[wasm] Do a proper HasProperty() check in the memory and table setup.

The WebAssembly spec requires a HasProperty() check for the maximum property of the descriptor object which is used to set up a WebAssembly.Memory object or a WebAssembly.Table object. The original implementation only approximated the HasProperty() check. It used Get() to get the value of the maximum property of the descriptor object and compared the resulting value to {undefined}. However, this approximation is incorrect if the property exists but its value is {undefined}. R=titzer@chromium.org, franzih@chromium.org BUG=chromium:649461 TEST=mjsunit/wasm/memory Review-Url: https://codereview.chromium.org/2367673003 Cr-Commit-Position: refs/heads/master@{#39722}

[wasm] Do a proper HasProperty() check in the memory and table setup.
The WebAssembly spec requires a HasProperty() check for the maximum property of the descriptor object which is used to set up a WebAssembly.Memory object or a WebAssembly.Table object. The original implementation only approximated the HasProperty() check. It used Get() to get the value of the maximum property of the descriptor object and compared the resulting value to {undefined}. However, this approximation is incorrect if the property exists but its value is {undefined}. R=titzer@chromium.org, franzih@chromium.org BUG=chromium:649461 TEST=mjsunit/wasm/memory Review-Url: https://codereview.chromium.org/2367673003 Cr-Commit-Position: refs/heads/master@{#39722}
7bffaaac · ahaas · Commit bot · 248b7a08 · 7bffaaac · 7bffaaac
Commit 7bffaaac authored Sep 26, 2016 by ahaas Committed by Commit bot Sep 26, 2016
Show whitespace changes
Inline Side-by-side

Showing with 129 additions and 48 deletions

wasm-js.cc src/wasm/wasm-js.cc +29 -31

memory.js test/mjsunit/wasm/memory.js +50 -8

table.js test/mjsunit/wasm/table.js +50 -9

No files found.
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -312,7 +312,7 @@ bool GetIntegerProperty(v8::Isolate* isolate, ErrorThrower* thrower,
                        int upper_bound) {
  v8::MaybeLocal<v8::Value> maybe = object->Get(context, property);
  v8::Local<v8::Value> value;
-  if (maybe.ToLocal(&value) && !value->IsUndefined()) {
+  if (maybe.ToLocal(&value)) {
    int64_t number;
    if (!value->IntegerValue(context).To(&number)) return false;
    if (number < static_cast<int64_t>(lower_bound)) {
@@ -321,19 +321,13 @@ bool GetIntegerProperty(v8::Isolate* isolate, ErrorThrower* thrower,
                          number, lower_bound);
      return false;
    }
-    if (number > static_cast<int64_t>(std::numeric_limits<int>::max())) {
+    if (number > static_cast<int64_t>(upper_bound)) {
-      thrower->RangeError("Property value %" PRId64 " is out of integer range",
-                          number);
-      return false;
-    }
-    int num = static_cast<int>(number);
-    if (num > upper_bound) {
      thrower->RangeError("Property value %" PRId64
                          " is above the upper bound %d",
                          number, upper_bound);
      return false;
    }
-    *result = num;
+    *result = static_cast<int>(number);
    return true;
  }
  return false;
@@ -375,16 +369,17 @@ void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {
  }
  // The descriptor's 'maximum'.
  int maximum;
-  bool has_maximum = true;
+  Local<String> maximum_key = v8_str(isolate, "maximum");
-  if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
+  Maybe<bool> has_maximum = descriptor->Has(context, maximum_key);
-                          v8_str(isolate, "maximum"), &maximum, initial,
-                          max_table_size)) {
+  if (has_maximum.IsNothing()) {
-    if (reinterpret_cast<i::Isolate*>(isolate)->has_pending_exception() ||
+    // There has been an exception, just return.
-        thrower.error()) {
+    return;
+  }
+  if (has_maximum.FromJust()) {
+    if (!GetIntegerProperty(isolate, &thrower, context, descriptor, maximum_key,
+                            &maximum, initial, max_table_size)) {
      return;
-    } else {
-      // There was no error, the property just does not exist.
-      has_maximum = false;
    }
  }
@@ -399,7 +394,7 @@ void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {
  for (int i = 0; i < initial; ++i) fixed_array->set(i, null);
  table_obj->SetInternalField(0, *fixed_array);
  table_obj->SetInternalField(
-      1, has_maximum
+      1, has_maximum.FromJust()
             ? static_cast<i::Object*>(i::Smi::FromInt(maximum))
             : static_cast<i::Object*>(i_isolate->heap()->undefined_value()));
  i::Handle<i::Symbol> table_sym(i_isolate->native_context()->wasm_table_sym());
@@ -420,20 +415,23 @@ void WebAssemblyMemory(const v8::FunctionCallbackInfo<v8::Value>& args) {
  Local<v8::Object> descriptor = args[0]->ToObject(context).ToLocalChecked();
  // The descriptor's 'initial'.
  int initial;
-  GetIntegerProperty(isolate, &thrower, context, descriptor,
+  if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
-                     v8_str(isolate, "initial"), &initial, 0, 65536);
+                          v8_str(isolate, "initial"), &initial, 0, 65536)) {
+    return;
+  }
  // The descriptor's 'maximum'.
  int maximum;
-  bool has_maximum = true;
+  Local<String> maximum_key = v8_str(isolate, "maximum");
-  if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
+  Maybe<bool> has_maximum = descriptor->Has(context, maximum_key);
-                          v8_str(isolate, "maximum"), &maximum, initial,
-                          65536)) {
+  if (has_maximum.IsNothing()) {
-    if (reinterpret_cast<i::Isolate*>(isolate)->has_pending_exception() ||
+    // There has been an exception, just return.
-        thrower.error()) {
+    return;
+  }
+  if (has_maximum.FromJust()) {
+    if (!GetIntegerProperty(isolate, &thrower, context, descriptor, maximum_key,
+                            &maximum, initial, 65536)) {
      return;
-    } else {
-      // There was no error, the property just does not exist.
-      has_maximum = false;
    }
  }
  i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
@@ -448,7 +446,7 @@ void WebAssemblyMemory(const v8::FunctionCallbackInfo<v8::Value>& args) {
  i::JSArrayBuffer::SetupAllocatingData(buffer, i_isolate, size);
  memory_obj->SetInternalField(0, *buffer);
  memory_obj->SetInternalField(
-      1, has_maximum
+      1, has_maximum.FromJust()
             ? static_cast<i::Object*>(i::Smi::FromInt(maximum))
             : static_cast<i::Object*>(i_isolate->heap()->undefined_value()));
  i::Handle<i::Symbol> memory_sym(

