Skip to content

Rework JS API spec implementation limits #2089

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bvisness wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Rework JS API spec implementation limits #2089

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 36 additions & 24 deletions document/js-api/index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ urlPrefix: https://tc39.github.io/ecma262/; spec: ECMASCRIPT
text: String.prototype.substring; url: sec-string.prototype.substring
text: Array; url: sec-array-exotic-objects
text: BigInt; url: sec-ecmascript-language-types-bigint-type
text: safe integer; url: #safe-integer
urlPrefix: https://webassembly.github.io/spec/core/; spec: WebAssembly; type: dfn
text: embedding interface; url: appending/embedding.html
text: scope; url: intro/introduction.html#scope
Expand Down Expand Up @@ -399,6 +400,7 @@ Note:
To <dfn>compile a WebAssembly module</dfn> from source bytes |bytes|, perform the following steps:
1. Let |module| be [=module_decode=](|bytes|). If |module| is [=error=], return [=error=].
1. If [=module_validate=](|module|) is [=error=], return [=error=].
1. If any <a href="#limits-compile-time">compile-time limits</a> are exceeded, return [=error=].
Copy link
Contributor Author

@bvisness bvisness Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: This means that WebAssembly.validate will always fail when a module exceeds a compile-time limit, and should never fail when exceeding a runtime limit (even if instantiation would fail).

1. Return |module|.
</div>

Expand Down Expand Up @@ -608,6 +610,7 @@ The verification of WebAssembly type requirements is deferred to the
1. Let |result| be [=module_instantiate=](|store|, |module|, |imports|).
1. If |result| is [=error=], throw an appropriate exception type:
* A {{LinkError}} exception for most cases which occur during linking.
* If a <a href="#limits-runtime">runtime implementation limit</a> is exceeded, throw a {{RangeError}}.
Copy link
Contributor Author

@bvisness bvisness Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the case that covers e.g. a table with an initial size of 10,000,001 elements. Under this update to the spec, this would pass WebAssembly.validate and WebAssembly.compile but would always fail to instantiate due to this line.

* If the error came when running the start function, throw a {{RuntimeError}} for most errors which occur from WebAssembly, or the error object propagated from inner ECMAScript code.
* Another error type if appropriate, for example an out-of-memory exception, as documented in <a href="#errors">the WebAssembly error mapping</a>.
1. Let (|store|, |instance|) be |result|.
Expand Down Expand Up @@ -879,6 +882,8 @@ which can be simultaneously referenced by multiple {{Instance}} objects. Each
1. If |descriptor|["maximum"] [=map/exists=], let |maximum| be [=?=] [=AddressValueToU64=](|descriptor|["maximum"], |addrtype|); otherwise, let |maximum| be empty.
1. Let |memtype| be [=memory type=] |addrtype| { **min** |initial|, **max** |maximum| }.
1. If |memtype| is not [=valid memtype|valid=], throw a {{RangeError}} exception.
1. If |maximum| is not empty:
1. If |addrtype| is "i64" and |maximum| exceeds the [=memory type size limit=], throw a {{RangeError}} exception.
1. Let |store| be the [=surrounding agent=]'s [=associated store=].
1. Let (|store|, |memaddr|) be [=mem_alloc=](|store|, |memtype|). If allocation fails, throw a {{RangeError}} exception.
1. Set the [=surrounding agent=]'s [=associated store=] to |store|.
Expand Down Expand Up @@ -908,6 +913,8 @@ which can be simultaneously referenced by multiple {{Instance}} objects. Each
1. Let |store| be the [=surrounding agent=]'s [=associated store=].
1. Let |ret| be the [=mem_size=](|store|, |memaddr|).
1. Let |store| be [=mem_grow=](|store|, |memaddr|, |delta|).

Note: This should check the <a href="#limits-runtime">runtime implementation limits</a>.
1. If |store| is [=error=], throw a {{RangeError}} exception.
1. Set the [=surrounding agent=]'s [=associated store=] to |store|.
1. [=Refresh the memory buffer=] of |memaddr|.
Expand Down Expand Up @@ -1070,10 +1077,9 @@ Each {{Table}} object has a \[[Table]] internal slot, which is a [=table address
1. Otherwise,
1. Let |ref| be [=?=] [=ToWebAssemblyValue=](|value|, |elementtype|).
1. Let |result| be [=table_grow=](|store|, |tableaddr|, |delta64|, |ref|).
1. If |result| is [=error=], throw a {{RangeError}} exception.

