[asm] Reject import calls with too many parameters

The asm parser was missing a check for too many parameters for calls to imported functions. For regular functions this check implicitly existed because the limit was checked at the function declaration, and the call site needs to match the declared parameter count. R=mslekova@chromium.org Bug: chromium:1302596 Change-Id: I0d35e70a66d682ee8fdecf5c8ea4d2b1419ce684 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3509393Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#79415}

[asm] Reject import calls with too many parameters
The asm parser was missing a check for too many parameters for calls to imported functions. For regular functions this check implicitly existed because the limit was checked at the function declaration, and the call site needs to match the declared parameter count. R=mslekova@chromium.org Bug: chromium:1302596 Change-Id: I0d35e70a66d682ee8fdecf5c8ea4d2b1419ce684 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3509393Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#79415}
a664aef0 · Clemens Backes · V8 LUCI CQ · 51ea5508 · a664aef0 · a664aef0
Commit a664aef0 authored Mar 09, 2022 by Clemens Backes Committed by V8 LUCI CQ Mar 09, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 2 deletions

asm-parser.cc src/asmjs/asm-parser.cc +4 -1

asm-validation.js test/mjsunit/asm/asm-validation.js +27 -1

No files found.
--- a/src/asmjs/asm-parser.cc
+++ b/src/asmjs/asm-parser.cc
@@ -760,7 +760,7 @@ void AsmJsParser::ValidateFunction() {
  ValidateFunctionParams(&params);

  // Check against limit on number of parameters.
-  if (params.size() >= kV8MaxWasmFunctionParams) {
+  if (params.size() > kV8MaxWasmFunctionParams) {
    FAIL("Number of parameters exceeds internal limit");
  }

@@ -2246,6 +2246,9 @@ AsmType* AsmJsParser::ValidateCall() {
  // also determined the complete function type and can perform checking against
  // the expected type or update the expected type in case of first occurrence.
  if (function_info->kind == VarKind::kImportedFunction) {
+    if (param_types.size() > kV8MaxWasmFunctionParams) {
+      FAILn("Number of parameters exceeds internal limit");
+    }
    for (auto t : param_specific_types) {
      if (!t->IsA(AsmType::Extern())) {
        FAILn("Imported function args must be type extern");

--- a/test/mjsunit/asm/asm-validation.js
+++ b/test/mjsunit/asm/asm-validation.js
@@ -8,7 +8,7 @@
 // valid asm.js and then break them with invalid instantiation arguments. If
 // this script is run more than once (e.g. --stress-opt) then modules remain
 // broken in the second run and assertions would fail. We prevent re-runs.
-// Flags: --nostress-opt
+// Flags: --no-stress-opt

 function assertValidAsm(func) {
  assertTrue(%IsAsmWasmCode(func));
@@ -533,3 +533,29 @@ function assertValidAsm(func) {
      /Uint8Array is not a constructor/);
  assertFalse(%IsAsmWasmCode(regress1068355));
 })();
+
+(function TestTooManyParametersToImport() {
+  function MakeModule(num_arguments) {
+    let template = `
+      'use asm';
+      var imported = foreign.imported;
+      function main() {
+        imported(ARGS);
+      }
+
+      return main;
+      `;
+    let args = new Array(num_arguments).fill('0.0').join(', ');
+    return new Function('stdlib', 'foreign', template.replace('ARGS', args));
+  }
+
+  // V8 has an internal limit of 1000 parameters (see wasm-limits.h).
+  let Module1000Params = MakeModule(1000);
+  let Module1001Params = MakeModule(1001);
+
+  Module1000Params({}, {imported: i => i});
+  Module1001Params({}, {imported: i => i});
+
+  assertTrue(%IsAsmWasmCode(Module1000Params));
+  assertFalse(%IsAsmWasmCode(Module1001Params));
+})();