--- a/test/mjsunit/wasm/memory.js
+++ b/test/mjsunit/wasm/memory.js
@@ -8,6 +8,13 @@
 var outOfUint32RangeValue = 1e12;
+function assertMemoryIsValid(memory) {
+  assertSame(WebAssembly.Memory.prototype, memory.__proto__);
+  assertSame(WebAssembly.Memory, memory.constructor);
+  assertTrue(memory instanceof Object);
+  assertTrue(memory instanceof WebAssembly.Memory);
+}
 (function TestConstructor() {
  assertTrue(WebAssembly.Memory instanceof Function);
  assertSame(WebAssembly.Memory, WebAssembly.Memory.prototype.constructor);
@@ -28,18 +35,53 @@ var outOfUint32RangeValue = 1e12;
  assertThrows(() => new WebAssembly.Memory({initial: 10, maximum: 9}), RangeError);
  let memory = new WebAssembly.Memory({initial: 1});
-  assertSame(WebAssembly.Memory.prototype, memory.__proto__);
+  assertMemoryIsValid(memory);
-  assertSame(WebAssembly.Memory, memory.constructor);
-  assertTrue(memory instanceof Object);
-  assertTrue(memory instanceof WebAssembly.Memory);
 })();
 (function TestConstructorWithMaximum() {
  let memory = new WebAssembly.Memory({initial: 1, maximum: 10});
-  assertSame(WebAssembly.Memory.prototype, memory.__proto__);
+  assertMemoryIsValid(memory);
-  assertSame(WebAssembly.Memory, memory.constructor);
+})();
-  assertTrue(memory instanceof Object);
-  assertTrue(memory instanceof WebAssembly.Memory);
+(function TestInitialIsUndefined() {
+  // New memory with initial = undefined, which means initial = 0.
+  let memory = new WebAssembly.Memory({initial: undefined});
+  assertMemoryIsValid(memory);
+})();
+(function TestMaximumIsUndefined() {
+  // New memory with maximum = undefined, which means maximum = 0.
+  let memory = new WebAssembly.Memory({initial: 0, maximum: undefined});
+  assertMemoryIsValid(memory);
+})();
+(function TestMaximumIsReadOnce() {
+  var a = true;
+  var desc = {initial: 10};
+  Object.defineProperty(desc, 'maximum', {get: function() {
+    if (a) {
+      a = false;
+      return 16;
+    }
+    else {
+      // Change the return value on the second call so it throws.
+      return -1;
+    }
+  }});
+  let memory = new WebAssembly.Memory(desc);
+  assertMemoryIsValid(memory);
+})();
+(function TestMaximumDoesHasProperty() {
+  var hasPropertyWasCalled = false;
+  var desc = {initial: 10};
+  var proxy = new Proxy({maximum: 16}, {
+    has: function(target, name) { hasPropertyWasCalled = true; }
+  });
+  Object.setPrototypeOf(desc, proxy);
+  let memory = new WebAssembly.Memory(desc);
+  assertMemoryIsValid(memory);
+  assertTrue(hasPropertyWasCalled);
 })();
 (function TestBuffer() {