Note: The above exception can happen due to either insufficient memory or an invalid size parameter.

Note: This should check the <a href="#limits-runtime">runtime implementation limits</a>.
1. If |result| is [=error=], throw a {{RangeError}} exception.
1. Set the [=surrounding agent=]'s [=associated store=] to |result|.
1. Return |initialSize|.
</div>
Expand Down Expand Up @@ -2211,47 +2217,53 @@ Note: ECMAScript doesn't specify any sort of behavior on out-of-memory condition

<h2 id="limits">Implementation-defined Limits</h2>

The WebAssembly core specification allows an implementation to define limits on the syntactic structure of the module.
The WebAssembly core specification allows an implementation to define limits on the syntactic structure of a module and on runtime resources.
While each embedding of WebAssembly may choose to define its own limits, for predictability the standard WebAssembly JavaScript Interface described in this document defines the following exact limits.
An implementation must reject a module that exceeds one of the following limits with a {{CompileError}}.
In practice, an implementation may run out of resources for valid modules below these limits.

<h3 id="limits-compile-time">Compile-time Limits</h3>

An implementation must reject a module or other resource that exceeds one of the following limits.
In practice, an implementation may run out of resources below these limits.

<ul>
<li>The maximum size of a module is 1,073,741,824 bytes (1 GiB).</li>
<li>The maximum number of types defined in the types section is 1,000,000.</li>
<li>The maximum number of recursion groups defined in the types sections is 1,000,000.</li>
<li>The maximum number of types defined in the type section is 1,000,000.</li>
<li>The maximum number of recursion groups defined in the type section is 1,000,000.</li>
<li>The maximum number of types defined in a recursion group is 1,000,000.</li>
<li>The maximum depth of a defined subtype hierarchy is 63 (where a type defined with no supertype has depth 0).
<li>The maximum number of functions defined in a module is 1,000,000.</li>
<li>The maximum number of functions defined or imported in a module is 1,000,000.</li>
<li>The maximum number of imports declared in a module is 1,000,000.</li>
<li>The maximum number of exports declared in a module is 1,000,000.</li>
<li>The maximum number of globals defined in a module is 1,000,000.</li>
<li>The maximum number of tags defined in a module is 1,000,000.</li>
<li>The maximum number of globals defined or imported in a module is 1,000,000.</li>
<li>The maximum number of tags defined or imported in a module is 1,000,000.</li>
<li>The maximum number of data segments defined in a module is 100,000.</li>

<li>The maximum number of tables, including declared or imported tables, is 100,000.</li>
<li>The maximum size of a table is 10,000,000.</li>
<li>The maximum number of table entries in any table initialization is 10,000,000.</li>

<li>The maximum number of memories, including defined and imported memories, is 100.</li>
<li>The maximum `min` or `max` field of a 32-bit memory is 65,536 pages (4 GiB).</li>
<li>The maximum `min` or `max` field of a 64-bit memory is 2^37-1 pages (2^53 - 2^16 bytes).</li>

<li>The maximum number of tables defined or imported in a module is 100,000.</li>
<li>The maximum number of element segments defined in a module is 10,000,000.</li>
<li>The maximum number of elements in any element segment is 10,000,000.</li>
<li>The maximum number of memories defined or imported in a module is 100.</li>
<li>The maximum number of parameters to any function or block is 1,000.</li>
<li>The maximum number of return values for any function or block is 1,000.</li>
<li>The maximum size of a function body, including locals declarations, is 7,654,321 bytes.</li>
<li>The maximum number of locals declared in a function, including implicitly declared as parameters, is 50,000.</li>
<li>The maximum number of locals declared in a function, including those implicitly declared as parameters, is 50,000.</li>
<li>The maximum number of fields in a struct is 10,000.</li>
<li>The maximum number of operands to `array.new_fixed` is 10,000.</li>
</ul>

An implementation must throw a {{RuntimeError}} if one of the following limits is exceeded during runtime:
In practice, an implementation may run out of resources for valid modules below these limits.
<h3 id="limits-runtime">Runtime Limits</h3>

The following limits are enforced when instantiating a module, when creating a standalone resource like a {{Memory}} or {{Table}} object, and at all times during runtime.
An implementation must throw if any of these limits is exceeded; the specific type of error thrown is up to the specific operation.
In practice, an implementation may run out of resources below these limits.

<ul>
<li>The maximum size of a table is 10,000,000.</li>
<li>The maximum size of a table is 10,000,000 elements.</li>
<li>The maximum size of a 32-bit memory is 65,536 pages (4 GiB).</li>
<li>The maximum size of a 64-bit memory is 262,144 pages (16 GiB).</li>
<li>
A 64-bit memory cannot be allocated if its `min` or `max` field exceeds the <dfn>memory type size limit</dfn> of 2^37-1 pages (2^53 - 2^16 bytes).

Note: This ensures that the maximum size of a memory's buffer is representable as a [=safe integer=]. This is enforced at runtime because the WebAssembly spec does not allow implementations to restrict the size of memory during validation.
</li>
</ul>

<h2 id="security-considerations">Security and Privacy Considerations</h2>
Expand Down
66 changes: 45 additions & 21 deletions test/js-api/limits.any.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,13 @@
// META: script=/wasm/jsapi/wasm-module-builder.js
// META: timeout=long

// Static limits
// Compile-time limits
const kJSEmbeddingMaxTypes = 1000000;
const kJSEmbeddingMaxFunctions = 1000000;
const kJSEmbeddingMaxImports = 1000000;
const kJSEmbeddingMaxExports = 1000000;
const kJSEmbeddingMaxGlobals = 1000000;
const kJSEmbeddingMaxTags = 1000000;
const kJSEmbeddingMaxDataSegments = 100000;

const kJSEmbeddingMaxModuleSize = 1024 * 1024 * 1024; // = 1 GiB
Expand All @@ -16,11 +17,14 @@ const kJSEmbeddingMaxFunctionLocals = 50000;
const kJSEmbeddingMaxFunctionParams = 1000;
const kJSEmbeddingMaxFunctionReturns = 1000;
const kJSEmbeddingMaxElementSegments = 10000000;
const kJSEmbeddingMaxElementsInSegment = 10000000;
const kJSEmbeddingMaxTables = 100000;
const kJSEmbeddingMaxMemories = 1;
const kJSEmbeddingMaxMemories = 100;
const kJSEmbeddingMaxStructFields = 10000;
const kJSEmbeddingMaxSubtypeDepth = 63;

// Dynamic limits
const kJSEmbeddingMaxTableSize = 10000000;
// Runtime limits for memories and tables are primarily tested elsewhere.
const kJSEmbeddingMaxTable32Size = 10000000;

// This function runs the {gen} function with the values {min}, {limit}, and
// {limit+1}, assuming that values below and including the limit should
Expand Down Expand Up @@ -170,6 +174,39 @@ testLimit("memories", 0, kJSEmbeddingMaxMemories, (builder, count) => {
}
});

testLimit("tags", 0, kJSEmbeddingMaxTags, (builder, count) => {
const type = builder.addType(kSig_v_v);
for (let i = 0; i < count; i++) {
builder.addTag(type);
}
});

testLimit("struct fields", 0, kJSEmbeddingMaxStructFields, (builder, count) => {
const fields = [];
for (let i = 0; i < count; i++) {
fields.push(makeField(kWasmI32, true));
}
builder.addStruct(fields);
});

testLimit("subtype depth", 0, kJSEmbeddingMaxSubtypeDepth, (builder, count) => {
// Create a chain of struct subtypes: depth 0 (no supertype),
// then depth 1 through count (each extending the previous).
builder.addStruct([makeField(kWasmI32, true)], kNoSuperType, false);
for (let i = 1; i <= count; i++) {
builder.addStruct([makeField(kWasmI32, true)], i - 1, false);
}
});

testLimit("elements in element segment", 0, kJSEmbeddingMaxElementsInSegment,
(builder, count) => {
const type = builder.addType(kSig_v_v);
builder.addFunction(undefined, type).addBody([]);
builder.setTableBounds(1, 1);
const array = new Array(count).fill(0);
builder.addElementSegment(0, false, false, array);
});

