Commit 7bffaaac authored by ahaas's avatar ahaas Committed by Commit bot

[wasm] Do a proper HasProperty() check in the memory and table setup.

The WebAssembly spec requires a HasProperty() check for the maximum
property of the descriptor object which is used to set up a
WebAssembly.Memory object or a WebAssembly.Table object.

The original implementation only approximated the HasProperty() check.
It used Get() to get the value of the maximum property of the descriptor
object and compared the resulting value to {undefined}. However, this
approximation is incorrect if the property exists but its value is
{undefined}.

R=titzer@chromium.org, franzih@chromium.org
BUG=chromium:649461
TEST=mjsunit/wasm/memory

Review-Url: https://codereview.chromium.org/2367673003
Cr-Commit-Position: refs/heads/master@{#39722}
parent 248b7a08
......@@ -312,7 +312,7 @@ bool GetIntegerProperty(v8::Isolate* isolate, ErrorThrower* thrower,
int upper_bound) {
v8::MaybeLocal<v8::Value> maybe = object->Get(context, property);
v8::Local<v8::Value> value;
if (maybe.ToLocal(&value) && !value->IsUndefined()) {
if (maybe.ToLocal(&value)) {
int64_t number;
if (!value->IntegerValue(context).To(&number)) return false;
if (number < static_cast<int64_t>(lower_bound)) {
......@@ -321,19 +321,13 @@ bool GetIntegerProperty(v8::Isolate* isolate, ErrorThrower* thrower,
number, lower_bound);
return false;
}
if (number > static_cast<int64_t>(std::numeric_limits<int>::max())) {
thrower->RangeError("Property value %" PRId64 " is out of integer range",
number);
return false;
}
int num = static_cast<int>(number);
if (num > upper_bound) {
if (number > static_cast<int64_t>(upper_bound)) {
thrower->RangeError("Property value %" PRId64
" is above the upper bound %d",
number, upper_bound);
return false;
}
*result = num;
*result = static_cast<int>(number);
return true;
}
return false;
......@@ -375,16 +369,17 @@ void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {
}
// The descriptor's 'maximum'.
int maximum;
bool has_maximum = true;
if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
v8_str(isolate, "maximum"), &maximum, initial,
max_table_size)) {
if (reinterpret_cast<i::Isolate*>(isolate)->has_pending_exception() ||
thrower.error()) {
Local<String> maximum_key = v8_str(isolate, "maximum");
Maybe<bool> has_maximum = descriptor->Has(context, maximum_key);
if (has_maximum.IsNothing()) {
// There has been an exception, just return.
return;
}
if (has_maximum.FromJust()) {
if (!GetIntegerProperty(isolate, &thrower, context, descriptor, maximum_key,
&maximum, initial, max_table_size)) {
return;
} else {
// There was no error, the property just does not exist.
has_maximum = false;
}
}
......@@ -399,7 +394,7 @@ void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {
for (int i = 0; i < initial; ++i) fixed_array->set(i, null);
table_obj->SetInternalField(0, *fixed_array);
table_obj->SetInternalField(
1, has_maximum
1, has_maximum.FromJust()
? static_cast<i::Object*>(i::Smi::FromInt(maximum))
: static_cast<i::Object*>(i_isolate->heap()->undefined_value()));
i::Handle<i::Symbol> table_sym(i_isolate->native_context()->wasm_table_sym());
......@@ -420,20 +415,23 @@ void WebAssemblyMemory(const v8::FunctionCallbackInfo<v8::Value>& args) {
Local<v8::Object> descriptor = args[0]->ToObject(context).ToLocalChecked();
// The descriptor's 'initial'.
int initial;
GetIntegerProperty(isolate, &thrower, context, descriptor,
v8_str(isolate, "initial"), &initial, 0, 65536);
if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
v8_str(isolate, "initial"), &initial, 0, 65536)) {
return;
}
// The descriptor's 'maximum'.
int maximum;
bool has_maximum = true;
if (!GetIntegerProperty(isolate, &thrower, context, descriptor,
v8_str(isolate, "maximum"), &maximum, initial,
65536)) {
if (reinterpret_cast<i::Isolate*>(isolate)->has_pending_exception() ||
thrower.error()) {
Local<String> maximum_key = v8_str(isolate, "maximum");
Maybe<bool> has_maximum = descriptor->Has(context, maximum_key);
if (has_maximum.IsNothing()) {
// There has been an exception, just return.
return;
}
if (has_maximum.FromJust()) {
if (!GetIntegerProperty(isolate, &thrower, context, descriptor, maximum_key,
&maximum, initial, 65536)) {
return;
} else {
// There was no error, the property just does not exist.
has_maximum = false;
}
}
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
......@@ -448,7 +446,7 @@ void WebAssemblyMemory(const v8::FunctionCallbackInfo<v8::Value>& args) {
i::JSArrayBuffer::SetupAllocatingData(buffer, i_isolate, size);
memory_obj->SetInternalField(0, *buffer);
memory_obj->SetInternalField(
1, has_maximum
1, has_maximum.FromJust()
? static_cast<i::Object*>(i::Smi::FromInt(maximum))
: static_cast<i::Object*>(i_isolate->heap()->undefined_value()));
i::Handle<i::Symbol> memory_sym(
......
......@@ -8,6 +8,13 @@
