Commit 66031274 authored by Jakob Kummerow's avatar Jakob Kummerow Committed by Commit Bot

[wasm-gc] Reject WasmGC <-> JavaScript interaction

We used to expose raw WasmGC objects via the JS interface and made
use of that in our cctests. Since those objects would cause crashes
when used in JavaScript, this patch prevents such interactions, and
migrates the tests to use the C-Wasm interface instead.

Bug: v8:7748
Change-Id: I76a10663cda43c940c8c22c57c14922be9b05134
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2284497
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: 's avatarClemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68725}
parent 1043f49d
...@@ -5389,8 +5389,8 @@ Node* WasmGraphBuilder::RttSub(wasm::HeapType type, Node* parent_rtt) { ...@@ -5389,8 +5389,8 @@ Node* WasmGraphBuilder::RttSub(wasm::HeapType type, Node* parent_rtt) {
} }
Node* WasmGraphBuilder::RefTest(Node* object, Node* rtt) { Node* WasmGraphBuilder::RefTest(Node* object, Node* rtt) {
Node* map = Node* map = gasm_->Load(MachineType::TaggedPointer(), object,
gasm_->Load(MachineType::TaggedPointer(), object, HeapObject::kMapOffset); HeapObject::kMapOffset - kHeapObjectTag);
// TODO(7748): Add a fast path for map == rtt. // TODO(7748): Add a fast path for map == rtt.
return BuildChangeSmiToInt32(CALL_BUILTIN( return BuildChangeSmiToInt32(CALL_BUILTIN(
WasmIsRttSubtype, map, rtt, WasmIsRttSubtype, map, rtt,
...@@ -5399,12 +5399,12 @@ Node* WasmGraphBuilder::RefTest(Node* object, Node* rtt) { ...@@ -5399,12 +5399,12 @@ Node* WasmGraphBuilder::RefTest(Node* object, Node* rtt) {
Node* WasmGraphBuilder::RefCast(Node* object, Node* rtt, Node* WasmGraphBuilder::RefCast(Node* object, Node* rtt,
wasm::WasmCodePosition position) { wasm::WasmCodePosition position) {
Node* map = Node* map = gasm_->Load(MachineType::TaggedPointer(), object,
gasm_->Load(MachineType::TaggedPointer(), object, HeapObject::kMapOffset); HeapObject::kMapOffset - kHeapObjectTag);
// TODO(7748): Add a fast path for map == rtt. // TODO(7748): Add a fast path for map == rtt.
Node* check_result = CALL_BUILTIN( Node* check_result = BuildChangeSmiToInt32(CALL_BUILTIN(
WasmIsRttSubtype, map, rtt, WasmIsRttSubtype, map, rtt,
LOAD_INSTANCE_FIELD(NativeContext, MachineType::TaggedPointer())); LOAD_INSTANCE_FIELD(NativeContext, MachineType::TaggedPointer())));
TrapIfFalse(wasm::kTrapIllegalCast, check_result, position); TrapIfFalse(wasm::kTrapIllegalCast, check_result, position);
return object; return object;
} }
...@@ -5746,15 +5746,22 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder { ...@@ -5746,15 +5746,22 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
case wasm::ValueType::kF64: case wasm::ValueType::kF64:
return BuildChangeFloat64ToNumber(node); return BuildChangeFloat64ToNumber(node);
case wasm::ValueType::kRef: case wasm::ValueType::kRef:
case wasm::ValueType::kOptRef: case wasm::ValueType::kOptRef: {
uint32_t representation = type.heap_representation();
if (representation == wasm::HeapType::kExtern ||
representation == wasm::HeapType::kExn ||
representation == wasm::HeapType::kFunc) {
return node;
}
// TODO(7748): Figure out a JS interop story for arrays and structs.
// If this is reached, then IsJSCompatibleSignature() is too permissive.
UNREACHABLE();
}
case wasm::ValueType::kRtt: case wasm::ValueType::kRtt:
// TODO(7748): Implement properly for arrays and structs, figure // TODO(7748): Figure out what to do for RTTs.
// out what to do for RTTs. UNIMPLEMENTED();
// For now, we just expose the raw object for testing.
return node;
case wasm::ValueType::kI8: case wasm::ValueType::kI8:
case wasm::ValueType::kI16: case wasm::ValueType::kI16:
UNIMPLEMENTED();
case wasm::ValueType::kStmt: case wasm::ValueType::kStmt:
case wasm::ValueType::kBottom: case wasm::ValueType::kBottom:
UNREACHABLE(); UNREACHABLE();
...@@ -5831,6 +5838,8 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder { ...@@ -5831,6 +5838,8 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
return input; return input;
} }
default: default:
// If this is reached, then IsJSCompatibleSignature() is too
// permissive.
UNREACHABLE(); UNREACHABLE();
} }
} }
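Review bot: The extern/exn/func allow-list in the new kRef/kOptRef case duplicates the one added to IsJSCompatibleSignature() in the second file of this commit, and the two must be kept in sync by hand: because UNREACHABLE() here is a hard abort at wrapper-compile time, any JS-facing path that builds a wrapper without first running the signature through IsJSCompatibleSignature() turns an unsupported struct/array reference into a crash rather than a rejection. A single predicate on the heap representation, called from both sites, would make that coupling explicit; short of that, the comment above the UNREACHABLE() should state the contract, e.g. `// Invariant: every caller that builds a JS wrapper has already passed the signature through IsJSCompatibleSignature(); keep its allow-list and this one identical.` The enclosing conversion function (ToJS, judging by the kF64 case) starts and ends outside the hunk, and the same remark applies to the `default: UNREACHABLE()` in the FromJS hunk below it.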
...@@ -38,6 +38,18 @@ bool IsJSCompatibleSignature(const FunctionSig* sig, ...@@ -38,6 +38,18 @@ bool IsJSCompatibleSignature(const FunctionSig* sig,
} }
if (type == kWasmS128) return false; if (type == kWasmS128) return false;
if (type.kind() == wasm::ValueType::kRef ||
type.kind() == wasm::ValueType::kOptRef) {
uint32_t representation = type.heap_representation();
// TODO(7748): Once there's a story for JS interop for struct/array types,
// allow them here.
if (!(representation == HeapType::kExtern ||
representation == HeapType::kExn ||
representation == HeapType::kFunc)) {
return false;
}
}
} }
return true; return true;
} }
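Review bot: The new filter at the top of the hunk only rejects kRef/kOptRef types outside the extern/exn/func set, so a signature carrying an rtt value (and i8/i16, should the decoder ever admit them in a signature) still passes and reaches the `UNIMPLEMENTED()` this commit adds for kRtt in the wrapper builder — a fatal abort at wrapper-compile time instead of the clean rejection the commit intends for WasmGC types. Whether rtt-typed parameters or results can actually be decoded into a function signature is not visible here, but the guard is cheap and keeps the two sites consistent: `if (type.kind() == wasm::ValueType::kRtt) return false;` placed before the kRef/kOptRef block. The loop and function enclosing this check start outside the hunk.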