[asm] Disallow duplicate parameter names

According to the spec, the three parameters (stdlib, foreign, and heap) must be mutually distinct. We did not check this yet, which led to observable differences between asm validation and standard JavaScript semantics. R=thibaudm@chromium.org Bug: chromium:1068355 Change-Id: I451f63d10ea50474aeb6e8a547918b5af769343b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3244408 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#77554}

[asm] Disallow duplicate parameter names
According to the spec, the three parameters (stdlib, foreign, and heap) must be mutually distinct. We did not check this yet, which led to observable differences between asm validation and standard JavaScript semantics. R=thibaudm@chromium.org Bug: chromium:1068355 Change-Id: I451f63d10ea50474aeb6e8a547918b5af769343b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3244408 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#77554}
4ea30516 · Clemens Backes · V8 LUCI CQ · bf327cb4 · 4ea30516 · 4ea30516
Commit 4ea30516 authored Oct 26, 2021 by Clemens Backes Committed by V8 LUCI CQ Oct 26, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 0 deletions

asm-parser.cc src/asmjs/asm-parser.cc +6 -0

asm-validation.js test/mjsunit/asm/asm-validation.js +36 -0

No files found.
--- a/src/asmjs/asm-parser.cc
+++ b/src/asmjs/asm-parser.cc
@@ -398,12 +398,18 @@ void AsmJsParser::ValidateModuleParameters() {
        FAIL("Expected foreign parameter");
      }
      foreign_name_ = Consume();
+      if (stdlib_name_ == foreign_name_) {
+        FAIL("Duplicate parameter name");
+      }
      if (!Peek(')')) {
        EXPECT_TOKEN(',');
        if (!scanner_.IsGlobal()) {
          FAIL("Expected heap parameter");
        }
        heap_name_ = Consume();
+        if (heap_name_ == stdlib_name_ || heap_name_ == foreign_name_) {
+          FAIL("Duplicate parameter name");
+        }
      }
    }
  }

--- a/test/mjsunit/asm/asm-validation.js
+++ b/test/mjsunit/asm/asm-validation.js
@@ -497,3 +497,39 @@ function assertValidAsm(func) {
  var props = Object.getOwnPropertyNames(m);
  assertEquals(["a","b","x","c","d"], props);
 })();
+
+(function TestDuplicateParameterName() {
+  function module1(x, x, heap) {
+    'use asm';
+    return {};
+  }
+  module1({}, {}, new ArrayBuffer(4096));
+  assertFalse(%IsAsmWasmCode(module1));
+
+  function module2(x, ffi, x) {
+    'use asm';
+    return {};
+  }
+  module2({}, {}, new ArrayBuffer(4096));
+  assertFalse(%IsAsmWasmCode(module2));
+
+  function module3(stdlib, x, x) {
+    'use asm';
+    return {};
+  }
+  module3({}, {}, new ArrayBuffer(4096));
+  assertFalse(%IsAsmWasmCode(module3));
+
+  // Regression test for https://crbug.com/1068355.
+  function regress1068355(ffi, ffi, heap) {
+    'use asm';
+    var result = new ffi.Uint8Array(heap);
+    function bar() {}
+    return {f: bar};
+  }
+  let heap = new ArrayBuffer(4096);
+  assertThrows(
+      () => regress1068355({Uint8Array: Uint8Array}, {}, heap), TypeError,
+      /Uint8Array is not a constructor/);
+  assertFalse(%IsAsmWasmCode(regress1068355));
+})();