Bounds-checking for array attributes.

Author: mlogan

tests/webidl/output.txt

@@ -69,10 +69,12 @@ unsigned short int: 65535
 return unsigned long -1
 unsigned long int: 4294967295
 void * 3
-array[0] == 0
-array[7] == 7
-array[0] == 42
-array[7] == 43
+int_array[0] == 0
+int_array[7] == 7
+int_array[0] == 42
+int_array[7] == 43
+idx -1: Array index -1 out of bounds: [0,8)
+idx 8: Array index 8 out of bounds: [0,8)
 struct_array[0].attr1 == 0
 struct_array[0].attr2 == 0
 struct_array[7].attr1 == 7

tests/webidl/post.js

@@ -154,18 +154,35 @@ TheModule.print('void * ' + voidPointerUser.GetVoidPointer());
 // Array tests
 
 var arrayClass = new TheModule.ArrayClass();
-TheModule.print('array[0] == ' + arrayClass.get_int_array(0));
-TheModule.print('array[7] == ' + arrayClass.get_int_array(7));
+TheModule.print('int_array[0] == ' + arrayClass.get_int_array(0));
+TheModule.print('int_array[7] == ' + arrayClass.get_int_array(7));
 arrayClass.set_int_array(0, 42);
 arrayClass.set_int_array(7, 43);
-TheModule.print('array[0] == ' + arrayClass.get_int_array(0));
-TheModule.print('array[7] == ' + arrayClass.get_int_array(7));
+TheModule.print('int_array[0] == ' + arrayClass.get_int_array(0));
+TheModule.print('int_array[7] == ' + arrayClass.get_int_array(7));
+
+try {
+  arrayClass.set_int_array(-1, struct);
+} catch (e) {
+  TheModule.print('idx -1: ' + e);
+}
+
+try {
+  arrayClass.set_int_array(8, struct);
+} catch (e) {
+  TheModule.print('idx 8: ' + e);
+}
 
 TheModule.print('struct_array[0].attr1 == ' + arrayClass.get_struct_array(0).get_attr1());
 TheModule.print('struct_array[0].attr2 == ' + arrayClass.get_struct_array(0).get_attr2());
 TheModule.print('struct_array[7].attr1 == ' + arrayClass.get_struct_array(7).get_attr1());
 TheModule.print('struct_array[7].attr2 == ' + arrayClass.get_struct_array(7).get_attr2());
 
+// Verify that bounds checking is *not* enabled when not asked for.
+// This actually causes an illegal memory access, but as it's only a read, and the return
+// value is not used, it shouldn't cause any problems in practice.
+arrayClass.get_struct_array(8);
+
 var struct = new TheModule.StructInArray(13, 17);
 arrayClass.set_struct_array(0, struct);
 struct = new TheModule.StructInArray(14, 18);

tests/webidl/test.idl

@@ -118,7 +118,7 @@ interface StructInArray {
 
 interface ArrayClass {
   void ArrayClass();
-  attribute long[] int_array;
+  [BoundsChecked] attribute long[] int_array;
   [Value] attribute StructInArray[] struct_array;
   attribute StructInArray[] struct_ptr_array;
 };

third_party/WebIDL.py

@@ -2855,6 +2855,7 @@ def handleExtendedAttribute(self, attr):
               identifier == "AvailableIn" or
               identifier == "Const" or
               identifier == "Value" or
+              identifier == "BoundsChecked" or
               identifier == "NewObject"):
             # Known attributes that we don't need to do anything with here
             pass

tools/webidl_binder.py

@@ -132,6 +132,17 @@ def emit_constructor(name):
 
 ''']
 
+mid_c += ['''
+// Not using size_t for array indices as the values used by the javascript code are signed.
+void array_bounds_check(const int array_size, const int array_idx) {
+  if (array_idx < 0 || array_idx >= array_size) {
+    EM_ASM_INT({
+      throw 'Array index ' + $0 + ' out of bounds: [0,' + $1 + ')';
+    }, array_idx, array_size);
+  }
+}
+''']
+
 C_FLOATS = ['float', 'double']
 
 def type_to_c(t, non_pointing=False):
@@ -388,6 +399,10 @@ def render_function(class_name, func_name, sigs, return_type, non_pointer, copy,
                        Dummy({ 'type': m.type })] }
       get_call_content = take_addr_if_nonpointer(m) + 'self->' + attr + '[arg0]'
       set_call_content = 'self->' + attr + '[arg0] = ' + deref_if_nonpointer(m) + 'arg1'
+      if m.getExtendedAttribute('BoundsChecked'):
+        bounds_check = "array_bounds_check(sizeof(self->%s) / sizeof(self->%s[0]), arg0)" % (attr, attr)
+        get_call_content = "(%s, %s)" % (bounds_check, get_call_content)
+        set_call_content = "(%s, %s)" % (bounds_check, set_call_content)
     else:
       get_sigs = { 0: [] }
       set_sigs = { 1: [Dummy({ 'type': m.type })] }