[wasm] Fix undefined behavior in WebAssembly.Table.grow.

R=clemensh@chromium.org TEST=mjsunit/regress/regress-crbug-772056 BUG=chromium:772056 Change-Id: I199262aa128ab395382520b1439ecc60ed141d4a Reviewed-on: https://chromium-review.googlesource.com/704582Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48341}

[wasm] Fix undefined behavior in WebAssembly.Table.grow.
R=clemensh@chromium.org TEST=mjsunit/regress/regress-crbug-772056 BUG=chromium:772056 Change-Id: I199262aa128ab395382520b1439ecc60ed141d4a Reviewed-on: https://chromium-review.googlesource.com/704582Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48341}
158dbb8b · Michael Starzinger · Commit Bot · a410a48f · 158dbb8b · 158dbb8b
Commit 158dbb8b authored Oct 06, 2017 by Michael Starzinger Committed by Commit Bot Oct 06, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 7 deletions

wasm-js.cc src/wasm/wasm-js.cc +6 -7

regress-crbug-772056.js test/mjsunit/regress/regress-crbug-772056.js +17 -0

No files found.
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -665,26 +665,25 @@ void WebAssemblyTableGrow(const v8::FunctionCallbackInfo<v8::Value>& args) {
  Local<Context> context = isolate->GetCurrentContext();
  EXTRACT_THIS(receiver, WasmTableObject);

-  int64_t new_size64 = 0;
-  if (args.Length() > 0 && !args[0]->IntegerValue(context).To(&new_size64)) {
+  int64_t grow_by = 0;
+  if (args.Length() > 0 && !args[0]->IntegerValue(context).To(&grow_by)) {
    return;
  }
  i::Handle<i::FixedArray> old_array(receiver->functions(), i_isolate);
  int old_size = old_array->length();
-  new_size64 += old_size;

  int64_t max_size64 = receiver->maximum_length()->Number();
  if (max_size64 < 0 || max_size64 > i::FLAG_wasm_max_table_size) {
    max_size64 = i::FLAG_wasm_max_table_size;
  }

-  if (new_size64 < old_size || new_size64 > max_size64) {
-    thrower.RangeError(new_size64 < old_size ? "trying to shrink table"
-                                             : "maximum table size exceeded");
+  if (grow_by < 0 || grow_by > max_size64 - old_size) {
+    thrower.RangeError(grow_by < 0 ? "trying to shrink table"
+                                   : "maximum table size exceeded");
    return;
  }

-  int new_size = static_cast<int>(new_size64);
+  int new_size = static_cast<int>(old_size + grow_by);
  receiver->Grow(i_isolate, static_cast<uint32_t>(new_size - old_size));

  if (new_size != old_size) {

--- a/test/mjsunit/regress/regress-crbug-772056.js
+++ b/test/mjsunit/regress/regress-crbug-772056.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+var builder = new WasmModuleBuilder();
+builder.addImportedTable("x", "table", 1, 10000000);
+let module = new WebAssembly.Module(builder.toBuffer());
+let table = new WebAssembly.Table({element: "anyfunc",
+  initial: 1, maximum:1000000});
+let instance = new WebAssembly.Instance(module, {x: {table:table}});
+
+assertThrows(() => table.grow(Infinity), RangeError);