From f172c2a223e9dcd69cd2a468c6cf14577b86560f Mon Sep 17 00:00:00 2001 From: Ryan Hunt Date: Tue, 19 Aug 2025 12:53:13 -0500 Subject: [PATCH 1/6] [js-api] Set the implementation limit for memory types memory32 is the full 4GiB range. memory64 is at 2^37-1 so that when the page size is converted to bytes it is less than the JS MAX_SAFE_INTEGER value. Leave the runtime limits for memory sizes as-is. --- document/js-api/index.bs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/document/js-api/index.bs b/document/js-api/index.bs index 7d172c81c5..0c166ffc00 100644 --- a/document/js-api/index.bs +++ b/document/js-api/index.bs @@ -1805,7 +1805,10 @@ In practice, an implementation may run out of resources for valid modules below
  • The maximum number of tables, including declared or imported tables, is 100,000.
  • The maximum size of a table is 10,000,000.
  • The maximum number of table entries in any table initialization is 10,000,000.
    • +
  • The maximum number of memories, including defined and imported memories, is 100.
    • +
  • The maximum `min` or `max` field of a 32-bit memory is 65,536 pages (4 GiB).
    • +
  • The maximum `min` or `max` field of a 64-bit memory is 2^37-1 pages (2^53 - 2^16 bytes).
  • The maximum number of parameters to any function or block is 1,000.
  • The maximum number of return values for any function or block is 1,000.
    • From 9b9c70cc08db9c6fc494564f3105d477320b778a Mon Sep 17 00:00:00 2001 From: Ryan Hunt Date: Tue, 19 Aug 2025 12:57:38 -0500 Subject: [PATCH 2/6] [js-api] Don't allow memories without max in toResizableBuffer --- document/js-api/index.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/document/js-api/index.bs b/document/js-api/index.bs index 0c166ffc00..4d7b04cdb9 100644 --- a/document/js-api/index.bs +++ b/document/js-api/index.bs @@ -860,15 +860,15 @@ Immediately after a WebAssembly [=memory.grow=] instruction executes, perform th
    The toResizableBuffer() method, when invoked, performs the following steps: + 1. If |memtype| does not have a max, + 1. [=Throw=] a {{TypeError}} exception. 1. Let |buffer| be **this**.\[[BufferObject]]. 1. If [=IsFixedLengthArrayBuffer=](|buffer|) is false, return |buffer|. 1. Let |memaddr| be **this**.\[[Memory]]. 1. Let |store| be the [=surrounding agent=]'s [=associated store=]. 1. Let |memtype| be [=mem_type=](|store|, |memaddr|). - 1. If |memtype| has a max, - 1. Let |maxsize| be the max value in |memtype|. - 1. Otherwise, - 1. Let |maxsize| be 65536 × 65536. + 1. Assert |memtype| has a max. + 1. Let |maxsize| be the max value in |memtype|. 1. Let |resizableBuffer| be the result of [=create a resizable memory buffer|creating a resizable memory buffer=] from |memaddr| and |maxsize|. 1. Perform [=!=] [$DetachArrayBuffer$](|buffer|, "WebAssembly.Memory"). 1. Set **this**.\[[BufferObject]] to |resizableBuffer|. From 9f0898b69f3ae7d66498557aff95d5eb047c0181 Mon Sep 17 00:00:00 2001 From: Ryan Hunt Date: Tue, 19 Aug 2025 12:59:44 -0500 Subject: [PATCH 3/6] [js-api] Remove unnecessary guard on maxsize We must allow maxsize greater than 4GiB for memory64. The impl limit for memory64 will ensure the maxsize is within MAX_SAFE_INTEGER. --- document/js-api/index.bs | 2 -- 1 file changed, 2 deletions(-) diff --git a/document/js-api/index.bs b/document/js-api/index.bs index 4d7b04cdb9..e8c335de9d 100644 --- a/document/js-api/index.bs +++ b/document/js-api/index.bs @@ -754,8 +754,6 @@ which can be simultaneously referenced by multiple {{Instance}} objects. Each 1. Let |block| be a [=Data Block=] which is [=identified with=] the underlying memory of |memaddr|. 1. Let |length| be the length of |block|. - 1. If |maxsize| > (65536 × 65536), - 1. Throw a {{RangeError}} exception. 