commit db28ba0d29566932ba39d6bfce851ca8aa735646
parent 06ee928e276b7e33c22e0d52f0a2915596990310
Author: Julien Pages <jpages@mozilla.com>
Date: Mon, 20 Oct 2025 21:45:15 +0000
Bug 1992316 - Bad error handling when the validation of an asm.js module fails. r=rhunt
Differential Revision: https://phabricator.services.mozilla.com/D268062
Diffstat:
2 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/js/src/jit-test/tests/asm.js/bug1992316.js b/js/src/jit-test/tests/asm.js/bug1992316.js
@@ -0,0 +1,55 @@
+// |jit-test| skip-if: !isAsmJSCompilationAvailable()
+
+// Generate a function with many parameters and local variables.
+// We want to test the limits and this module should fail validation.
+function build_asm_code(num_params, num_locals_decl_extra) {
+ let params = [];
+ let param_annots = [];
+ for (let i = 0; i < num_params; ++i) {
+ params.push(`p${i}`);
+ param_annots.push(` p${i} = p${i} | 0;`);
+ }
+ let local_inits = [];
+ local_inits.push(`x = 0`);
+ for (let i = 0; i < num_locals_decl_extra; ++i) {
+ let name = `l${i}`;
+ local_inits.push(`${name} = 0`);
+ }
+ if (local_inits.length > 0) {
+ local_decl = ` var ${local_inits.join()};`;
+ }
+ const body = `
+ x = p0 | 0;
+ switch (x | 0) {
+ case 0:
+ return 1;
+ case 1:
+ return 2;
+ default:
+ return 3;
+ }
+ return 0;
+ `;
+ const code = `
+function Module(stdlib, foreign, buffer) {
+ "use asm";
+ // No stdlib imports needed
+
+ // Function 'f' with specified parameters and locals
+ function f(${params.join()}) {
+ ${param_annots.join("")}
+ ${local_decl}
+ ${body}
+ }
+
+ // Export function 'f'
+ return { f: f };
+}
+`;
+ return code;
+}
+const num_params = 10;
+const num_locals_decl_extra = 49997;
+const code = build_asm_code(num_params, num_locals_decl_extra);
+
+const module = eval(`(${code})`);
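Review bot: `local_decl` on the `if (local_inits.length > 0)` line is assigned without ever being declared, so in this sloppy-mode jit-test script it becomes an implicit global, and the guard itself is dead because `x = 0` is always pushed into `local_inits` first; declare it directly, `const local_decl = \` var ${local_inits.join()};\`;`, and drop the `if`. The script also never checks the outcome it exists to exercise: after the final `eval` nothing asserts that the generated module actually failed asm.js validation, so a later change that made validation succeed (or crash differently) would pass unnoticed; `assertEq(isAsmJSModule(module), false);` after the `eval` would pin the expected result, assuming the shell's `isAsmJSModule` helper is available in this test configuration. A one-line comment above the `eval`, such as `// Expected to fall back to plain JS: the locals count exceeds the asm.js validation limits.`, would also make the intent explicit for anyone reading the test later.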
diff --git a/js/src/wasm/AsmJS.cpp b/js/src/wasm/AsmJS.cpp
@@ -2195,8 +2195,14 @@ class MOZ_STACK_CLASS ModuleValidator : public ModuleValidatorShared {
return nullptr;
}
+ // We must give the generator a reference to an error to fill in. We don't
+ // use it ourselves though because the only error we should get is for
+ // implementation limits like 'stack frame too big' which we couldn't guard
+ // against ahead of time. Returning nullptr is the right thing to do in
+ // these cases.
+ UniqueChars error;
ModuleGenerator mg(*codeMeta_, compilerEnv_, compilerEnv_.initialState(),
- nullptr, nullptr, nullptr);
+ nullptr, &error, nullptr);
if (!mg.initializeCompleteTier(codeMetaForAsmJS_.get())) {
return nullptr;
}