[wasm] Fix decoding of bulk memory instructions

The following instructions are affected: memory.init, data.drop,
table.init, table.drop. A segment index should be decoded as an unsigned
number, but these instructions were decoding as signed. This works
properly up to 63, but fails at 64 (which is decoded as -64 =
4294967232).

Bug: v8:10151
Change-Id: I742b74cf0bcadf2ff2f606beb65b7bae3e816530
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2015960
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65957}
This commit is contained in:
Ben Smith 2020-01-22 14:37:02 -08:00 committed by Commit Bot
parent 5cfe053e45
commit 91adb03843
2 changed files with 34 additions and 4 deletions

View File

@ -511,7 +511,7 @@ struct MemoryInitImmediate {
inline MemoryInitImmediate(Decoder* decoder, const byte* pc) {
uint32_t len = 0;
data_segment_index =
decoder->read_i32v<validate>(pc + 2, &len, "data segment index");
decoder->read_u32v<validate>(pc + 2, &len, "data segment index");
memory = MemoryIndexImmediate<validate>(decoder, pc + 1 + len);
length = len + memory.length;
}
@ -523,7 +523,7 @@ struct DataDropImmediate {
unsigned length;
inline DataDropImmediate(Decoder* decoder, const byte* pc) {
index = decoder->read_i32v<validate>(pc + 2, &length, "data segment index");
index = decoder->read_u32v<validate>(pc + 2, &length, "data segment index");
}
};
@ -550,7 +550,7 @@ struct TableInitImmediate {
inline TableInitImmediate(Decoder* decoder, const byte* pc) {
uint32_t len = 0;
elem_segment_index =
decoder->read_i32v<validate>(pc + 2, &len, "elem segment index");
decoder->read_u32v<validate>(pc + 2, &len, "elem segment index");
table = TableIndexImmediate<validate>(decoder, pc + 1 + len);
length = len + table.length;
}
@ -562,7 +562,7 @@ struct ElemDropImmediate {
unsigned length;
inline ElemDropImmediate(Decoder* decoder, const byte* pc) {
index = decoder->read_i32v<validate>(pc + 2, &length, "elem segment index");
index = decoder->read_u32v<validate>(pc + 2, &length, "elem segment index");
}
};

View File

@ -3153,6 +3153,20 @@ TEST_F(FunctionBodyDecoderTest, DataDrop) {
ExpectFailure(sigs.v_v(), {WASM_DATA_DROP(1)});
}
TEST_F(FunctionBodyDecoderTest, DataSegmentIndexUnsigned) {
TestModuleBuilder builder;
builder.InitializeMemory();
builder.SetDataSegmentCount(65);
module = builder.module();
WASM_FEATURE_SCOPE(bulk_memory);
// Make sure that the index is interpreted as an unsigned number; 64 is
// interpreted as -64 when decoded as a signed LEB.
ExpectValidates(sigs.v_v(),
{WASM_MEMORY_INIT(64, WASM_ZERO, WASM_ZERO, WASM_ZERO)});
ExpectValidates(sigs.v_v(), {WASM_DATA_DROP(64)});
}
TEST_F(FunctionBodyDecoderTest, MemoryCopy) {
TestModuleBuilder builder;
builder.InitializeMemory();
@ -3228,6 +3242,22 @@ TEST_F(FunctionBodyDecoderTest, ElemDrop) {
ExpectFailure(sigs.v_v(), {WASM_ELEM_DROP(1)});
}
TEST_F(FunctionBodyDecoderTest, ElemSegmentIndexUnsigned) {
TestModuleBuilder builder;
builder.InitializeTable();
for (int i = 0; i < 65; ++i) {
builder.AddPassiveElementSegment();
}
module = builder.module();
WASM_FEATURE_SCOPE(bulk_memory);
// Make sure that the index is interpreted as an unsigned number; 64 is
// interpreted as -64 when decoded as a signed LEB.
ExpectValidates(sigs.v_v(),
{WASM_TABLE_INIT(0, 64, WASM_ZERO, WASM_ZERO, WASM_ZERO)});
ExpectValidates(sigs.v_v(), {WASM_ELEM_DROP(64)});
}
TEST_F(FunctionBodyDecoderTest, TableCopy) {
TestModuleBuilder builder;
builder.InitializeTable();