Open Bug 1787770 Opened 3 years ago Updated 3 years ago

Webassembly can't import some global functions in content script

Categories

(Core :: JavaScript: WebAssembly, defect, P3)

Product:
Core
Component:
JavaScript: WebAssembly
Version:
Firefox 103
Type:
defect

Tracking

()

Status:
REOPENED

People

(Reporter: nikita6, Unassigned)

Details

Attachments

(2 files)

Webextension reproducing the issue - wasm-ff-repro.zip
939 bytes, application/zip
Details
WIP: Bug 1787770 - Allow callable proxy object in wasm imports.
48 bytes, text/x-phabricator-request
Details | Review

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0

Steps to reproduce:

Run this snippet in context of webextension content script

WebAssembly.instantiate(Uint8Array.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x04, 0x01, 0x60, 0x00, 0x00, 0x02, 0x0d, 0x01, 0x04, 0x74, 0x65, 0x73, 0x74, 0x04, 0x66, 0x75, 0x6e, 0x63, 0x00, 0x00]), {test: { func: clearTimeout }}).then(v => console.log('ok', v))

Wasm module is just importing one function:

(module (import "test" "func" (func $log (param))))

clearTimeout is not the only function that triggers the bug, setTimeout, clearInterval also work, possibly more

Actual results:

Wasm could not import the global clearTimeout function, an error was raised:

LinkError: import object field 'func' is not a Function

Expected results:

Wasm module should have been able to import this function and instantiate without errors (this is what actually happens in most contexts like usual web page or a background worker). It also works this way in chrome

The problem also goes away if I use .bind(undefined) on the function object or refer to it as window.clearTimeout

The Bugbug bot thinks this bug should belong to the 'Core::JavaScript: WebAssembly' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → JavaScript: WebAssembly
Product: Firefox → Core

The severity field is not set for this bug.
:rhunt, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(rhunt)

I briefly looked at this and lost track of it. My guess here is that globals in content scripts are getting wrapped in some wrapper object for security reasons (protecting content scripts from malicious web pages). This would make instantiation fail when the import is not a JSFunction, but a wrapper around one.

I wasn't able to figure out what sort wrapper object it is though, so I'm not sure the correct way to unwrap it to get the original object.

Flags: needinfo?(rhunt)
Severity: -- → S3
Priority: -- → P3

The clearTimeout is created as a callable Proxy object. Looking at spec https://webassembly.github.io/spec/js-api/index.html#run-a-host-function , we need to change logic to include IsCallable() JS values as a possible imported function.

Minimal test for jsshell:

var f = new Proxy(function(i) { console.log(i); }, {})
WebAssembly.instantiate(Uint8Array.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x04, 0x01, 0x60, 0x00, 0x00, 0x02, 0x0d, 0x01, 0x04, 0x74, 0x65, 0x73, 0x74, 0x04, 0x66, 0x75, 0x6e, 0x63, 0x00, 0x00]), {test: { func: f }})
  .then(v => console.log('ok', v), ex => console.log('fail', ex.message));
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Duplicate of bug: 1815219
Resolution: --- → DUPLICATE

Bug 1815219 actually doesn't handle the CCW case.

Status: RESOLVED → REOPENED
No longer duplicate of bug: 1815219
Ever confirmed: true
Resolution: DUPLICATE → ---
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: