[wasm] Fix decoding of bulk memory instructions

The following instructions are affected: memory.init, data.drop, table.init, table.drop. A segment index should be decoded as an unsigned number, but these instructions were decoding as signed. This works properly up to 63, but fails at 64 (which is decoded as -64 = 4294967232). Bug: v8:10151 Change-Id: I742b74cf0bcadf2ff2f606beb65b7bae3e816530 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2015960 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Ben Smith <binji@chromium.org> Cr-Commit-Position: refs/heads/master@{#65957}
2020-01-22 14:37:02 -08:00 · 2020-01-22 14:37:02 -08:00 · 91adb03843
commit 91adb03843
parent 5cfe053e45
2 changed files with 34 additions and 4 deletions
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@ -511,7 +511,7 @@ struct MemoryInitImmediate {
  inline MemoryInitImmediate(Decoder* decoder, const byte* pc) {
    uint32_t len = 0;
    data_segment_index =
-        decoder->read_i32v<validate>(pc + 2, &len, "data segment index");
+        decoder->read_u32v<validate>(pc + 2, &len, "data segment index");
    memory = MemoryIndexImmediate<validate>(decoder, pc + 1 + len);
    length = len + memory.length;
  }
@ -523,7 +523,7 @@ struct DataDropImmediate {
  unsigned length;

  inline DataDropImmediate(Decoder* decoder, const byte* pc) {
-    index = decoder->read_i32v<validate>(pc + 2, &length, "data segment index");
+    index = decoder->read_u32v<validate>(pc + 2, &length, "data segment index");
  }
 };

@ -550,7 +550,7 @@ struct TableInitImmediate {
  inline TableInitImmediate(Decoder* decoder, const byte* pc) {
    uint32_t len = 0;
    elem_segment_index =
-        decoder->read_i32v<validate>(pc + 2, &len, "elem segment index");
+        decoder->read_u32v<validate>(pc + 2, &len, "elem segment index");
    table = TableIndexImmediate<validate>(decoder, pc + 1 + len);
    length = len + table.length;
  }
@ -562,7 +562,7 @@ struct ElemDropImmediate {
  unsigned length;

  inline ElemDropImmediate(Decoder* decoder, const byte* pc) {
-    index = decoder->read_i32v<validate>(pc + 2, &length, "elem segment index");
+    index = decoder->read_u32v<validate>(pc + 2, &length, "elem segment index");
  }
 };

--- a/test/unittests/wasm/function-body-decoder-unittest.cc
+++ b/test/unittests/wasm/function-body-decoder-unittest.cc
@ -3153,6 +3153,20 @@ TEST_F(FunctionBodyDecoderTest, DataDrop) {
  ExpectFailure(sigs.v_v(), {WASM_DATA_DROP(1)});
 }

+TEST_F(FunctionBodyDecoderTest, DataSegmentIndexUnsigned) {
+  TestModuleBuilder builder;
+  builder.InitializeMemory();
+  builder.SetDataSegmentCount(65);
+  module = builder.module();
+
+  WASM_FEATURE_SCOPE(bulk_memory);
+  // Make sure that the index is interpreted as an unsigned number; 64 is
+  // interpreted as -64 when decoded as a signed LEB.
+  ExpectValidates(sigs.v_v(),
+                  {WASM_MEMORY_INIT(64, WASM_ZERO, WASM_ZERO, WASM_ZERO)});
+  ExpectValidates(sigs.v_v(), {WASM_DATA_DROP(64)});
+}
+
 TEST_F(FunctionBodyDecoderTest, MemoryCopy) {
  TestModuleBuilder builder;
  builder.InitializeMemory();
@ -3228,6 +3242,22 @@ TEST_F(FunctionBodyDecoderTest, ElemDrop) {
  ExpectFailure(sigs.v_v(), {WASM_ELEM_DROP(1)});
 }

+TEST_F(FunctionBodyDecoderTest, ElemSegmentIndexUnsigned) {
+  TestModuleBuilder builder;
+  builder.InitializeTable();
+  for (int i = 0; i < 65; ++i) {
+    builder.AddPassiveElementSegment();
+  }
+  module = builder.module();
+
+  WASM_FEATURE_SCOPE(bulk_memory);
+  // Make sure that the index is interpreted as an unsigned number; 64 is
+  // interpreted as -64 when decoded as a signed LEB.
+  ExpectValidates(sigs.v_v(),
+                  {WASM_TABLE_INIT(0, 64, WASM_ZERO, WASM_ZERO, WASM_ZERO)});
+  ExpectValidates(sigs.v_v(), {WASM_ELEM_DROP(64)});
+}
+
 TEST_F(FunctionBodyDecoderTest, TableCopy) {
  TestModuleBuilder builder;
  builder.InitializeTable();