Commit 0e9e8164 authored by Sven Sauleau's avatar Sven Sauleau Committed by Commit Bot

[wasm] fix js-api table/get-set

Fix WebAssembly's table/get-set js-api. The argument is a unsigned long,
this change refactors most of arithmetic and bounds checks type from
int64 to uint32_t, according to the spec.

Bug: v8:8319
Change-Id: I088f631c6805b0e5ba29089b08ea15e78fe5852d
Cq-Include-Trybots: luci.chromium.try:linux-blink-rel
Reviewed-on: https://chromium-review.googlesource.com/c/1414914Reviewed-by: 's avatarAdam Klein <adamk@chromium.org>
Reviewed-by: 's avatarDeepti Gandluri <gdeepti@chromium.org>
Commit-Queue: Sven Sauleau <ssauleau@igalia.com>
Cr-Commit-Position: refs/heads/master@{#58941}
parent 6c15e478
......@@ -1385,8 +1385,10 @@ void WebAssemblyTableSet(const v8::FunctionCallbackInfo<v8::Value>& args) {
EXTRACT_THIS(receiver, WasmTableObject);
// Parameter 0.
int64_t index;
if (!args[0]->IntegerValue(context).To(&index)) return;
uint32_t index;
if (!EnforceUint32("Argument 0", args[0], context, &thrower, &index)) {
return;
}
// Parameter 1.
i::Handle<i::Object> value = Utils::OpenHandle(*args[1]);
......@@ -1396,12 +1398,12 @@ void WebAssemblyTableSet(const v8::FunctionCallbackInfo<v8::Value>& args) {
return;
}
if (index < 0 || index >= receiver->functions()->length()) {
if (index >= static_cast<uint64_t>(receiver->functions()->length())) {
thrower.RangeError("index out of bounds");
return;
}
i::WasmTableObject::Set(i_isolate, receiver, static_cast<int32_t>(index),
i::WasmTableObject::Set(i_isolate, receiver, index,
value->IsNull(i_isolate)
? i::Handle<i::JSFunction>::null()
: i::Handle<i::JSFunction>::cast(value));
......
......@@ -844,7 +844,7 @@ void WasmTableObject::Grow(Isolate* isolate, uint32_t count) {
}
void WasmTableObject::Set(Isolate* isolate, Handle<WasmTableObject> table,
int32_t table_index, Handle<JSFunction> function) {
uint32_t table_index, Handle<JSFunction> function) {
Handle<FixedArray> array(table->functions(), isolate);
if (function.is_null()) {
ClearDispatchTables(isolate, table, table_index); // Degenerate case.
......
......@@ -277,7 +277,7 @@ class WasmTableObject : public JSObject {
int table_index);
static void Set(Isolate* isolate, Handle<WasmTableObject> table,
int32_t index, Handle<JSFunction> function);
uint32_t index, Handle<JSFunction> function);
static void UpdateDispatchTables(Isolate* isolate,
Handle<WasmTableObject> table,
......
......@@ -652,7 +652,7 @@ assertErrorMessage(
assertErrorMessage(
() => get.call({}), TypeError, /called on incompatible Object/);
assertErrorMessage(
() => get.call(tbl1), TypeError, /Argument 0 must be convertible to a valid number/);
() => get.call(tbl1), TypeError, /must be convertible to a valid number/);
assertEq(get.call(tbl1, 0), null);
assertEq(get.call(tbl1, 0, Infinity), null);
assertEq(get.call(tbl1, 1), null);
......@@ -687,14 +687,14 @@ assertErrorMessage(
assertErrorMessage(
() => set.call(tbl1, 2, null), RangeError, /bad Table set index/);
assertErrorMessage(
() => set.call(tbl1, -1, null), RangeError, /bad Table set index/);
() => set.call(tbl1, -1, null), TypeError, /bad Table set index/);
assertErrorMessage(
() => set.call(tbl1, Math.pow(2, 33), null), RangeError,
() => set.call(tbl1, Math.pow(2, 33), null), TypeError,
/bad Table set index/);
assertErrorMessage(
() => set.call(tbl1, Infinity, null), RangeError, /bad Table set index/);
() => set.call(tbl1, Infinity, null), TypeError, /bad Table set index/);
assertErrorMessage(
() => set.call(tbl1, -Infinity, null), RangeError, /bad Table set index/);
() => set.call(tbl1, -Infinity, null), TypeError, /bad Table set index/);
assertErrorMessage(
() => set.call(tbl1, 0, undefined), TypeError,
/can only assign WebAssembly exported functions to Table/);
......@@ -714,7 +714,9 @@ assertErrorMessage(
'hai');
assertEq(set.call(tbl1, 0, null), undefined);
assertEq(set.call(tbl1, 1, null), undefined);
assertEq(set.call(tbl1, undefined, null), undefined);
assertErrorMessage(
() => set.call(tbl1, undefined, null), TypeError,
/must be convertible to a valid number/);
// 'WebAssembly.Table.prototype.grow' data property
let tblGrowDesc = Object.getOwnPropertyDescriptor(tableProto, 'grow');
......
......@@ -179,14 +179,19 @@ function assertTableIsValid(table, length) {
assertSame(undefined, table[i]);
}
for (let key of [0.4, "", NaN, {}, [], () => {}]) {
for (let key of [0.4, "", []]) {
assertSame(undefined, table.set(0, null));
assertSame(undefined, table.set(key, f));
assertSame(f, table.get(0));
assertSame(undefined, table[key]);
}
for (let key of [NaN, {}, () => {}]) {
assertSame(undefined, table[key]);
assertThrows(() => table.set(key, f), TypeError);
}
for (let key of [-1, table.length, table.length * 10]) {
assertThrows(() => table.set(-1, f), TypeError);
for (let key of [table.length, table.length * 10]) {
assertThrows(() => table.set(key, f), RangeError);
}
......
......@@ -6,7 +6,6 @@
[ALWAYS, {
# https://bugs.chromium.org/p/v8/issues/detail?id=8319
'memory/grow': [FAIL],
'table/get-set': [FAIL],
'module/customSections': [FAIL],
}], # ALWAYS
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment