mirror of
https://github.com/LadybirdBrowser/ladybird
synced 2026-05-12 01:46:46 +02:00
0b8fbc03ef
Pass 2 of the validator now runs a per-instruction check that walks each opcode's fields and verifies every reference points somewhere sensible. Operand indices, label addresses, identifier/string/ property-key/regex table indices, cache indices, and trailing operand arrays are all bound-checked against the values the C++ side carries on the Executable. Fields whose bound depends on an enum variant count or other type information not present in Bytecode.def are left for a follow-up. The codegen lives in build.rs and reuses the existing layout machinery from the bytecode_def crate, so each opcode gets a match arm whose body reads each field at its known byte offset and calls the right hand-written validate_* helper. Variable-length instructions cross-check the count field against m_length before iterating the trailing array, which guards against an attacker sneaking a count that walks off the end of the instruction. Note that the encoded operand format is a flat u32 index into the runtime [registers | locals | constants | arguments] array, since Operand::offset_index_by zeroes the 3-bit type tag during assembly. The validator therefore range-checks the flat index rather than reading the type tag and dispatching per kind. The argument-count upper bound isn't tracked on Executable yet, so arguments remain effectively unbounded; tightening that bound is left for a later commit. Cache pointer fields are validated only when before_cache_fixup is true, since after the fixup pass they hold real pointers and must be left alone. NewFunction and NewClass have plain u32 fields for shared-function-data and class-blueprint indices; those are recognized by name in the codegen so the indices still get range-checked. The error category enum is renumbered to drop the per-operand-kind codes, since at the bytecode level we no longer differentiate.
107 lines
4.8 KiB
C++
107 lines
4.8 KiB
C++
/*
|
|
* Copyright (c) 2026-present, the Ladybird developers.
|
|
*
|
|
* SPDX-License-Identifier: BSD-2-Clause
|
|
*/
|
|
|
|
#include <AK/Debug.h>
|
|
#include <AK/Format.h>
|
|
#include <AK/NumericLimits.h>
|
|
#include <AK/StringView.h>
|
|
#include <LibJS/Bytecode/Executable.h>
|
|
#include <LibJS/Bytecode/Validator.h>
|
|
#include <LibJS/RustFFI.h>
|
|
|
|
namespace JS::Bytecode {
|
|
|
|
static StringView validation_error_kind_to_string(JS::FFI::ValidationErrorKind kind)
|
|
{
|
|
switch (kind) {
|
|
case JS::FFI::ValidationErrorKind::Ok:
|
|
return "Ok"sv;
|
|
case JS::FFI::ValidationErrorKind::BufferNotAligned:
|
|
return "BufferNotAligned"sv;
|
|
case JS::FFI::ValidationErrorKind::InstructionMisaligned:
|
|
return "InstructionMisaligned"sv;
|
|
case JS::FFI::ValidationErrorKind::UnknownOpcode:
|
|
return "UnknownOpcode"sv;
|
|
case JS::FFI::ValidationErrorKind::TruncatedInstruction:
|
|
return "TruncatedInstruction"sv;
|
|
case JS::FFI::ValidationErrorKind::InvalidLength:
|
|
return "InvalidLength"sv;
|
|
case JS::FFI::ValidationErrorKind::OperandOutOfRange:
|
|
return "OperandOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::OperandInvalid:
|
|
return "OperandInvalid"sv;
|
|
case JS::FFI::ValidationErrorKind::LabelNotAtInstructionBoundary:
|
|
return "LabelNotAtInstructionBoundary"sv;
|
|
case JS::FFI::ValidationErrorKind::IdentifierIndexOutOfRange:
|
|
return "IdentifierIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::StringIndexOutOfRange:
|
|
return "StringIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::PropertyKeyIndexOutOfRange:
|
|
return "PropertyKeyIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::RegexIndexOutOfRange:
|
|
return "RegexIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::PropertyLookupCacheIndexOutOfRange:
|
|
return "PropertyLookupCacheIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::GlobalVariableCacheIndexOutOfRange:
|
|
return "GlobalVariableCacheIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::TemplateObjectCacheIndexOutOfRange:
|
|
return "TemplateObjectCacheIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::ObjectShapeCacheIndexOutOfRange:
|
|
return "ObjectShapeCacheIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::ObjectPropertyIteratorCacheIndexOutOfRange:
|
|
return "ObjectPropertyIteratorCacheIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::SharedFunctionDataIndexOutOfRange:
|
|
return "SharedFunctionDataIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::ClassBlueprintIndexOutOfRange:
|
|
return "ClassBlueprintIndexOutOfRange"sv;
|
|
case JS::FFI::ValidationErrorKind::EnumOutOfRange:
|
|
return "EnumOutOfRange"sv;
|
|
}
|
|
VERIFY_NOT_REACHED();
|
|
}
|
|
|
|
ErrorOr<void> validate_bytecode(Executable const& executable, CacheState cache_state)
|
|
{
|
|
JS::FFI::FFIValidatorBounds bounds {
|
|
.number_of_registers = executable.number_of_registers,
|
|
.number_of_locals = static_cast<u32>(executable.local_variable_names.size()),
|
|
.number_of_constants = static_cast<u32>(executable.constants.size()),
|
|
// Argument count isn't tracked on Executable yet; per-instruction
|
|
// argument-index checks land in a follow-up commit.
|
|
.number_of_arguments = NumericLimits<u32>::max(),
|
|
.identifier_table_size = static_cast<u32>(executable.identifier_table->identifiers().size()),
|
|
.string_table_size = static_cast<u32>(executable.string_table->size()),
|
|
.property_key_table_size = static_cast<u32>(executable.property_key_table->property_keys().size()),
|
|
// The regex table is not consulted at runtime; m_regex_index fields
|
|
// are skipped during validation.
|
|
.regex_table_size = 0,
|
|
.property_lookup_cache_count = static_cast<u32>(executable.property_lookup_caches.size()),
|
|
.global_variable_cache_count = static_cast<u32>(executable.global_variable_caches.size()),
|
|
.template_object_cache_count = static_cast<u32>(executable.template_object_caches.size()),
|
|
.object_shape_cache_count = static_cast<u32>(executable.object_shape_caches.size()),
|
|
.object_property_iterator_cache_count = static_cast<u32>(executable.object_property_iterator_caches.size()),
|
|
.class_blueprint_count = static_cast<u32>(executable.class_blueprints.size()),
|
|
.shared_function_data_count = static_cast<u32>(executable.shared_function_data.size()),
|
|
.before_cache_fixup = cache_state == CacheState::BeforeFixup,
|
|
};
|
|
|
|
JS::FFI::FFIValidationError error {};
|
|
auto ok = rust_validate_bytecode(
|
|
executable.bytecode.data(),
|
|
executable.bytecode.size(),
|
|
&bounds,
|
|
&error);
|
|
if (ok)
|
|
return {};
|
|
|
|
auto kind = validation_error_kind_to_string(error.kind);
|
|
dbgln("Bytecode validation failed at offset {} (opcode {}): {}",
|
|
error.offset, error.opcode, kind);
|
|
return AK::Error::from_string_view(kind);
|
|
}
|
|
|
|
}
|