[wasm] Add validation of compilation hints

Before productionizing this, we probably want to just ignore the whole section if it contains invalid data, but for now failing with a decode error is more consistent with existing checks. R=ecmziegler@chromium.org Bug: v8:12537 Change-Id: I7fc5933573a4d6eddd039bf51361c5bee5c5170d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545177Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#79593}

[wasm] Add validation of compilation hints
Before productionizing this, we probably want to just ignore the whole section if it contains invalid data, but for now failing with a decode error is more consistent with existing checks. R=ecmziegler@chromium.org Bug: v8:12537 Change-Id: I7fc5933573a4d6eddd039bf51361c5bee5c5170d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3545177Reviewed-by: Emanuel Ziegler <ecmziegler@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#79593}
a18b1606 · Clemens Backes · V8 LUCI CQ · 89c213bb · a18b1606 · a18b1606
Commit a18b1606 authored Mar 23, 2022 by Clemens Backes Committed by V8 LUCI CQ Mar 24, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 53 additions and 4 deletions

module-decoder.cc src/wasm/module-decoder.cc +20 -3

compilation-hints-decoder.js test/mjsunit/wasm/compilation-hints-decoder.js +33 -1

No files found.
--- a/src/wasm/module-decoder.cc
+++ b/src/wasm/module-decoder.cc
@@ -1290,14 +1290,31 @@ class ModuleDecoderImpl : public Decoder {
      uint8_t hint_byte = decoder.consume_u8("compilation hint");
      if (!decoder.ok()) break;

+      // Validate the hint_byte.
+      // For the compilation strategy, all 2-bit values are valid. For the tier,
+      // only 0x0, 0x1, and 0x2 are allowed.
+      static_assert(
+          static_cast<int>(WasmCompilationHintTier::kDefault) == 0 &&
+              static_cast<int>(WasmCompilationHintTier::kBaseline) == 1 &&
+              static_cast<int>(WasmCompilationHintTier::kOptimized) == 2,
+          "The check below assumes that 0x03 is the only invalid 2-bit number "
+          "for a compilation tier");
+      if (((hint_byte >> 2) & 0x03) == 0x03 ||
+          ((hint_byte >> 4) & 0x03) == 0x03) {
+        decoder.errorf(decoder.pc(),
+                       "Invalid compilation hint %#04x (invalid tier 0x03)",
+                       hint_byte);
+        break;
+      }
+
      // Decode compilation hint.
      WasmCompilationHint hint;
      hint.strategy =
          static_cast<WasmCompilationHintStrategy>(hint_byte & 0x03);
      hint.baseline_tier =
-          static_cast<WasmCompilationHintTier>(hint_byte >> 2 & 0x3);
+          static_cast<WasmCompilationHintTier>((hint_byte >> 2) & 0x03);
      hint.top_tier =
-          static_cast<WasmCompilationHintTier>(hint_byte >> 4 & 0x3);
+          static_cast<WasmCompilationHintTier>((hint_byte >> 4) & 0x03);

      // Ensure that the top tier never downgrades a compilation result. If
      // baseline and top tier are the same compilation will be invoked only
@@ -1305,7 +1322,7 @@ class ModuleDecoderImpl : public Decoder {
      if (hint.top_tier < hint.baseline_tier &&
          hint.top_tier != WasmCompilationHintTier::kDefault) {
        decoder.errorf(decoder.pc(),
-                       "Invalid compilation hint %#x (forbidden downgrade)",
+                       "Invalid compilation hint %#04x (forbidden downgrade)",
                       hint_byte);
      }


--- a/test/mjsunit/wasm/compilation-hints-decoder.js
+++ b/test/mjsunit/wasm/compilation-hints-decoder.js
@@ -96,7 +96,7 @@ d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
                   kExprI32Mul])
         .setCompilationHint(kCompilationHintStrategyEager,
                             kCompilationHintTierDefault,
-                             kCompilationHintTierOptimized)
+                             kCompilationHintTierOptimized);
  builder.instantiate();
 })();

@@ -128,3 +128,35 @@ d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
         .exportFunc();
  builder.instantiate();
 })();
+
+(function testDecodeIllegalCompilationHintBaselineTier() {
+  print(arguments.callee.name);
+  let builder = new WasmModuleBuilder();
+  let kIllegalHintTier = 0x03;
+  builder.addFunction('func', kSig_i_i)
+      .addBody([kExprUnreachable])
+      .setCompilationHint(
+          kCompilationHintStrategyDefault, kIllegalHintTier,
+          kCompilationHintTierDefault);
+  assertThrows(
+      () => builder.instantiate(), WebAssembly.CompileError,
+      new RegExp(
+          'WebAssembly.Module\\(\\): Invalid compilation hint 0x0c ' +
+          '\\(invalid tier 0x03\\)'));
+})();
+
+(function testDecodeIllegalCompilationHintTopTier() {
+  print(arguments.callee.name);
+  let builder = new WasmModuleBuilder();
+  let kIllegalHintTier = 0x03;
+  builder.addFunction('func', kSig_i_i)
+      .addBody([kExprUnreachable])
+      .setCompilationHint(
+          kCompilationHintStrategyDefault, kCompilationHintTierDefault,
+          kIllegalHintTier);
+  assertThrows(
+      () => builder.instantiate(), WebAssembly.CompileError,
+      new RegExp(
+          'WebAssembly.Module\\(\\): Invalid compilation hint 0x30 ' +
+          '\\(invalid tier 0x03\\)'));
+})();