[WASM] Check subtyping in both directions for mutable globals and tables

https://bugs.webkit.org/show_bug.cgi?id=278497 rdar://problem/134450707 Reviewed by Keith Miller and Yijia Huang. Replaces our existing typechecking for imported mutable globals and tables to check subtyping both ways. This ensures the type we import a global value or table as is not a supertype of the imported value's innate type - we don't want to be able to import a non-nullable (ref func) as a nullable (ref null func) and violate the original type by assigning it to a null value. * Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp: (JSC::WebAssemblyModuleRecord::initializeImports): Canonical link: https://commits.webkit.org/282682@main
dhecht · Aug 23, 2024 · f956527 · f956527
1 parent 085d136
commit f956527
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 28 deletions.
diff --git a/JSTests/wasm/gc/linking.js b/JSTests/wasm/gc/linking.js
@@ -19,19 +19,6 @@ function testLinking() {
     `, { m: { f1: m0.exports.f0 } });
   }
 
-  {
-    const m0 = instantiate(`
-      (module
-        (type (func))
-        (table (export "t0") 10 (ref null 0)))
-    `);
-
-    const m1 = instantiate(`
-      (module
-        (table (import "m" "t1") 10 (ref null func)))
-    `, { m: { t1: m0.exports.t0 } });
-  }
-
   {
     const m0 = instantiate(`
       (module
@@ -44,19 +31,6 @@ function testLinking() {
         (global (import "m" "g1") (ref null func)))
     `, { m: { g1: m0.exports.g0 } });
   }
-
-  {
-    const m0 = instantiate(`
-      (module
-        (type (func))
-        (global (export "g0") (mut (ref null 0)) (ref.null 0)))
-    `);
-
-    const m1 = instantiate(`
-      (module
-        (global (import "m" "g1") (mut (ref null func))))
-    `, { m: { g1: m0.exports.g0 } });
-  }
 }
 
 testLinking();
diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp
@@ -361,7 +361,7 @@ void WebAssemblyModuleRecord::initializeImports(JSGlobalObject* globalObject, JS
                 if (!value.inherits<JSWebAssemblyGlobal>())
                     return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global"_s, "must be a WebAssembly.Global object since it is mutable"_s)));
                 JSWebAssemblyGlobal* globalValue = jsCast<JSWebAssemblyGlobal*>(value);
-                if (!isSubtype(globalValue->global()->type(), global.type))
+                if (!isSubtype(globalValue->global()->type(), global.type) || !isSubtype(global.type, globalValue->global()->type()))
                     return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global"_s, "must be a same type"_s)));
                 if (globalValue->global()->mutability() != global.mutability)
                     return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global"_s, "must be a same mutability"_s)));
@@ -393,7 +393,7 @@ void WebAssemblyModuleRecord::initializeImports(JSGlobalObject* globalObject, JS
 
             auto expectedType = moduleInformation.tables[import.kindIndex].wasmType();
             auto actualType = table->table()->wasmType();
-            if (!Wasm::isSubtype(actualType, expectedType))
+            if (!Wasm::isSubtype(actualType, expectedType) || !Wasm::isSubtype(expectedType, actualType))
                 return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "Table import"_s, "provided a 'type' that is wrong"_s)));
 
             // ii. Append v to tables.