const instantiationShouldFail = 1;
const instantiationShouldSucceed = 2;
// This function tries to compile and instantiate the module produced
Expand Down Expand Up @@ -197,14 +234,13 @@ function testDynamicLimit(name, instantiationResult, imports, gen) {
assert_throws(new RangeError(),
() => new WebAssembly.Instance(compiled_module, imports));
} else if (instantiationResult == instantiationShouldSucceed) {
const instance = new WebAssembly.Instance(compiled_module, imports);
assertEquals(-1, instance.exports.grow());
const instance = new WebAssembly.Instance(compiled_module, imports);
assertEquals(-1, instance.exports.grow());
}
}, `Instantiate ${name} over limit`);

promise_test(t => {
if (instantiationResult == instantiationShouldFail) {
return Promise.resolve();
return promise_rejects(t, new RangeError(),
WebAssembly.instantiate(buffer, imports));
} else if (instantiationResult == instantiationShouldSucceed) {
Expand All @@ -217,12 +253,12 @@ function testDynamicLimit(name, instantiationResult, imports, gen) {
}

testDynamicLimit("initial table size", instantiationShouldFail, {}, (builder) => {
builder.setTableBounds(kJSEmbeddingMaxTableSize + 1, undefined);
builder.setTableBounds(kJSEmbeddingMaxTable32Size + 1, undefined);
});

testDynamicLimit(
"maximum table size", instantiationShouldSucceed, {}, (builder) => {
builder.setTableBounds(1, kJSEmbeddingMaxTableSize + 1);
builder.setTableBounds(1, kJSEmbeddingMaxTable32Size + 1);
// table.grow requires the reference types proposal. Instead we just
// return -1.
builder.addFunction("grow", kSig_i_v)
Expand All @@ -232,18 +268,6 @@ testDynamicLimit(
.exportFunc();
});

test(() => {
assert_throws(
new RangeError(),
() => new WebAssembly.Table(
{element : "anyfunc", initial : kJSEmbeddingMaxTableSize + 1}));

let memory = new WebAssembly.Table(
{initial : 1, maximum : kJSEmbeddingMaxTableSize + 1, element: "anyfunc"});
assert_throws(new RangeError(),
() => memory.grow(kJSEmbeddingMaxTableSize));
}, `Grow WebAssembly.Table object beyond the embedder-defined limit`);

function testModuleSizeLimit(size, expectPass) {
// We do not use `testLimit` here to avoid OOMs due to having multiple big
// modules alive at the same time.
Expand Down
1 change: 1 addition & 0 deletions test/js-api/memory/grow-memory64.any.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
// META: global=window,dedicatedworker,jsshell
// META: script=/wasm/jsapi/assertions.js
// META: script=/wasm/jsapi/memory/assertions.js

test(() => {
Expand Down
48 changes: 48 additions & 0 deletions test/js-api/memory/limits-memory64.any.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
// META: global=window,dedicatedworker,jsshell
// META: script=/wasm/jsapi/assertions.js
// META: script=/wasm/jsapi/memory/assertions.js

const kJSEmbeddingMemoryTypeSizeLimit = 2n**37n - 1n;
const kJSEmbeddingMaxMemory64Size = 262144n; // pages (16 GiB)

test(() => {
const memory = new WebAssembly.Memory(
{address: "i64",
initial: 1n,
maximum: kJSEmbeddingMaxMemory64Size});
assert_Memory(memory, { "size": 1, "address": "i64" });
}, `Create WebAssembly.Memory with maximum size at the runtime limit (i64)`);

test(() => {
assert_throws(
new RangeError(),
() => new WebAssembly.Memory(
{address: "i64",
initial: kJSEmbeddingMaxMemory64Size + 1n}));
}, `Create WebAssembly.Memory with initial size over the runtime limit (i64)`);

test(() => {
const mem = new WebAssembly.Memory(
{address: "i64",
initial: 1n,
maximum: kJSEmbeddingMaxMemory64Size + 1n});
assert_throws(
new RangeError(),
() => mem.grow(kJSEmbeddingMaxMemory64Size));
}, `Grow WebAssembly.Memory beyond the runtime limit (i64)`);

