Bug 286294

Summary: Missing Validation for Function Index in branch_hint Section
Product: WebKit
Reporter: tombox1337
Component: WebAssembly
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Normal
CC: daniel_liu4, d_degazio, keith_miller, mark.lam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified
Attachments:
Description Flags
program.js none

tombox1337
Reported 2025-01-21 06:54:09 PST
Created attachment 473966
program.js

### Description
WebKit does not enforce validation checks for invalid function indices within the branch_hint section.

### Environment
- OS: Ubuntu 20.04
- CPU: amd64
- WebKit Version: 146fa28a329d220785d2972c1d691555141e6406

### Steps to Reproduce
Run the following WebAssembly module:
```
./JSCOnly/Debug/bin/jsc ./program.js
```

### Current State
```plaintext
(no error or warning)
```

### Expected Behavior
The branch_hint section should be properly validated, ensuring that any references such as function indexes are checked against the defined or imported functions. If an invalid index is encountered, a validation error should occur before execution, such as:
```
error: invalid function index 140971
```
Attachments
program.js (904 bytes, application/x-javascript)
2025-01-21 06:54 PST, tombox1337
no flags
Radar WebKit Bug Importer
Comment 1 2025-01-28 06:55:13 PST
Yusuke Suzuki
Comment 2 2025-01-29 13:42:19 PST
Can you point out the spec text describing this validation?
Yusuke Suzuki
Comment 3 2025-02-07 18:09:37 PST
This is not specified, and tolerant handling is better.
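Added example, not part of the bug report or of WebKit's code: since the engine accepts such a module, the index check the report asks for can instead run as a lint step in tooling outside the engine. It assumes the layout from the branch hinting proposal (custom section `metadata.code.branch_hint`; per function an index, then hints of offset, data length, data), takes the imported-function count from the caller, and runs on a constructed sample module; `lintBranchHints`, `readU32` and `sampleModule` are names chosen here.

```javascript
const HINT_SECTION = "metadata.code.branch_hint"; // name per the branch hinting proposal
// Decode an unsigned LEB128 value at `pos`; returns [value, nextPos].
function readU32(bytes, pos) {
  let value = 0, shift = 0, b;
  do {
    if (pos >= bytes.length) throw new RangeError("truncated LEB128");
    b = bytes[pos++];
    value += (b & 0x7f) * 2 ** shift;
    shift += 7;
  } while (b & 0x80);
  return [value, pos];
}

// Returns hinted function indices that name no function in the module.
// Assumption: `bytes` is a Uint8Array; `importedFuncs` comes from the caller (import parsing omitted).
function lintBranchHints(bytes, importedFuncs = 0) {
  let pos = 8, definedFuncs = 0, size; // pos 8: past magic + version
  const hinted = [];
  while (pos < bytes.length) {
    const id = bytes[pos++];
    [size, pos] = readU32(bytes, pos);
    const body = pos;
    pos += size; // next section starts here
    if (id === 3) [definedFuncs] = readU32(bytes, body); // function section count
    if (id !== 0) continue; // only custom sections can hold hints
    let [nameLen, p] = readU32(bytes, body), entries = 0, idx, hints, dataLen;
    const name = String.fromCharCode(...bytes.subarray(p, p + nameLen));
    if (name === HINT_SECTION) [entries, p] = readU32(bytes, p + nameLen);
    for (let i = 0; i < entries; i++) {
      [idx, p] = readU32(bytes, p);
      [hints, p] = readU32(bytes, p);
      hinted.push(idx);
      for (let h = 0; h < hints; h++) {
        [, p] = readU32(bytes, p);        // byte offset of the hinted instruction
        [dataLen, p] = readU32(bytes, p); // length of the hint data
        p += dataLen;
      }
    }
  }
  return hinted.filter((idx) => idx >= importedFuncs + definedFuncs);
}
// Constructed sample: one defined function, hint entry for function index 140971.
const nameBytes = [...HINT_SECTION].map((c) => c.charCodeAt(0));
const payload = [nameBytes.length, ...nameBytes, 1, 0xab, 0xcd, 0x08, 1, 1, 1, 0];
const sampleModule = new Uint8Array([
  0, 0x61, 0x73, 0x6d, 1, 0, 0, 0, 1, 4, 1, 0x60, 0, 0, 3, 2, 1, 0, // header, type, function
  0, payload.length, ...payload, 10, 4, 1, 2, 0, 0x0b,               // hint section, code
]);
console.log(lintBranchHints(sampleModule), WebAssembly.validate(sampleModule));
```

The final line prints the lint findings next to the engine's own `WebAssembly.validate` verdict for the same bytes, so the two can be compared on any runtime.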