--- a/test/mjsunit/wasm/table.js
+++ b/test/mjsunit/wasm/table.js
@@ -9,6 +9,13 @@
 var outOfUint32RangeValue = 1e12;
 var int32ButOob = 1073741824;
+function assertTableIsValid(table) {
+  assertSame(WebAssembly.Table.prototype, table.__proto__);
+  assertSame(WebAssembly.Table, table.constructor);
+  assertTrue(table instanceof Object);
+  assertTrue(table instanceof WebAssembly.Table);
+}
 (function TestConstructor() {
  assertTrue(WebAssembly.Table instanceof Function);
  assertSame(WebAssembly.Table, WebAssembly.Table.prototype.constructor);
@@ -39,16 +46,50 @@ var int32ButOob = 1073741824;
  assertThrows(() => new WebAssembly.Table({element: "anyfunc", initial: 0, maximum: int32ButOob}));
  let table = new WebAssembly.Table({element: "anyfunc", initial: 1});
-  assertSame(WebAssembly.Table.prototype, table.__proto__);
+  assertTableIsValid(table);
-  assertSame(WebAssembly.Table, table.constructor);
-  assertTrue(table instanceof Object);
-  assertTrue(table instanceof WebAssembly.Table);
 })();
 (function TestConstructorWithMaximum() {
-  let table = new WebAssembly.Table({element: "anyfunc", initial: 1, maximum: 10});
+  let table = new WebAssembly.Table({element: "anyfunc", maximum: 10});
-  assertSame(WebAssembly.Table.prototype, table.__proto__);
+  assertTableIsValid(table);
-  assertSame(WebAssembly.Table, table.constructor);
+})();
-  assertTrue(table instanceof Object);
-  assertTrue(table instanceof WebAssembly.Table);
+(function TestInitialIsUndefined() {
+  // New memory with initial = undefined, which means initial = 0.
+  let table = new WebAssembly.Table({element: "anyfunc", initial: undefined});
+  assertTableIsValid(table);
+})();
+(function TestMaximumIsUndefined() {
+  // New memory with maximum = undefined, which means maximum = 0.
+  let table = new WebAssembly.Table({element: "anyfunc", initial: 0, maximum: undefined});
+  assertTableIsValid(table);
+})();
+(function TestMaximumIsReadOnce() {
+  var a = true;
+  var desc = {element: "anyfunc", initial: 10};
+  Object.defineProperty(desc, 'maximum', {get: function() {
+    if (a) {
+      a = false;
+      return 16;
+    }
+    else {
+      // Change the return value on the second call so it throws.
+      return -1;
+    }
+  }});
+  let table = new WebAssembly.Table(desc);
+  assertTableIsValid(table);
+})();
+(function TestMaximumDoesHasProperty() {
+  var hasPropertyWasCalled = false;
+  var desc = {element: "anyfunc", initial: 10};
+  var proxy = new Proxy({maximum: 16}, {
+    has: function(target, name) { hasPropertyWasCalled = true; }
+  });
+  Object.setPrototypeOf(desc, proxy);
+  let table = new WebAssembly.Table(desc);
+  assertTableIsValid(table);
 })();