Bug 1668375 - wasm: Decode ref.null in element segments as heap type.…

… r=lth Because we special case the decoding code for element segments, the change to use heap types for ref.null wasn't propagated from OpIter. We should decode as a heap type here. Differential Revision: https://phabricator.services.mozilla.com/D91997
mozilla · Oct 5, 2020 · 0cdf64b · 0cdf64b
1 parent fb950b7
commit 0cdf64b
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 1 deletion.
diff --git a/js/src/jit-test/lib/wasm-binary.js b/js/src/jit-test/lib/wasm-binary.js
@@ -374,6 +374,20 @@ function dataCountSection(count) {
     return { name: dataCountId, body };
 }
 
+function globalSection(globalArray) {
+    var body = [];
+    body.push(...varU32(globalArray.length));
+    for (let globalObj of globalArray) {
+        // Value type
+        body.push(...varU32(globalObj.valType));
+        // Flags
+        body.push(globalObj.flags & 255);
+        // Initializer expression
+        body.push(...globalObj.initExpr);
+    }
+    return { name: globalId, body };
+}
+
 function elemSection(elemArrays) {
     var body = [];
     body.push(...varU32(elemArrays.length));

diff --git a/js/src/jit-test/tests/wasm/function-references/binary.js b/js/src/jit-test/tests/wasm/function-references/binary.js
@@ -0,0 +1,52 @@
+// |jit-test| skip-if: !wasmFunctionReferencesEnabled()
+
+load(libdir + "wasm-binary.js");
+
+const v2vSig = {args:[], ret:VoidCode};
+const v2vSigSection = sigSection([v2vSig]);
+
+function checkInvalid(binary, errorMessage) {
+    assertErrorMessage(() => new WebAssembly.Module(binary),
+        WebAssembly.CompileError,
+        errorMessage);
+}
+
+// The immediate of ref.null is a heap type, not a general reference type
+
+const invalidRefNullHeapBody = moduleWithSections([
+    v2vSigSection,
+    declSection([0]),
+    bodySection([
+        funcBody({locals:[], body:[
+            RefNullCode,
+            OptRefCode,
+            AnyFuncCode,
+            DropCode,
+        ]})
+    ])
+]);
+checkInvalid(invalidRefNullHeapBody, /invalid heap type/);
+
+const invalidRefNullHeapElem = moduleWithSections([
+    generalElemSection([
+        {
+            flag: PassiveElemExpr,
+            typeCode: AnyFuncCode,
+            elems: [
+                [RefNullCode, OptRefCode, AnyFuncCode, EndCode]
+            ]
+        }
+    ])
+]);
+checkInvalid(invalidRefNullHeapElem, /invalid heap type/);
+
+const invalidRefNullHeapGlobal = moduleWithSections([
+    globalSection([
+        {
+            valType: AnyFuncCode,
+            flag: 0,
+            initExpr: [RefNullCode, OptRefCode, AnyFuncCode, EndCode]
+        }
+    ])
+]);
+checkInvalid(invalidRefNullHeapGlobal, /invalid heap type/);
diff --git a/js/src/wasm/WasmValidate.cpp b/js/src/wasm/WasmValidate.cpp
@@ -2770,7 +2770,7 @@ static bool DecodeElemSection(Decoder& d, ModuleEnvironment* env) {
             initType = RefType::func();
             break;
           case uint16_t(Op::RefNull):
-            if (!d.readRefType(env->types, env->features, &initType)) {
+            if (!d.readHeapType(env->types, env->features, true, &initType)) {
               return false;
             }
             needIndex = false;