[wasm] Make experimentalConvertArrayToString fuzzer-proof

Non-well-behaved test cases may pass too few arguments. The builtins shouldn't attempt to inspect arguments that aren't there. Not bothering with a regression test because these experimental builtins are probably short-lived at this point anyway. Fixed: chromium:1366881 Change-Id: Ifee8929c6a97539eac7609c64082d66cd53cec89 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916633 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#83429}

[wasm] Make experimentalConvertArrayToString fuzzer-proof
Non-well-behaved test cases may pass too few arguments. The builtins shouldn't attempt to inspect arguments that aren't there. Not bothering with a regression test because these experimental builtins are probably short-lived at this point anyway. Fixed: chromium:1366881 Change-Id: Ifee8929c6a97539eac7609c64082d66cd53cec89 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3916633 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#83429}
1f89cb93 · Jakob Kummerow · V8 LUCI CQ · fcefb025 · 1f89cb93
Commit 1f89cb93 authored Sep 23, 2022 by Jakob Kummerow Committed by V8 LUCI CQ Sep 26, 2022
Show whitespace changes
Inline Side-by-side

Showing with 13 additions and 9 deletions

wasm.tq src/builtins/wasm.tq +13 -9

No files found.
--- a/src/builtins/wasm.tq
+++ b/src/builtins/wasm.tq
@@ -746,14 +746,17 @@ macro IsWord16WasmArrayMap(map: Map): bool {
 }

 // Non-standard experimental feature.
+// Arguments: array, start, count.
 transitioning javascript builtin ExperimentalWasmConvertArrayToString(
-    js-implicit context: NativeContext)(
-    array: JSAny, start: JSAny, count: JSAny): String {
+    js-implicit context: NativeContext)(...arguments): String {
  try {
-    const start = TryNumberToIntptr(start) otherwise goto InvalidArgument;
-    const count = TryNumberToIntptr(count) otherwise goto InvalidArgument;
+    if (arguments.length != 3) goto InvalidArgument;
+    const array = Cast<WasmArray>(arguments[0]) otherwise goto InvalidArgument;
+    const start = TryNumberToIntptr(arguments[1])
+        otherwise goto InvalidArgument;
+    const count = TryNumberToIntptr(arguments[2])
+        otherwise goto InvalidArgument;

-    const array = Cast<WasmArray>(array) otherwise goto InvalidArgument;
    if (!IsWord16WasmArrayMap(array.map)) goto InvalidArgument;
    const arrayContent = torque_internal::unsafe::NewConstSlice<char16>(
        array, kWasmArrayHeaderSize, Convert<intptr>(array.length));
@@ -768,16 +771,17 @@ transitioning javascript builtin ExperimentalWasmConvertArrayToString(
 }

 // Non-standard experimental feature.
+// Arguments: string, sampleArray.
 transitioning javascript builtin ExperimentalWasmConvertStringToArray(
-    js-implicit context: NativeContext)(
-    string: JSAny, sampleArray: JSAny): WasmArray {
+    js-implicit context: NativeContext)(...arguments): WasmArray {
  try {
+    if (arguments.length != 2) goto InvalidArgument;
+    const string = Cast<String>(arguments[0]) otherwise goto InvalidArgument;
    const sampleArray =
-        Cast<WasmArray>(sampleArray) otherwise goto InvalidArgument;
+        Cast<WasmArray>(arguments[1]) otherwise goto InvalidArgument;
    const arrayMap = sampleArray.map;
    if (!IsWord16WasmArrayMap(arrayMap)) goto InvalidArgument;

-    const string = Cast<String>(string) otherwise goto InvalidArgument;
    const length = string.length;

    const result =