Google Git
Sign in
webkit / WebKit / e146947e3de2db01460172509f724ad9a1d99ced^! / .
commite146947e3de2db01460172509f724ad9a1d99ced[log] [tgz]
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Oct 16 21:51:38 2019 +0000
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Oct 16 21:51:38 2019 +0000
treeab06f02e57864419a2df1885e497b1eba33e7f05
parent208c91fe7c5e2848f0c13a760e2934fc09af53da [diff]
Move assert in Wasm::Plan::fail.
https://bugs.webkit.org/show_bug.cgi?id=203052

Reviewed by Mark Lam.

JSTests:

* wasm/regress/wasm-plan-fail-bad-error-message-assert.js: Added.
(Binary):
(Binary.prototype.trunc_buffer):
(Binary.prototype.emit_leb_u):
(Binary.prototype.emit_u32v):
(Binary.prototype.emit_bytes):
(Binary.prototype.emit_header):
(__f_576):
(__f_587):

Source/JavaScriptCore:

Since we changed how Wasm::Plan interacts with the streaming
parser it's possible for the streaming parser to call fail with no
error message (because the corresponding Wasm::Plan already
failed). This patch moves an erroneous assert so it no longer
trips when this happens.

* wasm/WasmPlan.cpp:
(JSC::Wasm::Plan::fail):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@251209 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index a93d49f..3b589f8 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog

@@ -1,3 +1,20 @@
+2019-10-16  Keith Miller  <keith_miller@apple.com>
+
+        Move assert in Wasm::Plan::fail.
+        https://bugs.webkit.org/show_bug.cgi?id=203052
+
+        Reviewed by Mark Lam.
+
+        * wasm/regress/wasm-plan-fail-bad-error-message-assert.js: Added.
+        (Binary):
+        (Binary.prototype.trunc_buffer):
+        (Binary.prototype.emit_leb_u):
+        (Binary.prototype.emit_u32v):
+        (Binary.prototype.emit_bytes):
+        (Binary.prototype.emit_header):
+        (__f_576):
+        (__f_587):
+
 2019-10-15  Mark Lam  <mark.lam@apple.com>
 
         operationSwitchCharWithUnknownKeyType failed to handle OOME when resolving rope string.

diff --git a/JSTests/wasm/regress/wasm-plan-fail-bad-error-message-assert.js b/JSTests/wasm/regress/wasm-plan-fail-bad-error-message-assert.js
new file mode 100644
index 0000000..6f0eedf
--- /dev/null
+++ b/JSTests/wasm/regress/wasm-plan-fail-bad-error-message-assert.js

@@ -0,0 +1,55 @@
+// From oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17976
+
+var kWasmH0 = 0;
+var kWasmH1 = 0x61;
+var kWasmH2 = 0x73;
+var kWasmH3 = 0x6d;
+var kWasmV0 = 0x1;
+var kWasmV1 = 0;
+var kWasmV2 = 0;
+var kWasmV3 = 0;
+let kTypeSectionCode = 1;
+let kFunctionSectionCode = 3;
+let kCodeSectionCode = 10;
+let kWasmFunctionTypeForm = 0x60;
+class Binary {
+  constructor() {
+    this.length = 0;
+    this.buffer = new Uint8Array(8192);
+  }
+  trunc_buffer() {
+    return new Uint8Array(this.buffer.buffer, 0, this.length);
+  }
+  emit_leb_u() {
+
+        this.buffer[this.length++] = v;
+        return;
+  }
+  emit_u32v() {
+    this.emit_leb_u();
+  }
+  emit_bytes(data) {
+    this.buffer.set(data, this.length);
+    this.length += data.length;
+  }
+  emit_header() {
+    this.emit_bytes([kWasmH0, kWasmH1, kWasmH2, kWasmH3, kWasmV0, kWasmV1, kWasmV2, kWasmV3]);
+  }
+
+}
+function __f_576(__v_2078) {
+    WebAssembly.compile(__v_2078.trunc_buffer())
+}
+  (function __f_587() {
+    let __v_2099 = new Binary();
+
+      __v_2099.emit_header()
+      __v_2099.emit_bytes([kTypeSectionCode, 4, 1, kWasmFunctionTypeForm, 0, 0])
+      __v_2099.emit_bytes([kFunctionSectionCode, 2, 1, 0])
+      __v_2099.emit_bytes([kCodeSectionCode, 20, 1])
+    try {
+      __v_2099.emit_u32v();
+    } catch (e) {}
+      __f_576(__v_2099,
+ 'testBodySizeIsZero')
+  })();

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 5da62fa..0820223 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog

@@ -1,5 +1,21 @@
 2019-10-16  Keith Miller  <keith_miller@apple.com>
 
+        Move assert in Wasm::Plan::fail.
+        https://bugs.webkit.org/show_bug.cgi?id=203052
+
+        Reviewed by Mark Lam.
+
+        Since we changed how Wasm::Plan interacts with the streaming
+        parser it's possible for the streaming parser to call fail with no
+        error message (because the corresponding Wasm::Plan already
+        failed). This patch moves an erroneous assert so it no longer
+        trips when this happens.
+
+        * wasm/WasmPlan.cpp:
+        (JSC::Wasm::Plan::fail):
+
+2019-10-16  Keith Miller  <keith_miller@apple.com>
+
         checkConsistency in Air O0 should only run when validation is enabled
         https://bugs.webkit.org/show_bug.cgi?id=203050
 

diff --git a/Source/JavaScriptCore/wasm/WasmPlan.cpp b/Source/JavaScriptCore/wasm/WasmPlan.cpp
index 8e1b9ce..1ed6cff 100644
--- a/Source/JavaScriptCore/wasm/WasmPlan.cpp
+++ b/Source/JavaScriptCore/wasm/WasmPlan.cpp

@@ -130,9 +130,9 @@
 
 void Plan::fail(const AbstractLocker& locker, String&& errorMessage)
 {
-    ASSERT(errorMessage);
     if (failed())
         return;
+    ASSERT(errorMessage);
     dataLogLnIf(WasmPlanInternal::verbose, "failing with message: ", errorMessage);
     m_errorMessage = WTFMove(errorMessage);
     complete(locker);