Skip to content

Commit

Permalink
[Backport] Security bug 366635354
Browse files Browse the repository at this point in the history
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5872631:
Merged: [wasm] Do not inline wrappers with 'ref extern' parameter type

This was introduced in https://crrev.com/c/4212394.

The wrapper would need to test for null and throw a type error but
doesn't do that correctly.
(The test case added only tested that a null check happens either in
the wrapper or in the cast instruction because the test case was trying
to test both cases without duplicating too much which was a bad design
choice.)

For simplicity, just disallow inlining of wrappers with parameters
typed 'ref extern'. (Users should use `externref` aka 'ref null extern'
instead anyways as the non-nullability doesn't add any benefits.)

(cherry picked from commit 3eee872739ac3523af126d7f25a623c18f5bee39)

Bug: 366635354
Change-Id: I58deec223e9c01c5292239eebee895febc880215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5872631
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Jakob Kummerow <[email protected]>
Reviewed-by: Jakob Kummerow <[email protected]>
Cr-Commit-Position: refs/branch-heads/13.0@{#2}
Cr-Branched-From: 4be854bd71ea878a25b236a27afcecffa2e29360-refs/heads/13.0.245@{#1}
Cr-Branched-From: 1f5183f7ad6cca21029fd60653d075730c644432-refs/heads/main@{#96103}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/597950
Reviewed-by: Michal Klocek <[email protected]>
  • Loading branch information
Liedtke authored and mibrunin committed Oct 21, 2024
1 parent 5ba02ae commit 75816c8
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions chromium/v8/src/compiler/js-call-reducer.cc
Original file line number Diff line number Diff line change
Expand Up @@ -3715,14 +3715,13 @@ bool CanInlineJSToWasmCall(const wasm::FunctionSig* wasm_signature) {
return false;
}

wasm::ValueType externRefNonNull = wasm::kWasmExternRef.AsNonNull();
for (auto type : wasm_signature->all()) {
#if defined(V8_TARGET_ARCH_32_BIT)
if (type == wasm::kWasmI64) return false;
#endif
if (type != wasm::kWasmI32 && type != wasm::kWasmI64 &&
type != wasm::kWasmF32 && type != wasm::kWasmF64 &&
type != wasm::kWasmExternRef && type != externRefNonNull) {
type != wasm::kWasmExternRef) {
return false;
}
}
Expand Down

0 comments on commit 75816c8

Please sign in to comment.