Bug 1472633: Check that ref types exist when used as inline block types; r=jseward
authorBenjamin Bouvier <benj@benj.me>
Thu, 05 Jul 2018 13:23:18 +0200
changeset 814663 9b9ffa4c105daf1a69e2817cf5d221ee54600ad1
parent 814662 bd1bd5fb4aecac2f5630c1f26c2bb1b935870878
child 814664 d7a5d9b4dc85305a50b397bd77a27948b8d3d822
push id115307
push userbmo:ntim.bugs@gmail.com
push dateThu, 05 Jul 2018 21:47:40 +0000
reviewersjseward
bugs1472633
milestone63.0a1
Bug 1472633: Check that ref types exist when used as inline block types; r=jseward
js/src/jit-test/tests/wasm/gc/binary.js
js/src/wasm/WasmOpIter.h
--- a/js/src/jit-test/tests/wasm/gc/binary.js
+++ b/js/src/jit-test/tests/wasm/gc/binary.js
@@ -1,27 +1,46 @@
 if (!wasmGcEnabled()) {
     quit(0);
 }
 
 load(libdir + "wasm-binary.js");
 
+const v2vSig = {args:[], ret:VoidCode};
+const v2vSigSection = sigSection([v2vSig]);
+
+function checkInvalid(body, errorMessage) {
+    assertErrorMessage(() => new WebAssembly.Module(moduleWithSections([v2vSigSection, declSection([0]), bodySection([body])])), WebAssembly.CompileError, errorMessage);
+}
+
 const invalidRefNullBody = funcBody({locals:[], body:[
     RefNull,
     RefCode,
     0x42,
 
     RefNull,
     RefCode,
     0x10,
 
     // Condition code;
     I32ConstCode,
     0x10,
 
     SelectCode,
     DropCode
 ]});
+checkInvalid(invalidRefNullBody, /invalid nullref type/);
 
-const v2vSig = {args:[], ret:VoidCode};
-const v2vSigSection = sigSection([v2vSig]);
+const invalidRefBlockType = funcBody({locals:[], body:[
+    BlockCode,
+    RefCode,
+    0x42,
+    EndCode,
+]});
+checkInvalid(invalidRefBlockType, /invalid inline block type/);
 
-assertErrorMessage(() => new WebAssembly.Module(moduleWithSections([v2vSigSection, declSection([0]), bodySection([invalidRefNullBody])])), WebAssembly.CompileError, /invalid nullref type/);
+const invalidTooBigRefType = funcBody({locals:[], body:[
+    BlockCode,
+    RefCode,
+    varU32(1000000),
+    EndCode,
+]});
+checkInvalid(invalidTooBigRefType, /invalid inline block type/);
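Review bot: The new cases at `invalidRefBlockType` and `invalidTooBigRefType` only exercise the rejection path of the tightened `readBlockType` check; nothing here compiles a module where a `ref` block type names an index that does exist (a type section holding a struct type plus `block (ref 0) ... end`), so an over-restrictive check that rejected every `ref` block type would still pass this file. Unless a positive case already lives elsewhere in the gc tests, add one built from the same `moduleWithSections` helpers and assert that `new WebAssembly.Module(...)` succeeds. Since the same block-type parser presumably serves `loop` and `if`, running the two invalid bodies with `LoopCode`/`IfCode` in place of `BlockCode` would be cheap if wasm-binary.js exports those opcodes. The `varU32(1000000)` case looks aimed at the `MaxTypes` bound rather than `types.length()`; a one-line comment saying which limit it targets, e.g. `// Index past MaxTypes, not merely past the module's type section`, would keep the two checks distinguishable when one of them changes.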
--- a/js/src/wasm/WasmOpIter.h
+++ b/js/src/wasm/WasmOpIter.h
@@ -1011,17 +1011,19 @@ OpIter<Policy>::readBlockType(ExprType* 
       case uint8_t(ExprType::I32x4):
       case uint8_t(ExprType::F32x4):
       case uint8_t(ExprType::B8x16):
       case uint8_t(ExprType::B16x8):
       case uint8_t(ExprType::B32x4):
         known = true;
         break;
       case uint8_t(ExprType::Ref):
-        known = env_.gcTypesEnabled == HasGcTypes::True;
+        known = env_.gcTypesEnabled == HasGcTypes::True &&
+                uncheckedRefTypeIndex < MaxTypes &&
+                uncheckedRefTypeIndex < env_.types.length();
         break;
       case uint8_t(ExprType::AnyRef):
         known = env_.gcTypesEnabled == HasGcTypes::True;
         break;
       case uint8_t(ExprType::Limit):
         break;
     }