/src/compiler/operator.cc
@@ -14,7 +14,11 @@ namespace {

 template <typename N>
 V8_INLINE N CheckRange(size_t val) {
-  CHECK_LE(val, std::numeric_limits<N>::max());
+  // The getters on Operator for input and output counts currently return int.
+  // Thus check that the given value fits in the integer range.
+  // TODO(titzer): Remove this check once the getters return size_t.
+  CHECK_LE(val, std::min(static_cast<size_t>(std::numeric_limits<N>::max()),
+                         static_cast<size_t>(kMaxInt)));
  return static_cast<N>(val);
 }


--- a/src/wasm/function-body-decoder.cc
+++ b/src/wasm/function-body-decoder.cc
@@ -362,8 +362,12 @@ class WasmDecoder : public Decoder {

  bool Validate(const byte* pc, BranchTableOperand<true>& operand,
                size_t block_depth) {
-    // TODO(titzer): add extra redundant validation for br_table here?
-    return true;
+    if (operand.table_count >= kV8MaxWasmFunctionSize) {
+      errorf(pc + 1, "invalid table count (> max function size): %u",
+             operand.table_count);
+      return false;
+    }
+    return checkAvailable(operand.table_count);
  }

  inline bool Validate(const byte* pc, WasmOpcode opcode,

--- a/test/mjsunit/regress/wasm/regression-722445.js
+++ b/test/mjsunit/regress/wasm/regression-722445.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+var builder = new WasmModuleBuilder();
+builder.addFunction('f', kSig_v_v).addBody([
+  kExprI32Const, 0, kExprBrTable,
+  // 0x80000000 in LEB:
+  0x80, 0x80, 0x80, 0x80, 0x08,
+  // First break target. Creation of this node triggered the bug.
+  0
+]);
+assertThrows(() => builder.instantiate(), WebAssembly.CompileError);