RESOLVED FIXED 308792
Incorrect Maximum Value for WASM Element Section
https://bugs.webkit.org/show_bug.cgi?id=308792
Summary Incorrect Maximum Value for WASM Element Section
tombox1337
Reported 2026-02-26 19:46:42 PST
Created attachment 478507
test.js

`jsc (JavaScriptCore)` fails to reject an invalid WebAssembly module. Specifically, the module contains an element segment with 10,000,001 entries, exceeding the specification maximum of 10,000,000 table entries in any table initialization.

According to the WebAssembly specification, the maximum number of table entries in any table initialization is 10,000,000.

### Environment

* OS: Ubuntu 20.04
* CPU: amd64
* jsc (JavaScriptCore) version: `6bcc4ed97d73`
* Commands:

```bash
WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc test.js
```

### Actual behavior

`jsc (JavaScriptCore)` incorrectly accepts this invalid module (exit code 0). The output is:

```
42
```

### Expected behavior

The runtime should reject this module during validation because the module violates the specification. For reference, `js (SpiderMonkey)` correctly rejects it (exit code 3):

```
CompileError: at offset 50: too many elements in element segment
Stack:
  @/tmp/spec_limits/max_table_entries_in_any_table_initialization_negative_gecko.js:2:19
```
Attachments
test.js (19.07 MB, application/x-javascript)
2026-02-26 19:46 PST, tombox1337
no flags
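The limit check the report asks for, as an added sketch (not code from the report, the attached test.js, or WebKit): it reads the entry count declared by each element segment and rejects any count above the 10,000,000 limit quoted in the report. All function names are hypothetical; it assumes flag-0 segments only and uses a constructed module that contains nothing but an element section.

```javascript
const MAX_TABLE_INIT_ENTRIES = 10000000; // limit quoted in the report
// Decode an unsigned LEB128 u32 at pos; returns [value, nextPos].
function readU32(bytes, pos) {
  let value = 0;
  for (let shift = 0; shift <= 28; shift += 7) {
    if (pos >= bytes.length) throw new Error("truncated LEB128");
    value += (bytes[pos] & 0x7f) * 2 ** shift;
    if ((bytes[pos++] & 0x80) === 0) return [value, pos];
  }
  throw new Error("LEB128 too long for u32");
}
function encodeU32(n) { // unsigned LEB128
  const out = [];
  for (; n > 127; n = Math.floor(n / 128)) out.push((n % 128) | 0x80);
  return [...out, n];
}
// Returns each segment's entry count; throws over the limit. Assumption: flag-0 segments only.
function checkElementSegments(bytes) {
  if (String.fromCharCode(...bytes.subarray(0, 4)) !== "\0asm") throw new Error("not a wasm module");
  let pos = 8, size, nSegs, flag, n, counts = [];
  while (pos < bytes.length) {
    const id = bytes[pos++];
    [size, pos] = readU32(bytes, pos);
    const end = pos + size;
    if (id === 9) { // element section
      [nSegs, pos] = readU32(bytes, pos);
      for (let s = 0; s < nSegs; s++) {
        [flag, pos] = readU32(bytes, pos);
        if (flag !== 0 || bytes[pos++] !== 0x41) throw new Error("unsupported segment");
        [, pos] = readU32(bytes, pos); // i32.const immediate: only its length matters
        if (bytes[pos++] !== 0x0b) throw new Error("expected end of offset expression");
        [n, pos] = readU32(bytes, pos);
        if (n > MAX_TABLE_INIT_ENTRIES) throw new RangeError(`too many elements in element segment: ${n}`);
        for (let i = 0; i < n; i++) [, pos] = readU32(bytes, pos); // skip funcidx entries
        counts.push(n);
      }
    }
    pos = end;
  }
  return counts;
}
// Constructed input: header + one element section, one flag-0 segment of n funcidx-0 entries.
function buildModule(n) {
  const seg = [0x01, 0x00, 0x41, 0x00, 0x0b, ...encodeU32(n)];
  const head = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x09, ...encodeU32(seg.length + n), ...seg];
  const out = new Uint8Array(head.length + n); // zero-filled tail = n entries of funcidx 0
  out.set(head);
  return out;
}
```

`checkElementSegments(buildModule(10000001))` throws before walking the entries, while a segment of exactly 10,000,000 entries passes.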
Radar WebKit Bug Importer
Comment 1 2026-02-26 19:46:48 PST
Shu-yu Guo
Comment 2 2026-02-27 17:51:37 PST
It is not a security issue if we do not adhere to an arbitrarily determined spec limit.
Shu-yu Guo
Comment 3 2026-02-27 17:56:35 PST
EWS
Comment 4 2026-03-02 10:22:10 PST
Committed 308473@main (3e5413522e4c): <https://commits.webkit.org/308473@main> Reviewed commits have been landed. Closing PR #59627 and removing active labels.