From b99e548b63cf23982e02f520b30253fa37dbcf7a Mon Sep 17 00:00:00 2001 From: Ben Visness Date: Wed, 18 Feb 2026 13:48:26 -0600 Subject: [PATCH] Rework implementation limits --- document/js-api/index.bs | 60 ++++++++++++--------- test/js-api/limits.any.js | 66 +++++++++++++++-------- test/js-api/memory/grow-memory64.any.js | 1 + test/js-api/memory/limits-memory64.any.js | 48 +++++++++++++++++ test/js-api/memory/limits.any.js | 30 +++++++++++ test/js-api/table/limits-memory64.any.js | 31 +++++++++++ test/js-api/table/limits.any.js | 25 +++++++++ 7 files changed, 216 insertions(+), 45 deletions(-) create mode 100644 test/js-api/memory/limits-memory64.any.js create mode 100644 test/js-api/memory/limits.any.js create mode 100644 test/js-api/table/limits-memory64.any.js create mode 100644 test/js-api/table/limits.any.js diff --git a/document/js-api/index.bs b/document/js-api/index.bs index 3f5803815e..c806871d30 100644 --- a/document/js-api/index.bs +++ b/document/js-api/index.bs @@ -100,6 +100,7 @@ urlPrefix: https://tc39.github.io/ecma262/; spec: ECMASCRIPT text: String.prototype.substring; url: sec-string.prototype.substring text: Array; url: sec-array-exotic-objects text: BigInt; url: sec-ecmascript-language-types-bigint-type + text: safe integer; url: #safe-integer urlPrefix: https://webassembly.github.io/spec/core/; spec: WebAssembly; type: dfn text: embedding interface; url: appending/embedding.html text: scope; url: intro/introduction.html#scope @@ -399,6 +400,7 @@ Note: To compile a WebAssembly module from source bytes |bytes|, perform the following steps: 1. Let |module| be [=module_decode=](|bytes|). If |module| is [=error=], return [=error=]. 1. If [=module_validate=](|module|) is [=error=], return [=error=]. + 1. If any compile-time limits are exceeded, return [=error=]. 1. Return |module|. @@ -608,6 +610,7 @@ The verification of WebAssembly type requirements is deferred to the 1. Let |result| be [=module_instantiate=](|store|, |module|, |imports|). 1. If |result| is [=error=], throw an appropriate exception type: * A {{LinkError}} exception for most cases which occur during linking. + * If a runtime implementation limit is exceeded, throw a {{RangeError}}. * If the error came when running the start function, throw a {{RuntimeError}} for most errors which occur from WebAssembly, or the error object propagated from inner ECMAScript code. * Another error type if appropriate, for example an out-of-memory exception, as documented in the WebAssembly error mapping. 1. Let (|store|, |instance|) be |result|. @@ -879,6 +882,8 @@ which can be simultaneously referenced by multiple {{Instance}} objects. Each 1. If |descriptor|["maximum"] [=map/exists=], let |maximum| be [=?=] [=AddressValueToU64=](|descriptor|["maximum"], |addrtype|); otherwise, let |maximum| be empty. 1. Let |memtype| be [=memory type=] |addrtype| { **min** |initial|, **max** |maximum| }. 1. If |memtype| is not [=valid memtype|valid=], throw a {{RangeError}} exception. + 1. If |maximum| is not empty: + 1. If |addrtype| is "i64" and |maximum| exceeds the [=memory type size limit=], throw a {{RangeError}} exception. 1. Let |store| be the [=surrounding agent=]'s [=associated store=]. 1. Let (|store|, |memaddr|) be [=mem_alloc=](|store|, |memtype|). If allocation fails, throw a {{RangeError}} exception. 1. Set the [=surrounding agent=]'s [=associated store=] to |store|. @@ -908,6 +913,8 @@ which can be simultaneously referenced by multiple {{Instance}} objects. Each 1. Let |store| be the [=surrounding agent=]'s [=associated store=]. 1. Let |ret| be the [=mem_size=](|store|, |memaddr|). 1. Let |store| be [=mem_grow=](|store|, |memaddr|, |delta|). + + Note: This should check the runtime implementation limits. 1. If |store| is [=error=], throw a {{RangeError}} exception. 1. Set the [=surrounding agent=]'s [=associated store=] to |store|. 1. [=Refresh the memory buffer=] of |memaddr|. @@ -1070,10 +1077,9 @@ Each {{Table}} object has a \[[Table]] internal slot, which is a [=table address 1. Otherwise, 1. Let |ref| be [=?=] [=ToWebAssemblyValue=](|value|, |elementtype|). 1. Let |result| be [=table_grow=](|store|, |tableaddr|, |delta64|, |ref|). - 1. If |result| is [=error=], throw a {{RangeError}} exception. - - Note: The above exception can happen due to either insufficient memory or an invalid size parameter. + Note: This should check the runtime implementation limits. + 1. If |result| is [=error=], throw a {{RangeError}} exception. 1. Set the [=surrounding agent=]'s [=associated store=] to |result|. 1. Return |initialSize|. @@ -2211,47 +2217,53 @@ Note: ECMAScript doesn't specify any sort of behavior on out-of-memory condition

