[wasm] Fix index range checking in table accessors

R=titzer@chromium.org Bug: Change-Id: Ib1a13b5131ec1b5a155c893de3c5ceb376bd33a3 Reviewed-on: https://chromium-review.googlesource.com/600227 Commit-Queue: Andreas Rossberg <rossberg@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#47139}

[wasm] Fix index range checking in table accessors
R=titzer@chromium.org Bug: Change-Id: Ib1a13b5131ec1b5a155c893de3c5ceb376bd33a3 Reviewed-on: https://chromium-review.googlesource.com/600227 Commit-Queue: Andreas Rossberg <rossberg@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#47139}
56147476 · Andreas Rossberg · Commit Bot · 292cc336 · 56147476 · 56147476
Commit 56147476 authored Aug 03, 2017 by Andreas Rossberg Committed by Commit Bot Aug 03, 2017
5 changed files
--- a/src/conversions-inl.h
+++ b/src/conversions-inl.h
@@ -179,7 +179,15 @@ uint32_t PositiveNumberToUint32(Object* number) {

 int64_t NumberToInt64(Object* number) {
  if (number->IsSmi()) return Smi::ToInt(number);
-  return static_cast<int64_t>(number->Number());
+  double d = number->Number();
+  if (std::isnan(d)) return 0;
+  if (d >= static_cast<double>(std::numeric_limits<int64_t>::max())) {
+    return std::numeric_limits<int64_t>::max();
+  }
+  if (d <= static_cast<double>(std::numeric_limits<int64_t>::min())) {
+    return std::numeric_limits<int64_t>::min();
+  }
+  return static_cast<int64_t>(d);
 }

 bool TryNumberToSize(Object* number, size_t* result) {

--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -674,15 +674,15 @@ void WebAssemblyTableGet(const v8::FunctionCallbackInfo<v8::Value>& args) {
  Local<Context> context = isolate->GetCurrentContext();
  EXTRACT_THIS(receiver, WasmTableObject);
  i::Handle<i::FixedArray> array(receiver->functions(), i_isolate);
-  int i = 0;
-  if (args.Length() > 0 && !args[0]->Int32Value(context).To(&i)) return;
+  int64_t i = 0;
+  if (args.Length() > 0 && !args[0]->IntegerValue(context).To(&i)) return;
  v8::ReturnValue<v8::Value> return_value = args.GetReturnValue();
  if (i < 0 || i >= array->length()) {
    thrower.RangeError("index out of bounds");
    return;
  }

-  i::Handle<i::Object> value(array->get(i), i_isolate);
+  i::Handle<i::Object> value(array->get(static_cast<int>(i)), i_isolate);
  return_value.Set(Utils::ToLocal(value));
 }

@@ -701,8 +701,8 @@ void WebAssemblyTableSet(const v8::FunctionCallbackInfo<v8::Value>& args) {
  }

  // Parameter 0.
-  int32_t index;
-  if (!args[0]->Int32Value(context).To(&index)) return;
+  int64_t index;
+  if (!args[0]->IntegerValue(context).To(&index)) return;

  // Parameter 1.
  i::Handle<i::Object> value = Utils::OpenHandle(*args[1]);

--- a/src/wasm/wasm-module.cc
+++ b/src/wasm/wasm-module.cc
@@ -404,7 +404,7 @@ void wasm::UpdateDispatchTables(Isolate* isolate,


 void wasm::TableSet(ErrorThrower* thrower, Isolate* isolate,
-                    Handle<WasmTableObject> table, int32_t index,
+                    Handle<WasmTableObject> table, int64_t index,
                    Handle<JSFunction> function) {
  Handle<FixedArray> array(table->functions(), isolate);

@@ -412,6 +412,7 @@ void wasm::TableSet(ErrorThrower* thrower, Isolate* isolate,
    thrower->RangeError("index out of bounds");
    return;
  }
+  int index32 = static_cast<int>(index);

  Handle<FixedArray> dispatch_tables(table->dispatch_tables(), isolate);

@@ -425,8 +426,8 @@ void wasm::TableSet(ErrorThrower* thrower, Isolate* isolate,
    value = Handle<Object>::cast(function);
  }

-  UpdateDispatchTables(isolate, dispatch_tables, index, wasm_function, code);
-  array->set(index, *value);
+  UpdateDispatchTables(isolate, dispatch_tables, index32, wasm_function, code);
+  array->set(index32, *value);
 }

 Handle<Script> wasm::GetScript(Handle<JSObject> instance) {

--- a/src/wasm/wasm-module.h
+++ b/src/wasm/wasm-module.h
@@ -461,7 +461,7 @@ WasmFunction* GetWasmFunctionForImportWrapper(Isolate* isolate,
 Handle<Code> UnwrapImportWrapper(Handle<Object> import_wrapper);

 void TableSet(ErrorThrower* thrower, Isolate* isolate,
-              Handle<WasmTableObject> table, int32_t index,
+              Handle<WasmTableObject> table, int64_t index,
              Handle<JSFunction> function);

 void UpdateDispatchTables(Isolate* isolate, Handle<FixedArray> dispatch_tables,

--- a/test/mjsunit/wasm/jsapi-harness.js
+++ b/test/mjsunit/wasm/jsapi-harness.js
@@ -8,10 +8,6 @@
 // Flags: --expose-wasm --allow-natives-syntax

 const known_failures = {
-  "'WebAssembly.Table.prototype.get' method":
-    'https://bugs.chromium.org/p/v8/issues/detail?id=5507',
-  "'WebAssembly.Table.prototype.set' method":
-    'https://bugs.chromium.org/p/v8/issues/detail?id=5507',
  "'WebAssembly.Instance.prototype.exports' accessor property":
    'https://bugs.chromium.org/p/v8/issues/detail?id=5507',
 };