Missing Validation for Element Segment Initialization
(Core :: JavaScript: WebAssembly, defect)
(Reporter: tombox1337, Unassigned)
Attachments (1 file): Steps to reproduce: (416 bytes, application/x-javascript)
Description
gecko-dev does not enforce the restriction that element segment initializers can only reference imported globals. According to the WebAssembly specification, globals are not recursive and cannot be accessed within constant expressions when they are defined locally, affecting the initialization of element segments.
Environment
- OS: Ubuntu 20.04
- CPU: amd64
- Version: 047a913194120e9f4b3d86abfa670cbe7846a022
Steps to Reproduce
Run the following WebAssembly module:
/gecko-dev/obj-debug-x86_64-pc-linux-gnu/dist/bin/js ./program.js
Output
(no error or warning)
Expected Behavior
Per the WebAssembly specification, element segment initializers should only be able to reference imported globals. If a locally defined global is accessed, the module should fail validation with an error similar to:
initializer expression can only reference an imported global
Comment 1 • 29 days ago
That is true of the wasm 1.0 spec, but wasm 3.0 relaxed this requirement and this is now valid. Specifically this happened in the Wasm GC proposal [1]. Note that the element section comes after the global section, and so it can access all the globals defined there. The only restriction we have now is that they must be immutable.
[1] https://webassembly.github.io/gc/core/valid/modules.html#globals
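As an added illustration of the point made in the report and in Comment 1 (this script is not part of the bug, its attachment, or gecko-dev), the code below hand-assembles three minimal wasm modules whose single active element segment uses the offset expression (global.get 0). They differ only in what global 0 is: an imported immutable i32, a locally defined immutable i32 (init i32.const 1), or a locally defined mutable i32. Each module is then passed to the engine's validator, and the accepted ones are instantiated so the filled table slot can be read back. The import names env/base and the export name t are arbitrary choices for the example. The imported case is accepted under every spec level and the mutable case is rejected under every spec level (constant expressions may only read immutable globals); the locally defined immutable case is the one the bug is about, rejected by the wasm 1.0 rules and accepted by engines that implement the Wasm GC / 3.0 rules, so its result depends on the engine you run this in.

```javascript
// Added example, not code from the bug report or from gecko-dev.
// Runs in Node.js or a js shell; only the global WebAssembly object is used.

// Unsigned LEB128, used for section sizes, vector lengths and indices.
function leb128(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}
// vec(entries): length prefix followed by the concatenated entries (each a byte array).
function vec(entries) { return [...leb128(entries.length), ...entries.flat()]; }
// section(id, body): section id, LEB128 byte size, body.
function section(id, body) { return [id, ...leb128(body.length), ...body]; }
// name(s): length-prefixed ASCII bytes for import/export names.
function name(s) {
  const bytes = [...s].map(c => c.charCodeAt(0));
  return [...leb128(bytes.length), ...bytes];
}

// Build a module whose element segment puts func 0 at table[global.get 0].
// globalKind is one of 'imported', 'local-immutable', 'local-mutable'.
function buildModule(globalKind) {
  const MUT = { 'local-immutable': 0x00, 'local-mutable': 0x01 };
  const sections = [];
  sections.push(section(1, vec([[0x60, 0x00, 0x00]])));            // type 0: () -> ()
  if (globalKind === 'imported') {
    // import "env"."base" as an immutable i32 global; it becomes global index 0
    sections.push(section(2, vec([[...name('env'), ...name('base'), 0x03, 0x7f, 0x00]])));
  }
  sections.push(section(3, vec([[0x00]])));                          // func 0 uses type 0
  sections.push(section(4, vec([[0x70, 0x00, 0x02]])));              // table 0: funcref, min 2
  if (globalKind !== 'imported') {
    // global 0 defined in this module: i32, mutability per kind, init = (i32.const 1)
    sections.push(section(6, vec([[0x7f, MUT[globalKind], 0x41, 0x01, 0x0b]])));
  }
  sections.push(section(7, vec([[...name('t'), 0x01, 0x00]])));       // export table 0 as "t"
  // element segment, flags 0: active, table 0, offset = (global.get 0) end, funcidx vec [0]
  sections.push(section(9, vec([[0x00, 0x23, 0x00, 0x0b, ...vec([[0x00]])]])));
  sections.push(section(10, vec([[0x02, 0x00, 0x0b]])));             // body of func 0: no locals, end
  return new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, ...sections.flat()]);
}

// Ask the engine's validator whether the module is well-formed.
function validates(globalKind) {
  return WebAssembly.validate(buildModule(globalKind));
}

// Instantiate an accepted module and return the table slot that received func 0
// (-1 if none). The host supplies base = 1 for the imported variant.
function slotFilled(globalKind) {
  const mod = new WebAssembly.Module(buildModule(globalKind));
  const imports = globalKind === 'imported' ? { env: { base: 1 } } : {};
  const table = new WebAssembly.Instance(mod, imports).exports.t;
  for (let i = 0; i < table.length; i++) {
    if (table.get(i) !== null) return i;
  }
  return -1;
}

for (const kind of ['imported', 'local-immutable', 'local-mutable']) {
  const ok = validates(kind);
  const slot = ok ? slotFilled(kind) : 'n/a';
  console.log(`${kind.padEnd(16)} validate -> ${ok}   func 0 at table slot -> ${slot}`);
}
```

Run it with node or with the js shell from the bug's reproduction step; an engine that still applies the 1.0 rule (as the reporter expected) prints false for local-immutable, while one that implements the relaxed rule from the GC proposal prints true and places func 0 at slot 1, the value of the local global.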