[wasm] Return immediately if code generation is not allowed

gahaas · Commit Bot · commit cecd2ed5b7ce · 2018-09-11T13:15:20.000Z
There was a bug in WebAssembly.instantiate in the case where a CSP disallows WebAssembly compilation. In this case the promise returned by WebAssembly.instantiate was rejected immediately because of the CSP, but then compilation was started anyways, and the promise was resolved after compilation for a second time, which caused the crash. With this CL we do not start compilation if CSP disallows WebAssembly compilation. R=clemensh@chromium.org Bug: chromium:881978 Change-Id: Iffdb3e02c3006eb7f86211ab197f81cf20438f0e Reviewed-on: https://chromium-review.googlesource.com/1219706 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#55788}
diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
@@ -818,6 +818,7 @@ void WebAssemblyInstantiate(const v8::FunctionCallbackInfo<v8::Value>& args) {
   if (!i::wasm::IsWasmCodegenAllowed(i_isolate, i_isolate->native_context())) {
     thrower.CompileError("Wasm code generation disallowed by embedder");
     compilation_resolver->OnCompilationFailed(thrower.Reify());
+    return;
   }
 
   // Asynchronous compilation handles copying wire bytes if necessary.
diff --git a/test/mjsunit/wasm/disallow-codegen.js b/test/mjsunit/wasm/disallow-codegen.js
@@ -65,6 +65,16 @@ async function AsyncTestOk() {
     promise, module => assertInstanceof(module, WebAssembly.Module));
 }
 
+async function AsyncTestWithInstantiateOk() {
+  print('async module instantiate (ok)...');
+  %DisallowCodegenFromStrings(false);
+  %DisallowWasmCodegen(false);
+  let promise = WebAssembly.instantiate(buffer);
+  assertPromiseResult(
+      promise,
+      module => assertInstanceof(module.instance, WebAssembly.Instance));
+}
+
 async function AsyncTestFail() {
   print('async module compile (fail)...');
   %DisallowCodegenFromStrings(true);
@@ -78,6 +88,19 @@ async function AsyncTestFail() {
   }
 }
 
+async function AsyncTestWithInstantiateFail() {
+  print('async module instantiate (fail)...');
+  %DisallowCodegenFromStrings(true);
+  %DisallowWasmCodegen(false);
+  try {
+    let m = await WebAssembly.instantiate(buffer);
+    assertUnreachable();
+  } catch (e) {
+    print("  " + e);
+    assertInstanceof(e, WebAssembly.CompileError);
+  }
+}
+
 async function AsyncTestWasmFail(disallow_codegen) {
   print('async wasm module compile (fail)...');
   %DisallowCodegenFromStrings(disallow_codegen);
@@ -91,6 +114,19 @@ async function AsyncTestWasmFail(disallow_codegen) {
   }
 }
 
+async function AsyncTestWasmWithInstantiateFail(disallow_codegen) {
+  print('async wasm module instantiate (fail)...');
+  %DisallowCodegenFromStrings(disallow_codegen);
+  %DisallowWasmCodegen(true);
+  try {
+    let m = await WebAssembly.instantiate(buffer);
+    assertUnreachable();
+  } catch (e) {
+    print("  " + e);
+    assertInstanceof(e, WebAssembly.CompileError);
+  }
+}
+
 async function StreamingTestOk() {
   print('streaming module compile (ok)...');
   // TODO(titzer): compileStreaming must be supplied by embedder.
@@ -149,14 +185,17 @@ async function RunAll() {
   await SyncTestOk();
   await SyncTestFail();
   await AsyncTestOk();
+  await AsyncTestWithInstantiateOk();
   await AsyncTestFail();
+  await AsyncTestWithInstantiateFail();
   await StreamingTestOk();
   await StreamingTestFail();
 
   disallow_codegen = false;
   for (count = 0; count < 2; ++count) {
     SyncTestWasmFail(disallow_codegen);
     AsyncTestWasmFail(disallow_codegen);
+    AsyncTestWasmWithInstantiateFail(disallow_codegen);
     StreamingTestWasmFail(disallow_codegen)
     disallow_codegen = true;
   }

Original file line number	Diff line number	Diff line change
`@@ -818,6 +818,7 @@ void WebAssemblyInstantiate(const v8::FunctionCallbackInfo<v8::Value>& args) {`
`818`	`818`	`if (!i::wasm::IsWasmCodegenAllowed(i_isolate, i_isolate->native_context())) {`
`819`	`819`	`thrower.CompileError("Wasm code generation disallowed by embedder");`
`820`	`820`	`compilation_resolver->OnCompilationFailed(thrower.Reify());`
	`821`	`+ return;`
`821`	`822`	`}`
`822`	`823`
`823`	`824`	`// Asynchronous compilation handles copying wire bytes if necessary.`