[wasm-gc] Disallow forward-declared supertypes

For backwards compatibility, we do not impose this restriction on nominal modules. Bug: v8:7748 Change-Id: I42c4dc824fc9824280527522b05fa3bf68c8929b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3422638 Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#78868}
2022-01-31 13:11:44 +00:00 · 2022-01-31 13:11:44 +00:00 · 1b3945d8ce
commit 1b3945d8ce
parent dfef68d0b7
2 changed files with 24 additions and 5 deletions
--- a/src/wasm/module-decoder.cc
+++ b/src/wasm/module-decoder.cc
@ -582,6 +582,15 @@ class ModuleDecoderImpl : public Decoder {
    }
  }

+  bool check_supertype(uint32_t supertype) {
+    if (V8_UNLIKELY(supertype >= module_->types.size())) {
+      errorf(pc(), "type %zu: forward-declared supertype %d",
+             module_->types.size(), supertype);
+      return false;
+    }
+    return true;
+  }
+
  TypeDefinition consume_nominal_type_definition() {
    DCHECK(enabled_features_.has_gc());
    size_t num_types = module_->types.size();
@ -650,11 +659,7 @@ class ModuleDecoderImpl : public Decoder {
          consume_count("supertype count", kMaximumSupertypes);
      uint32_t supertype =
          supertype_count == 1 ? consume_u32v("supertype") : kNoSuperType;
-      if (V8_UNLIKELY(supertype >= module_->types.capacity())) {
-        errorf(pc(), "type %zu: invalid supertype %d", module_->types.size(),
-               supertype);
-        return {};
-      }
+      if (!check_supertype(supertype)) return {};
      TypeDefinition type = consume_base_type_definition();
      type.supertype = supertype;
      return type;
@ -736,6 +741,8 @@ class ModuleDecoderImpl : public Decoder {
        errorf("type %d: subtyping depth is greater than allowed", i);
        continue;
      }
+      // TODO(7748): Replace this with a DCHECK once we reject inheritance
+      // cycles for nominal modules.
      if (depth == -1) {
        errorf("type %d: cyclic inheritance", i);
        continue;
--- a/test/unittests/wasm/module-decoder-unittest.cc
+++ b/test/unittests/wasm/module-decoder-unittest.cc
@ -3363,6 +3363,18 @@ TEST_F(WasmModuleVerifyTest, OutOfBoundsTypeInType) {
  EXPECT_NOT_OK(result, "Type index 1 is out of bounds");
 }

+// TODO(7748): Add support for rec. groups.
+TEST_F(WasmModuleVerifyTest, ForwardSupertype) {
+  WASM_FEATURE_SCOPE(typed_funcref);
+  WASM_FEATURE_SCOPE(gc);
+  static const byte data[] = {
+      SECTION(Type, ENTRY_COUNT(1), kWasmRecursiveTypeGroupCode, ENTRY_COUNT(1),
+              kWasmSubtypeCode, ENTRY_COUNT(1), 0,
+              WASM_STRUCT_DEF(FIELD_COUNT(1), STRUCT_FIELD(kRefCode, true)))};
+  ModuleResult result = DecodeModule(data, data + sizeof(data));
+  EXPECT_NOT_OK(result, "type 0: forward-declared supertype 0");
+}
+
 TEST_F(WasmModuleVerifyTest, IllegalPackedFields) {
  WASM_FEATURE_SCOPE(gc);
  WASM_FEATURE_SCOPE(typed_funcref);