var outOfUint32RangeValue = 1e12;
function assertMemoryIsValid(memory) {
assertSame(WebAssembly.Memory.prototype, memory.__proto__);
assertSame(WebAssembly.Memory, memory.constructor);
assertTrue(memory instanceof Object);
assertTrue(memory instanceof WebAssembly.Memory);
}
(function TestConstructor() {
assertTrue(WebAssembly.Memory instanceof Function);
assertSame(WebAssembly.Memory, WebAssembly.Memory.prototype.constructor);
......@@ -28,18 +35,53 @@ var outOfUint32RangeValue = 1e12;
assertThrows(() => new WebAssembly.Memory({initial: 10, maximum: 9}), RangeError);
let memory = new WebAssembly.Memory({initial: 1});
assertSame(WebAssembly.Memory.prototype, memory.__proto__);
assertSame(WebAssembly.Memory, memory.constructor);
assertTrue(memory instanceof Object);
assertTrue(memory instanceof WebAssembly.Memory);
assertMemoryIsValid(memory);
})();
(function TestConstructorWithMaximum() {
let memory = new WebAssembly.Memory({initial: 1, maximum: 10});
assertSame(WebAssembly.Memory.prototype, memory.__proto__);
assertSame(WebAssembly.Memory, memory.constructor);
assertTrue(memory instanceof Object);
assertTrue(memory instanceof WebAssembly.Memory);
assertMemoryIsValid(memory);
})();
(function TestInitialIsUndefined() {
// New memory with initial = undefined, which means initial = 0.
let memory = new WebAssembly.Memory({initial: undefined});
assertMemoryIsValid(memory);
})();
(function TestMaximumIsUndefined() {
// New memory with maximum = undefined, which means maximum = 0.
let memory = new WebAssembly.Memory({initial: 0, maximum: undefined});
assertMemoryIsValid(memory);
})();
(function TestMaximumIsReadOnce() {
var a = true;
var desc = {initial: 10};
Object.defineProperty(desc, 'maximum', {get: function() {
if (a) {
a = false;
return 16;
}
else {
// Change the return value on the second call so it throws.
return -1;
}
}});
let memory = new WebAssembly.Memory(desc);
assertMemoryIsValid(memory);
})();
(function TestMaximumDoesHasProperty() {
var hasPropertyWasCalled = false;
var desc = {initial: 10};
var proxy = new Proxy({maximum: 16}, {
has: function(target, name) { hasPropertyWasCalled = true; }
});
Object.setPrototypeOf(desc, proxy);
let memory = new WebAssembly.Memory(desc);
assertMemoryIsValid(memory);
assertTrue(hasPropertyWasCalled);
})();
(function TestBuffer() {
......
......@@ -9,6 +9,13 @@
var outOfUint32RangeValue = 1e12;
var int32ButOob = 1073741824;
function assertTableIsValid(table) {
assertSame(WebAssembly.Table.prototype, table.__proto__);
assertSame(WebAssembly.Table, table.constructor);
assertTrue(table instanceof Object);
assertTrue(table instanceof WebAssembly.Table);
}
(function TestConstructor() {
assertTrue(WebAssembly.Table instanceof Function);
assertSame(WebAssembly.Table, WebAssembly.Table.prototype.constructor);
......@@ -39,16 +46,50 @@ var int32ButOob = 1073741824;
assertThrows(() => new WebAssembly.Table({element: "anyfunc", initial: 0, maximum: int32ButOob}));
let table = new WebAssembly.Table({element: "anyfunc", initial: 1});
assertSame(WebAssembly.Table.prototype, table.__proto__);
assertSame(WebAssembly.Table, table.constructor);
assertTrue(table instanceof Object);
assertTrue(table instanceof WebAssembly.Table);
assertTableIsValid(table);
})();
(function TestConstructorWithMaximum() {
let table = new WebAssembly.Table({element: "anyfunc", initial: 1, maximum: 10});
assertSame(WebAssembly.Table.prototype, table.__proto__);
assertSame(WebAssembly.Table, table.constructor);
assertTrue(table instanceof Object);
assertTrue(table instanceof WebAssembly.Table);
let table = new WebAssembly.Table({element: "anyfunc", maximum: 10});
assertTableIsValid(table);
})();
(function TestInitialIsUndefined() {
// New memory with initial = undefined, which means initial = 0.
let table = new WebAssembly.Table({element: "anyfunc", initial: undefined});
assertTableIsValid(table);
})();
(function TestMaximumIsUndefined() {
// New memory with maximum = undefined, which means maximum = 0.
let table = new WebAssembly.Table({element: "anyfunc", initial: 0, maximum: undefined});
assertTableIsValid(table);
})();
(function TestMaximumIsReadOnce() {
var a = true;
var desc = {element: "anyfunc", initial: 10};
Object.defineProperty(desc, 'maximum', {get: function() {
if (a) {
a = false;
return 16;
}
else {
// Change the return value on the second call so it throws.
return -1;
}
}});
let table = new WebAssembly.Table(desc);
assertTableIsValid(table);
})();
(function TestMaximumDoesHasProperty() {
var hasPropertyWasCalled = false;
var desc = {element: "anyfunc", initial: 10};
var proxy = new Proxy({maximum: 16}, {
has: function(target, name) { hasPropertyWasCalled = true; }
});
Object.setPrototypeOf(desc, proxy);
let table = new WebAssembly.Table(desc);
assertTableIsValid(table);
})();
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment