Bug 308792

Summary: Incorrect Maximum Value for WASM Element Section
Product: WebKit    Reporter: tombox1337
Component: JavaScriptCore    Assignee: Shu-yu Guo <syg>
Status: RESOLVED FIXED
Severity: Normal    CC: bfulgham, syg, webkit-bug-importer
Priority: P2    Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Description Flags
test.js none

tombox1337
Reported 2026-02-26 19:46:42 PST
Created attachment 478507
test.js

`jsc (JavaScriptCore)` fails to reject an invalid WebAssembly module. Specifically, the module contains an element segment with 10,000,001 entries, exceeding the specification maximum of 10,000,000 table entries in any table initialization. According to the WebAssembly specification, the maximum number of table entries in any table initialization is 10,000,000.

### Environment

* OS: Ubuntu 20.04
* CPU: amd64
* jsc (JavaScriptCore) version: `6bcc4ed97d73`
* Commands:

```bash
WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc test.js
```

### Actual behavior

`jsc (JavaScriptCore)` incorrectly accepts this invalid module (exit code 0). The output is:

```
42
```

### Expected behavior

The runtime should reject this module during validation because the module violates the specification. For reference, `js (SpiderMonkey)` correctly rejects it (exit code 3):

```
CompileError: at offset 50: too many elements in element segment
Stack:
  @/tmp/spec_limits/max_table_entries_in_any_table_initialization_negative_gecko.js:2:19
```
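Added example, not the reporter's attachment or any WebKit code: a JavaScript builder for a minimal module with one active element segment, and a validator-style check that reads each segment's entry count and rejects it against the 10,000,000 limit the report cites before decoding the entries. `MAX_TABLE_INIT_ENTRIES`, `buildModule` and `validateElementLimits` are this example's own names.

```javascript
// Constructed example, not the attachment from the report: the constant and the
// helper names below are this example's own; the limit is the one the report cites.
const MAX_TABLE_INIT_ENTRIES = 10_000_000;

function leb128u(n) {                    // unsigned LEB128 encoding
  const out = [];
  do { let b = n % 128; n = Math.floor(n / 128); if (n) b |= 0x80; out.push(b); } while (n);
  return out;
}
function readLeb128u(bytes, pos) {       // returns [value, nextPos]
  let value = 0, shift = 0, b;
  do { b = bytes[pos++]; value += (b & 0x7f) * 2 ** shift; shift += 7; } while (b & 0x80);
  return [value, pos];
}
function section(id, payload) { return [id, ...leb128u(payload.length), ...payload]; }

// Minimal module: one () -> () function, one funcref table, and an active element
// segment (flags 0, offset i32.const 0) that lists function 0 `count` times.
function buildModule(count) {
  const type  = section(1, [1, 0x60, 0, 0]);
  const func  = section(3, [1, 0]);
  const table = section(4, [1, 0x70, 0x00, ...leb128u(count)]);
  const elem  = section(9, [1, 0x00, 0x41, 0x00, 0x0b, ...leb128u(count), ...new Array(count).fill(0)]);
  const code  = section(10, [1, 2, 0, 0x0b]);
  return new Uint8Array([0x00, 0x61, 0x73, 0x6d, 1, 0, 0, 0, ...type, ...func, ...table, ...elem, ...code]);
}

// Walks the sections and, in the element section (id 9), checks each segment's entry
// count against the limit before decoding the entries. Handles only the flags=0 form.
function validateElementLimits(bytes) {
  let pos = 8;                           // skip magic and version
  while (pos < bytes.length) {
    const id = bytes[pos++]; let size; [size, pos] = readLeb128u(bytes, pos);
    const end = pos + size;
    if (id === 9) {
      let segs; [segs, pos] = readLeb128u(bytes, pos);
      for (let i = 0; i < segs; i++) {
        if (bytes[pos] !== 0x00 || bytes[pos + 1] !== 0x41) return { ok: false, reason: "unsupported segment encoding" };
        [, pos] = readLeb128u(bytes, pos + 2); // skip the i32.const immediate
        if (bytes[pos++] !== 0x0b) return { ok: false, reason: "expected end of offset expr" };
        const at = pos; let count; [count, pos] = readLeb128u(bytes, at);
        if (count > MAX_TABLE_INIT_ENTRIES) return { ok: false, reason: "too many elements in element segment", count, offset: at };
        for (let j = 0; j < count; j++) [, pos] = readLeb128u(bytes, pos); // funcidx entries
      }
    }
    pos = end;
  }
  return { ok: true };
}
```

`buildModule(3)` yields a module that `WebAssembly.validate` accepts, while `buildModule(MAX_TABLE_INIT_ENTRIES + 1)` is rejected by the check above at the count field, without the 10,000,001 entries ever being decoded.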
Attachments
test.js (19.07 MB, application/x-javascript)
2026-02-26 19:46 PST, tombox1337
no flags
Radar WebKit Bug Importer
Comment 1 2026-02-26 19:46:48 PST
Shu-yu Guo
Comment 2 2026-02-27 17:51:37 PST
It is not a security issue if we do not adhere to an arbitrarily determined spec limit.
Shu-yu Guo
Comment 3 2026-02-27 17:56:35 PST
EWS
Comment 4 2026-03-02 10:22:10 PST
Committed 308473@main (3e5413522e4c): <https://commits.webkit.org/308473@main> Reviewed commits have been landed. Closing PR #59627 and removing active labels.