mirrors/ladybird
0
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird.git synced 2025-09-21 08:48:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

LibWasm: Fix memory.fill ignoring memory index and unsafe bounds check
Some checks are pending
CI / macOS, arm64, Sanitizer, Clang (push) Waiting to run
Details
CI / Linux, x86_64, Fuzzers, Clang (push) Waiting to run
Details
CI / Linux, x86_64, Sanitizer, GNU (push) Waiting to run
Details
CI / Linux, x86_64, Sanitizer, Clang (push) Waiting to run
Details
Package the js repl as a binary artifact / Linux, arm64 (push) Waiting to run
Details
Package the js repl as a binary artifact / macOS, arm64 (push) Waiting to run
Details
Package the js repl as a binary artifact / Linux, x86_64 (push) Waiting to run
Details
Run test262 and test-wasm / run_and_update_results (push) Waiting to run
Details
Lint Code / lint (push) Waiting to run
Details
Label PRs with merge conflicts / auto-labeler (push) Waiting to run
Details
Push notes / build (push) Waiting to run
Details

Browse source 
Previously, the memory.fill instruction always wrote to memory 0,
ignoring the selected memory index. This caused incorrect behavior
in multi-memory modules (e.g. filling mem0 instead of mem1).
Additionally, the bounds check used `destination_offset + count`
without overflow checking, which could wrap and bypass validation.

This patch:
- Passes `args.memory_index` into store_to_memory, so the correct
  memory is filled.
- Uses Checked<u32> for destination_offset + count, consistent
  with memory.copy and memory.init, to prevent overflow.

Minimal repro:

    (module
      (memory $m0 1)
      (memory $m1 1)

      (func (export "go") (result i32)
        ;; Fill mem1[0] with 0xAA
        i32.const 0
        i32.const 170
        i32.const 1
        memory.fill (memory 1)

        ;; Return (mem1[0] << 8) | mem0[0]
        i32.const 0
        i32.load8_u (memory 1)
        i32.const 8
        i32.shl
        i32.const 0
        i32.load8_u (memory 0)
        i32.or
      )
    )

Before fix: returns 170 (0x00AA).
After fix:  returns 43520 (0xAA00).
This commit is contained in:
Pavel Shliak 2025-09-06 01:54:05 +04:00 committed by Ali Mohammad Pur
commit a125bc97c4
Notes: github-actions[bot] 2025-09-06 06:52:12 +00:00
3 changed files with 16 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Libraries/LibWasm/AbstractMachine/BytecodeInterpreter.cpp
View file

@ -469,13 +469,16 @@ void BytecodeInterpreter::interpret_impl(Configuration& configuration, Expressio
u8 value = static_cast<u8>(configuration.take_source(1, addresses.sources).to<u32>());
auto destination_offset = configuration.take_source(2, addresses.sources).to<u32>();
TRAP_IN_LOOP_IF_NOT(static_cast<size_t>(destination_offset + count) <= instance->data().size());
Checked<u32> checked_end = destination_offset;
checked_end += count;
TRAP_IN_LOOP_IF_NOT(!checked_end.has_overflow() && static_cast<size_t>(checked_end.value()) <= instance->data().size());
if (count == 0)
RUN_NEXT_INSTRUCTION();
Instruction::MemoryArgument memarg { 0, 0, args.memory_index };
for (u32 i = 0; i < count; ++i) {
if (store_to_memory(configuration, Instruction::MemoryArgument { 0, 0 }, { &value, sizeof(value) }, destination_offset + i))
if (store_to_memory(configuration, memarg, { &value, sizeof(value) }, destination_offset + i))
return;
}

11
Libraries/LibWasm/Tests/Executor/test-memfill-memidx.js Normal file
View file

@ -0,0 +1,11 @@
test("memfill executes and returns expected result", () => {
const bin = readBinaryWasmFile("Fixtures/Modules/memfill-memidx.wasm");
const module = parseWebAssemblyModule(bin);
const go = module.getExport("go");
const result = module.invoke(go);
// mem1[0]=0xAA, mem0[0]=0x00 → 0xAA00 = 43520
expect(result).toBe(43520);
});

BIN
Libraries/LibWasm/Tests/Fixtures/Modules/memfill-memidx.wasm Normal file
View file

Binary file not shown.