Closed Bug 1940984 Opened 29 days ago Closed 29 days ago

Missing Validation for Element Segment Initialization

Categories

(Core :: JavaScript: WebAssembly, defect)

Firefox 136
defect


RESOLVED INVALID

People

(Reporter: tombox1337, Unassigned)

Attachments (1 file)

program.js (416 bytes, application/x-javascript)

Description

gecko-dev does not enforce the restriction that element segment initializers can only reference imported globals. According to the WebAssembly specification, globals are not recursive and cannot be accessed within constant expressions when they are defined locally, affecting the initialization of element segments.

Environment

  • OS: Ubuntu 20.04
  • CPU: amd64
  • Version: 047a913194120e9f4b3d86abfa670cbe7846a022

Steps to Reproduce

Run the following WebAssembly module:

/gecko-dev/obj-debug-x86_64-pc-linux-gnu/dist/bin/js ./program.js

Output

(no error or warning)

Expected Behavior

Per the WebAssembly specification, element segment initializers should only be able to reference imported globals. If a locally defined global is accessed, the module should fail validation with an error similar to:

initializer expression can only reference an imported global

That is true of the wasm 1.0 spec, but wasm 3.0 relaxed this requirement and this is now valid. Specifically this happened in the Wasm GC proposal [1]. Note that the element section comes after the global section, and so it can access all the globals defined there. The only restriction we have now is that they must be immutable.

[1] https://webassembly.github.io/gc/core/valid/modules.html#globals

Status: UNCONFIRMED → RESOLVED
Closed: 29 days ago
Resolution: --- → INVALID
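An added example, not the reporter's program.js and not SpiderMonkey code, that encodes the situation discussed in this bug by hand so the rule can be probed on any engine: three minimal modules whose active element segment offset is `global.get 0`, differing only in whether global 0 is imported, defined locally, or defined locally as mutable. The helper names (`buildModule`, `probe`) and the import names `env`/`g` are the example's own choices. The imported-immutable variant validates under every spec version; the local-mutable variant fails everywhere, since constant expressions may only read immutable globals; the local-immutable variant is exactly the case reported here and is accepted only by an engine implementing the relaxed Wasm GC / 3.0 rule, so its result tells you which rule the engine you run it in applies.

```javascript
// Added example: hand-encode three tiny WebAssembly modules whose element
// segment offset expression is `global.get 0` and ask the engine which ones
// validate. Module layout:
//   (type (func))          type 0: () -> ()
//   global 0 : i32         either imported as env.g or defined as (i32.const 0)
//   (table 1 funcref)
//   (func)                 func 0, empty body
//   (elem (global.get 0) func 0)

const MAGIC = [0x00, 0x61, 0x73, 0x6d];
const VERSION = [0x01, 0x00, 0x00, 0x00];

// Unsigned LEB128. All values here are small, but keep the encoding correct.
function uleb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}

// vec(item*): item count followed by the concatenated items.
function vec(items) {
  return [...uleb(items.length), ...items.flat()];
}

// section(id, body): id byte, body length, body.
function section(id, body) {
  return [id, ...uleb(body.length), ...body];
}

// name: vec of UTF-8 bytes (ASCII only is used here).
function str(s) {
  return vec([...s].map((c) => c.charCodeAt(0)));
}

function buildModule({ importGlobal, mutable }) {
  const I32 = 0x7f, FUNCREF = 0x70;
  const globalType = [I32, mutable ? 0x01 : 0x00];
  const bytes = [...MAGIC, ...VERSION];
  bytes.push(...section(1, vec([[0x60, 0x00, 0x00]])));            // type section
  if (importGlobal) {
    // import "env" "g" (global i32 [mut])
    bytes.push(...section(2, vec([[...str("env"), ...str("g"), 0x03, ...globalType]])));
  }
  bytes.push(...section(3, vec([[0x00]])));                         // func 0 uses type 0
  bytes.push(...section(4, vec([[FUNCREF, 0x00, 0x01]])));          // table 0: funcref, min 1
  if (!importGlobal) {
    // global 0 = (global i32 [mut] (i32.const 0))
    bytes.push(...section(6, vec([[...globalType, 0x41, 0x00, 0x0b]])));
  }
  // element segment flag 0: active, table 0, offset `global.get 0 end`, funcs [0]
  bytes.push(...section(9, vec([[0x00, 0x23, 0x00, 0x0b, ...vec([[0x00]])]])));
  // code: one body of size 2 = no locals, end
  bytes.push(...section(10, vec([[...uleb(2), 0x00, 0x0b]])));
  return new Uint8Array(bytes);
}

// Returns which of the three variants the running engine accepts.
function probe() {
  return {
    importedImmutable: WebAssembly.validate(buildModule({ importGlobal: true, mutable: false })),
    localImmutable: WebAssembly.validate(buildModule({ importGlobal: false, mutable: false })),
    localMutable: WebAssembly.validate(buildModule({ importGlobal: false, mutable: true })),
  };
}

console.log(probe());
```

On an engine implementing the wasm 1.0 rule `localImmutable` is `false`; on one implementing the Wasm GC / 3.0 rule it is `true`. The other two results do not depend on the spec version, which is why the mutable case is the only useful negative check here.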