Commit 54818a63 authored by Michael Starzinger, committed by Commit Bot

[asm.js] Fix failure propagation of heap access validation.

This fixes propagation of validation failures that happen during the
validation of a heap access expression in {ValidateHeapAccess}.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-714971
BUG=chromium:714971

Change-Id: I8f91ac1da34ae50fdde2938f61b6468cdac92b6e
Reviewed-on: https://chromium-review.googlesource.com/486801
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44851}
parent c326e73d
...@@ -1425,7 +1425,8 @@ AsmType* AsmJsParser::CallExpression() { ...@@ -1425,7 +1425,8 @@ AsmType* AsmJsParser::CallExpression() {
// 6.8.5 MemberExpression // 6.8.5 MemberExpression
AsmType* AsmJsParser::MemberExpression() { AsmType* AsmJsParser::MemberExpression() {
call_coercion_ = nullptr; call_coercion_ = nullptr;
ValidateHeapAccess(); RECURSEn(ValidateHeapAccess());
DCHECK_NOT_NULL(heap_access_type_);
if (Peek('=')) { if (Peek('=')) {
inside_heap_assignment_ = true; inside_heap_assignment_ = true;
return heap_access_type_->StoreType(); return heap_access_type_->StoreType();
...@@ -1452,6 +1453,7 @@ AsmType* AsmJsParser::AssignmentExpression() { ...@@ -1452,6 +1453,7 @@ AsmType* AsmJsParser::AssignmentExpression() {
FAILn("Invalid assignment target"); FAILn("Invalid assignment target");
} }
inside_heap_assignment_ = false; inside_heap_assignment_ = false;
DCHECK_NOT_NULL(heap_access_type_);
AsmType* heap_type = heap_access_type_; AsmType* heap_type = heap_access_type_;
EXPECT_TOKENn('='); EXPECT_TOKENn('=');
AsmType* value; AsmType* value;
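Review bot: The two added `DCHECK_NOT_NULL(heap_access_type_)` checks compile out of release builds, and because `heap_access_type_` is parser member state they may also be satisfied by a value left over from an earlier heap access rather than the one just validated. If ValidateHeapAccess does not already clear the field on entry (its body is not visible here), adding `heap_access_type_ = nullptr;` before `RECURSEn(ValidateHeapAccess());` in MemberExpression would make the assertion test this call specifically. A short comment above the DCHECK, such as `// Set by ValidateHeapAccess on success; RECURSEn bails out on failure.`, would record why the dereference in `heap_access_type_->StoreType()` is safe. Both function bodies continue outside the hunks shown.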
......
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function Module(stdlib, foreign, heap) {
"use asm";
var a = new stdlib.Int16Array(heap);
function f() {
return a[23 >> -1];
}
return { f:f };
}
var b = new ArrayBuffer(1024);
var m = Module(this, {}, b);
new Int16Array(b)[0] = 42;
assertEquals(42, m.f());
assertFalse(%IsAsmWasmCode(Module));
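Review bot: The regression test only exercises the load path (`return a[23 >> -1];`), while the commit also adds an assertion on the store path in AssignmentExpression. A second module whose function body is `a[23 >> -1] = 0;`, followed by its own `assertFalse(%IsAsmWasmCode(...))`, would confirm that a failed heap-access validation on an assignment target also falls back to ordinary JavaScript instead of being compiled as asm.js. A one-line comment above `assertFalse(%IsAsmWasmCode(Module));` stating that the invalid shift amount must cause validation to fail would make the intent of the final assertion clear to later readers.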