Bug 285505

Summary: Incorrect Index Validation in grow_memory Instruction
Product: WebKit
Reporter: tombox1337
Component: WebAssembly
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: d_degazio, keith_miller, mark.lam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 277743
Attachments: program.js (flags: none)

tombox1337
Reported 2025-01-07 02:33:10 PST
Created attachment 473821 [details]
program.js

### Description

WebKit does not correctly enforce validation for the `grow_memory` instruction in WebAssembly modules.

### Environment

- OS: Ubuntu 20.04
- CPU: amd64
- WebKit Version: 146fa28a329d220785d2972c1d691555141e6406
- Commands:

```bash
./JSCOnly/Debug/bin/jsc ./program.js
```

### Test Case

program.js

### Current State

```plaintext
./JSCOnly/Debug/bin/jsc ./program.js
Exception: CompileError: WebAssembly.Module doesn't parse at byte 5: reserved byte for grow_memory must be zero, in function at index 0 (evaluating 'new WebAssembly.Module(wasm_code)')
Module@[native code]
```

### Expected Behavior

The WebAssembly module should fail validation and report an error similar to:

- Like gecko-dev:

```plaintext
memory index out of range for memory.grow
```

- Like v8:

```plaintext
CompileError: WebAssembly.Module(): Compiling function #0 failed: memory index 2816 exceeds number of declared memories (1)
```
Attachments
program.js (236 bytes, text/plain)
2025-01-07 02:33 PST, tombox1337
no flags
David Degazio
Comment 1 2025-01-07 11:05:55 PST
It looks like we're still failing at validation time, just reporting a different error message? "must be zero" is more appropriate for WebKit at the moment than "out of range" because we do not yet support the WASM multi-memory proposal (tracked in https://bugs.webkit.org/show_bug.cgi?id=277743).
Radar WebKit Bug Importer
Comment 2 2025-01-07 11:06:18 PST
Yusuke Suzuki
Comment 3 2025-01-30 22:20:39 PST
multi-memory is not implemented.