test(() => {
const memory = new WebAssembly.Memory(
{address: "i64",
initial: 0n,
maximum: kJSEmbeddingMemoryTypeSizeLimit});
assert_Memory(memory, { "size": 0, "address": "i64" });
}, "Maximum at memory type size limit (i64)");

test(() => {
assert_throws_js(RangeError,
() => new WebAssembly.Memory(
{address: "i64",
initial: 0n,
maximum: kJSEmbeddingMemoryTypeSizeLimit + 1n}));
}, "Maximum over memory type size limit (i64)");
30 changes: 30 additions & 0 deletions test/js-api/memory/limits.any.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
// META: global=window,dedicatedworker,jsshell
// META: script=/wasm/jsapi/memory/assertions.js

// For memory32 the maximum size is the upper bound on Int32, so we cannot
// really test out-of-bounds values the same way we can for memory64.

const kJSEmbeddingMaxMemory32Size = 65536; // pages (4 GiB)

test(() => {
const memory = new WebAssembly.Memory(
{initial: 1,
maximum: kJSEmbeddingMaxMemory32Size});
assert_Memory(memory, { "size": 1 });
}, `Create WebAssembly.Memory with maximum size at the runtime limit`);

test(() => {
assert_throws(
new RangeError(),
() => new WebAssembly.Memory(
{initial: kJSEmbeddingMaxMemory32Size + 1}));
}, `Create WebAssembly.Memory with initial size out of bounds`);

test(() => {
const mem = new WebAssembly.Memory(
{initial: 1,
maximum: kJSEmbeddingMaxMemory32Size});
assert_throws(
new RangeError(),
() => mem.grow(kJSEmbeddingMaxMemory32Size));
}, `Grow WebAssembly.Memory beyond the runtime limit`);
31 changes: 31 additions & 0 deletions test/js-api/table/limits-memory64.any.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
// META: global=window,dedicatedworker,jsshell
// META: script=/wasm/jsapi/table/assertions.js

// Same limit as table32
const kJSEmbeddingMaxTable64Size = 10000000n;

test(() => {
const table = new WebAssembly.Table(
{address: "i64",
element: "anyfunc",
initial: 1n, maximum: kJSEmbeddingMaxTable64Size + 1n});
assert_Table(table, { length: 1n }, "i64")
}, `Create WebAssembly.Table with maximum size at the runtime limit (i64)`);

test(() => {
assert_throws(
new RangeError(),
() => new WebAssembly.Table(
{address: "i64",
element: "anyfunc",
initial: kJSEmbeddingMaxTable64Size + 1n}));
}, `Create WebAssembly.Table with initial size over the runtime limit (i64)`);

test(() => {
let table = new WebAssembly.Table(
{address: "i64",
element: "anyfunc",
initial: 1n, maximum: kJSEmbeddingMaxTable64Size + 1n});
assert_throws(new RangeError(),
() => table.grow(kJSEmbeddingMaxTable64Size));
}, `Grow WebAssembly.Table object beyond the runtime limit (i64)`);
25 changes: 25 additions & 0 deletions test/js-api/table/limits.any.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
// META: global=window,dedicatedworker,jsshell
// META: script=/wasm/jsapi/table/assertions.js

const kJSEmbeddingMaxTable32Size = 10000000;

test(() => {
const table = new WebAssembly.Table(
{element: "anyfunc", initial: 1, maximum: kJSEmbeddingMaxTable32Size + 1});
assert_Table(table, { length: 1 })
}, `Create WebAssembly.Table with maximum size at the runtime limit`);

test(() => {
assert_throws(
new RangeError(),
() => new WebAssembly.Table(
{element: "anyfunc", initial: kJSEmbeddingMaxTable32Size + 1}));
}, `Create WebAssembly.Table with initial size over the runtime limit`);

test(() => {
let table = new WebAssembly.Table(
{element: "anyfunc", initial: 1,
maximum: kJSEmbeddingMaxTable32Size + 1});
assert_throws(new RangeError(),
() => table.grow(kJSEmbeddingMaxTable32Size));
}, `Grow WebAssembly.Table object beyond the runtime limit`);