Implementation-defined Limits

-The WebAssembly core specification allows an implementation to define limits on the syntactic structure of the module. +The WebAssembly core specification allows an implementation to define limits on the syntactic structure of a module and on runtime resources. While each embedding of WebAssembly may choose to define its own limits, for predictability the standard WebAssembly JavaScript Interface described in this document defines the following exact limits. -An implementation must reject a module that exceeds one of the following limits with a {{CompileError}}. -In practice, an implementation may run out of resources for valid modules below these limits. + +

Compile-time Limits

+ +An implementation must reject a module or other resource that exceeds one of the following limits. +In practice, an implementation may run out of resources below these limits. -An implementation must throw a {{RuntimeError}} if one of the following limits is exceeded during runtime: -In practice, an implementation may run out of resources for valid modules below these limits. +

Runtime Limits

+ +The following limits are enforced when instantiating a module, when creating a standalone resource like a {{Memory}} or {{Table}} object, and at all times during runtime. +An implementation must throw if any of these limits is exceeded; the specific type of error thrown is up to the specific operation. +In practice, an implementation may run out of resources below these limits.

Security and Privacy Considerations

diff --git a/test/js-api/limits.any.js b/test/js-api/limits.any.js index 72b721bfc8..7baf75cfb8 100644 --- a/test/js-api/limits.any.js +++ b/test/js-api/limits.any.js @@ -2,12 +2,13 @@ // META: script=/wasm/jsapi/wasm-module-builder.js // META: timeout=long -// Static limits +// Compile-time limits const kJSEmbeddingMaxTypes = 1000000; const kJSEmbeddingMaxFunctions = 1000000; const kJSEmbeddingMaxImports = 1000000; const kJSEmbeddingMaxExports = 1000000; const kJSEmbeddingMaxGlobals = 1000000; +const kJSEmbeddingMaxTags = 1000000; const kJSEmbeddingMaxDataSegments = 100000; const kJSEmbeddingMaxModuleSize = 1024 * 1024 * 1024; // = 1 GiB @@ -16,11 +17,14 @@ const kJSEmbeddingMaxFunctionLocals = 50000; const kJSEmbeddingMaxFunctionParams = 1000; const kJSEmbeddingMaxFunctionReturns = 1000; const kJSEmbeddingMaxElementSegments = 10000000; +const kJSEmbeddingMaxElementsInSegment = 10000000; const kJSEmbeddingMaxTables = 100000; -const kJSEmbeddingMaxMemories = 1; +const kJSEmbeddingMaxMemories = 100; +const kJSEmbeddingMaxStructFields = 10000; +const kJSEmbeddingMaxSubtypeDepth = 63; -// Dynamic limits -const kJSEmbeddingMaxTableSize = 10000000; +// Runtime limits for memories and tables are primarily tested elsewhere. +const kJSEmbeddingMaxTable32Size = 10000000; // This function runs the {gen} function with the values {min}, {limit}, and // {limit+1}, assuming that values below and including the limit should @@ -170,6 +174,39 @@ testLimit("memories", 0, kJSEmbeddingMaxMemories, (builder, count) => { } }); +testLimit("tags", 0, kJSEmbeddingMaxTags, (builder, count) => { + const type = builder.addType(kSig_v_v); + for (let i = 0; i < count; i++) { + builder.addTag(type); + } +}); + +testLimit("struct fields", 0, kJSEmbeddingMaxStructFields, (builder, count) => { + const fields = []; + for (let i = 0; i < count; i++) { + fields.push(makeField(kWasmI32, true)); + } + builder.addStruct(fields); +}); + +testLimit("subtype depth", 0, kJSEmbeddingMaxSubtypeDepth, (builder, count) => { + // Create a chain of struct subtypes: depth 0 (no supertype), + // then depth 1 through count (each extending the previous). + builder.addStruct([makeField(kWasmI32, true)], kNoSuperType, false); + for (let i = 1; i <= count; i++) { + builder.addStruct([makeField(kWasmI32, true)], i - 1, false); + } +}); + +testLimit("elements in element segment", 0, kJSEmbeddingMaxElementsInSegment, + (builder, count) => { + const type = builder.addType(kSig_v_v); + builder.addFunction(undefined, type).addBody([]); + builder.setTableBounds(1, 1); + const array = new Array(count).fill(0); + builder.addElementSegment(0, false, false, array); + }); + const instantiationShouldFail = 1; const instantiationShouldSucceed = 2; // This function tries to compile and instantiate the module produced @@ -197,14 +234,13 @@ function testDynamicLimit(name, instantiationResult, imports, gen) { assert_throws(new RangeError(), () => new WebAssembly.Instance(compiled_module, imports)); } else if (instantiationResult == instantiationShouldSucceed) { - const instance = new WebAssembly.Instance(compiled_module, imports); - assertEquals(-1, instance.exports.grow()); + const instance = new WebAssembly.Instance(compiled_module, imports); + assertEquals(-1, instance.exports.grow()); } }, `Instantiate ${name} over limit`); promise_test(t => { if (instantiationResult == instantiationShouldFail) { - return Promise.resolve(); return promise_rejects(t, new RangeError(), WebAssembly.instantiate(buffer, imports)); } else if (instantiationResult == instantiationShouldSucceed) { @@ -217,12 +253,12 @@ function testDynamicLimit(name, instantiationResult, imports, gen) { } testDynamicLimit("initial table size", instantiationShouldFail, {}, (builder) => { - builder.setTableBounds(kJSEmbeddingMaxTableSize + 1, undefined); + builder.setTableBounds(kJSEmbeddingMaxTable32Size + 1, undefined); }); testDynamicLimit( "maximum table size", instantiationShouldSucceed, {}, (builder) => { - builder.setTableBounds(1, kJSEmbeddingMaxTableSize + 1); + builder.setTableBounds(1, kJSEmbeddingMaxTable32Size + 1); // table.grow requires the reference types proposal. Instead we just // return -1. builder.addFunction("grow", kSig_i_v) @@ -232,18 +268,6 @@ testDynamicLimit( .exportFunc(); }); -test(() => { - assert_throws( - new RangeError(), - () => new WebAssembly.Table( - {element : "anyfunc", initial : kJSEmbeddingMaxTableSize + 1})); - - let memory = new WebAssembly.Table( - {initial : 1, maximum : kJSEmbeddingMaxTableSize + 1, element: "anyfunc"}); - assert_throws(new RangeError(), - () => memory.grow(kJSEmbeddingMaxTableSize)); -}, `Grow WebAssembly.Table object beyond the embedder-defined limit`); - function testModuleSizeLimit(size, expectPass) { // We do not use `testLimit` here to avoid OOMs due to having multiple big // modules alive at the same time. diff --git a/test/js-api/memory/grow-memory64.any.js b/test/js-api/memory/grow-memory64.any.js index 506ee832a0..8e8946dcde 100644 --- a/test/js-api/memory/grow-memory64.any.js +++ b/test/js-api/memory/grow-memory64.any.js @@ -1,4 +1,5 @@ // META: global=window,dedicatedworker,jsshell +// META: script=/wasm/jsapi/assertions.js // META: script=/wasm/jsapi/memory/assertions.js test(() => { diff --git a/test/js-api/memory/limits-memory64.any.js b/test/js-api/memory/limits-memory64.any.js new file mode 100644 index 0000000000..312a0173ee --- /dev/null +++ b/test/js-api/memory/limits-memory64.any.js @@ -0,0 +1,48 @@ +// META: global=window,dedicatedworker,jsshell +// META: script=/wasm/jsapi/assertions.js +// META: script=/wasm/jsapi/memory/assertions.js + +const kJSEmbeddingMemoryTypeSizeLimit = 2n**37n - 1n; +const kJSEmbeddingMaxMemory64Size = 262144n; // pages (16 GiB) + +test(() => { + const memory = new WebAssembly.Memory( + {address: "i64", + initial: 1n, + maximum: kJSEmbeddingMaxMemory64Size}); + assert_Memory(memory, { "size": 1, "address": "i64" }); +}, `Create WebAssembly.Memory with maximum size at the runtime limit (i64)`); + +test(() => { + assert_throws( + new RangeError(), + () => new WebAssembly.Memory( + {address: "i64", + initial: kJSEmbeddingMaxMemory64Size + 1n})); +}, `Create WebAssembly.Memory with initial size over the runtime limit (i64)`); + +test(() => { + const mem = new WebAssembly.Memory( + {address: "i64", + initial: 1n, + maximum: kJSEmbeddingMaxMemory64Size + 1n}); + assert_throws( + new RangeError(), + () => mem.grow(kJSEmbeddingMaxMemory64Size)); +}, `Grow WebAssembly.Memory