[wasm] Check size of table imports at instantiation time

Up until now. we only checked the size of tables defined in a module at instantiation time. For imported tables we only checked if the imported table matched the declared import in size. This causes a problem because we allocate function tables also for imported tabled before we actually look at the imported table. With this CL we first check the size of all tables, and only then start to initialize and load them. R=jkummerow@chromium.org Bug: chromium:1114006 Change-Id: Iaf194ed21fb83304fe3a7f0f7ba7b282396e3954 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339473 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#69291}

[wasm] Check size of table imports at instantiation time
Up until now. we only checked the size of tables defined in a module at instantiation time. For imported tables we only checked if the imported table matched the declared import in size. This causes a problem because we allocate function tables also for imported tabled before we actually look at the imported table. With this CL we first check the size of all tables, and only then start to initialize and load them. R=jkummerow@chromium.org Bug: chromium:1114006 Change-Id: Iaf194ed21fb83304fe3a7f0f7ba7b282396e3954 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2339473 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#69291}
8cf00222 · Andreas Haas · Commit Bot · 81fb2ebb · 8cf00222 · 8cf00222
Commit 8cf00222 authored Aug 07, 2020 by Andreas Haas Committed by Commit Bot Aug 07, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

module-instantiate.cc src/wasm/module-instantiate.cc +6 -2

regress-1114005.js test/mjsunit/regress/wasm/regress-1114005.js +1 -1

No files found.
--- a/src/wasm/module-instantiate.cc
+++ b/src/wasm/module-instantiate.cc
@@ -533,8 +533,7 @@ MaybeHandle<WasmInstanceObject> InstanceBuilder::Build() {
  //--------------------------------------------------------------------------
  int table_count = static_cast<int>(module_->tables.size());
  {
-    Handle<FixedArray> tables = isolate_->factory()->NewFixedArray(table_count);
-    for (int i = module_->num_imported_tables; i < table_count; i++) {
+    for (int i = 0; i < table_count; i++) {
      const WasmTable& table = module_->tables[i];
      if (table.initial_size > FLAG_wasm_max_table_size) {
        thrower_->RangeError(
@@ -543,6 +542,11 @@ MaybeHandle<WasmInstanceObject> InstanceBuilder::Build() {
            table.initial_size, FLAG_wasm_max_table_size);
        return {};
      }
+    }
+
+    Handle<FixedArray> tables = isolate_->factory()->NewFixedArray(table_count);
+    for (int i = module_->num_imported_tables; i < table_count; i++) {
+      const WasmTable& table = module_->tables[i];
      Handle<WasmTableObject> table_obj = WasmTableObject::New(
          isolate_, table.type, table.initial_size, table.has_maximum_size,
          table.maximum_size, nullptr);

--- a/test/mjsunit/regress/wasm/regress-1114005.js
+++ b/test/mjsunit/regress/wasm/regress-1114005.js
@@ -8,4 +8,4 @@ const builder = new WasmModuleBuilder();
 let table = new WebAssembly.Table({element: 'anyfunc', initial: 2});
 // Big size that causes an int32 overflow.
 builder.addImportedTable('m', 'table', 4000000000);
-assertThrows(() => builder.instantiate({m: {table: table}}), WebAssembly.LinkError);
+assertThrows(() => builder.instantiate({m: {table: table}}), RangeError);