1. Let |buffer| be a new {{ArrayBuffer}} with the internal slots \[[ArrayBufferData]], \[[ArrayBufferByteLength]], \[[ArrayBufferMaxByteLength]], and \[[ArrayBufferDetachKey]]. 1. Set |buffer|.\[[ArrayBufferData]] to |block|. 1. Set |buffer|.\[[ArrayBufferByteLength]] to |length|. From 8c5737f0b144419a9a430d29fd6a0870a6da972e Mon Sep 17 00:00:00 2001 From: Ryan Hunt Date: Tue, 19 Aug 2025 13:59:16 -0500 Subject: [PATCH 4/6] [js-api] Fix ordering of instructions --- document/js-api/index.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/document/js-api/index.bs b/document/js-api/index.bs index e8c335de9d..44064c4871 100644 --- a/document/js-api/index.bs +++ b/document/js-api/index.bs @@ -858,13 +858,13 @@ Immediately after a WebAssembly [=memory.grow=] instruction executes, perform th
    The toResizableBuffer() method, when invoked, performs the following steps: + 1. Let |memaddr| be **this**.\[[Memory]]. + 1. Let |store| be the [=surrounding agent=]'s [=associated store=]. + 1. Let |memtype| be [=mem_type=](|store|, |memaddr|). 1. If |memtype| does not have a max, 1. [=Throw=] a {{TypeError}} exception. 1. Let |buffer| be **this**.\[[BufferObject]]. 1. If [=IsFixedLengthArrayBuffer=](|buffer|) is false, return |buffer|. - 1. Let |memaddr| be **this**.\[[Memory]]. - 1. Let |store| be the [=surrounding agent=]'s [=associated store=]. - 1. Let |memtype| be [=mem_type=](|store|, |memaddr|). 1. Assert |memtype| has a max. 1. Let |maxsize| be the max value in |memtype|. 1. Let |resizableBuffer| be the result of [=create a resizable memory buffer|creating a resizable memory buffer=] from |memaddr| and |maxsize|. From aba573555a7ddebd89c2ce6408bb6852e370a44f Mon Sep 17 00:00:00 2001 From: Ryan Hunt Date: Tue, 19 Aug 2025 14:35:03 -0500 Subject: [PATCH 5/6] [js-api] Fix units --- document/js-api/index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/js-api/index.bs b/document/js-api/index.bs index 44064c4871..e168c1d5d1 100644 --- a/document/js-api/index.bs +++ b/document/js-api/index.bs @@ -866,7 +866,7 @@ Immediately after a WebAssembly [=memory.grow=] instruction executes, perform th 1. Let |buffer| be **this**.\[[BufferObject]]. 1. If [=IsFixedLengthArrayBuffer=](|buffer|) is false, return |buffer|. 1. Assert |memtype| has a max. - 1. Let |maxsize| be the max value in |memtype|. + 1. Let |maxsize| be the max value in |memtype| * 65536. 1. Let |resizableBuffer| be the result of [=create a resizable memory buffer|creating a resizable memory buffer=] from |memaddr| and |maxsize|. 1. Perform [=!=] [$DetachArrayBuffer$](|buffer|, "WebAssembly.Memory"). 1. Set **this**.\[[BufferObject]] to |resizableBuffer|. From c8b83b7472095e309de0c5093c39ea4367135063 Mon Sep 17 00:00:00 2001 From: Ryan Hunt Date: Wed, 10 Sep 2025 13:31:57 -0500 Subject: [PATCH 6/6] Fix Assert in memory.grow --- document/js-api/index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/document/js-api/index.bs b/document/js-api/index.bs index e168c1d5d1..2707725209 100644 --- a/document/js-api/index.bs +++ b/document/js-api/index.bs @@ -865,7 +865,7 @@ Immediately after a WebAssembly [=memory.grow=] instruction executes, perform th 1. [=Throw=] a {{TypeError}} exception. 1. Let |buffer| be **this**.\[[BufferObject]]. 1. If [=IsFixedLengthArrayBuffer=](|buffer|) is false, return |buffer|. - 1. Assert |memtype| has a max. + 1. Assert: |memtype| has a max. 1. Let |maxsize| be the max value in |memtype| * 65536. 1. Let |resizableBuffer| be the result of [=create a resizable memory buffer|creating a resizable memory buffer=] from |memaddr| and |maxsize|. 1. Perform [=!=] [$DetachArrayBuffer$](|buffer|, "WebAssembly.Memory").