| Summary | WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid |
|---|---|
| Product | WebKit |
| Component | JavaScriptCore |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Linux |
| Reporter | Alon Zakai <alonzakai> |
| Assignee | JF Bastien <jfbastien> |
| CC | bfulgham, buildbot, commit-queue, jfbastien, keith_miller, mark.lam, msaboff, product-security, saam, webkit-bug-importer |
| Keywords | InRadar |
Description

Alon Zakai, 2017-08-17 16:08:53 PDT

Created attachment 318434 [details]: wasm file

I believe this is a benign bug because unreachable code shouldn't occur anyway. It's still a bug we should fix, though.

It looks like the i64.const causing the issue is:

```
42 80 80 80 80 80 80 80 80 80 | i64.const -9223372036854775808
```

Well this is our bug:

```cpp
// one immediate cases
case I32Const:
case I64Const: // <------ derp
case SetLocal:
case GetLocal:
case TeeLocal:
case GetGlobal:
case SetGlobal:
case Br:
case BrIf:
case Call: {
    uint32_t unused;
    WASM_PARSER_FAIL_IF(!parseVarUInt32(unused), "can't get immediate for ", m_currentOpcode, " in unreachable context");
    return { };
}
```

This is benign, not a security issue.

Created attachment 318440 [details]: patch
Comment on attachment 318440 [details]: patch

please add test

Created attachment 318443 [details]: patch

Add test, and also handle i32.const / i64.const as signed.
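To show what the fix changes, here is an added example (not WebKit's code) of the two LEB128 decodings side by side: an unsigned 32-bit parser of the kind the unreachable-code path used rejects the ten-byte i64.const immediate for -9223372036854775808, while a signed 64-bit parser decodes it correctly. The full ten-byte immediate is a constructed input (the dump above shows the opcode and the leading bytes), and the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>

// Unsigned LEB128 limited to 32 bits (at most 5 bytes): the shape of the
// parseVarUInt32-style call used for every "one immediate" opcode.
static bool decodeVarUInt32(const uint8_t* data, size_t size, size_t& offset, uint32_t& out) {
    uint32_t result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (offset >= size) return false;
        uint8_t byte = data[offset++];
        result |= static_cast<uint32_t>(byte & 0x7f) << shift;
        if (!(byte & 0x80)) { out = result; return true; }
    }
    return false; // a sixth byte: not a valid varuint32
}

// Signed LEB128 for 64-bit immediates (at most 10 bytes), sign-extending
// from the last group, which is what an i64.const immediate requires.
static bool decodeVarInt64(const uint8_t* data, size_t size, size_t& offset, int64_t& out) {
    uint64_t result = 0;
    unsigned shift = 0;
    uint8_t byte = 0;
    do {
        if (offset >= size || shift >= 70) return false;
        byte = data[offset++];
        result |= static_cast<uint64_t>(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (shift < 64 && (byte & 0x40)) result |= ~uint64_t{0} << shift; // sign-extend
    out = static_cast<int64_t>(result);
    return true;
}

// Constructed input: the ten signed-LEB128 bytes for INT64_MIN that follow opcode 0x42.
static const uint8_t kMinInt64Immediate[] = {
    0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x7f };

struct Outcome { bool unsignedOk; bool signedOk; int64_t value; };

// Decodes the same immediate both ways: the unsigned 32-bit parser runs out of
// allowed bytes and fails (the "invalid binary" symptom); the signed one yields INT64_MIN.
static Outcome decodeBothWays() {
    Outcome o{false, false, 0};
    size_t offset = 0;
    uint32_t unused = 0;
    o.unsignedOk = decodeVarUInt32(kMinInt64Immediate, sizeof kMinInt64Immediate, offset, unused);
    offset = 0;
    o.signedOk = decodeVarInt64(kMinInt64Immediate, sizeof kMinInt64Immediate, offset, o.value);
    return o;
}
```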
Comment on attachment 318443 [details]: patch

Rejecting attachment 318443 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'validate-changelog', '--check-oops', '--non-interactive', 318443, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in JSTests/ChangeLog contains OOPS!.

Full output: http://webkit-queues.webkit.org/results/4333352

Created attachment 318444 [details]: patch

Fix OOPS.
The commit-queue encountered the following flaky tests while processing attachment 318444 [details]: svg/animations/smil-leak-list-property-instances.svg bug 175701 (author: sabouhallawa@apple.com). The commit-queue is continuing to process your patch.

Comment on attachment 318444 [details]: patch

Clearing flags on attachment: 318444

Committed r220894: <http://trac.webkit.org/changeset/220894>

All reviewed patches have been landed. Closing bug.