beyond the runtime limit (i64)`); + +test(() => { + const memory = new WebAssembly.Memory( + {address: "i64", + initial: 0n, + maximum: kJSEmbeddingMemoryTypeSizeLimit}); + assert_Memory(memory, { "size": 0, "address": "i64" }); +}, "Maximum at memory type size limit (i64)"); + +test(() => { + assert_throws_js(RangeError, + () => new WebAssembly.Memory( + {address: "i64", + initial: 0n, + maximum: kJSEmbeddingMemoryTypeSizeLimit + 1n})); +}, "Maximum over memory type size limit (i64)"); diff --git a/test/js-api/memory/limits.any.js b/test/js-api/memory/limits.any.js new file mode 100644 index 0000000000..deaf2fed9b --- /dev/null +++ b/test/js-api/memory/limits.any.js @@ -0,0 +1,30 @@ +// META: global=window,dedicatedworker,jsshell +// META: script=/wasm/jsapi/memory/assertions.js + +// For memory32 the maximum size is the upper bound on Int32, so we cannot +// really test out-of-bounds values the same way we can for memory64. + +const kJSEmbeddingMaxMemory32Size = 65536; // pages (4 GiB) + +test(() => { + const memory = new WebAssembly.Memory( + {initial: 1, + maximum: kJSEmbeddingMaxMemory32Size}); + assert_Memory(memory, { "size": 1 }); +}, `Create WebAssembly.Memory with maximum size at the runtime limit`); + +test(() => { + assert_throws( + new RangeError(), + () => new WebAssembly.Memory( + {initial: kJSEmbeddingMaxMemory32Size + 1})); +}, `Create WebAssembly.Memory with initial size out of bounds`); + +test(() => { + const mem = new WebAssembly.Memory( + {initial: 1, + maximum: kJSEmbeddingMaxMemory32Size}); + assert_throws( + new RangeError(), + () => mem.grow(kJSEmbeddingMaxMemory32Size)); +}, `Grow WebAssembly.Memory beyond the runtime limit`); diff --git a/test/js-api/table/limits-memory64.any.js b/test/js-api/table/limits-memory64.any.js new file mode 100644 index 0000000000..5a6420e253 --- /dev/null +++ b/test/js-api/table/limits-memory64.any.js @@ -0,0 +1,31 @@ +// META: global=window,dedicatedworker,jsshell +// META: script=/wasm/jsapi/table/assertions.js + +// Same limit as table32 +const kJSEmbeddingMaxTable64Size = 10000000n; + +test(() => { + const table = new WebAssembly.Table( + {address: "i64", + element: "anyfunc", + initial: 1n, maximum: kJSEmbeddingMaxTable64Size + 1n}); + assert_Table(table, { length: 1n }, "i64") +}, `Create WebAssembly.Table with maximum size at the runtime limit (i64)`); + +test(() => { + assert_throws( + new RangeError(), + () => new WebAssembly.Table( + {address: "i64", + element: "anyfunc", + initial: kJSEmbeddingMaxTable64Size + 1n})); +}, `Create WebAssembly.Table with initial size over the runtime limit (i64)`); + +test(() => { + let table = new WebAssembly.Table( + {address: "i64", + element: "anyfunc", + initial: 1n, maximum: kJSEmbeddingMaxTable64Size + 1n}); + assert_throws(new RangeError(), + () => table.grow(kJSEmbeddingMaxTable64Size)); +}, `Grow WebAssembly.Table object beyond the runtime limit (i64)`); diff --git a/test/js-api/table/limits.any.js b/test/js-api/table/limits.any.js new file mode 100644 index 0000000000..ad5379f265 --- /dev/null +++ b/test/js-api/table/limits.any.js @@ -0,0 +1,25 @@ +// META: global=window,dedicatedworker,jsshell +// META: script=/wasm/jsapi/table/assertions.js + +const kJSEmbeddingMaxTable32Size = 10000000; + +test(() => { + const table = new WebAssembly.Table( + {element: "anyfunc", initial: 1, maximum: kJSEmbeddingMaxTable32Size + 1}); + assert_Table(table, { length: 1 }) +}, `Create WebAssembly.Table with maximum size at the runtime limit`); + +test(() => { + assert_throws( + new RangeError(), + () => new WebAssembly.Table( + {element: "anyfunc", initial: kJSEmbeddingMaxTable32Size + 1})); +}, `Create WebAssembly.Table with initial size over the runtime limit`); + +test(() => { + let table = new WebAssembly.Table( + {element: "anyfunc", initial: 1, + maximum: kJSEmbeddingMaxTable32Size + 1}); + assert_throws(new RangeError(), + () => table.grow(kJSEmbeddingMaxTable32Size)); +}, `Grow WebAssembly.Table object beyond the runtime limit`);