[asm.js] Test and fix function (table) immutability.

This makes sure that function variables as well as function table variables are properly typed as immutable, hence assignments to them should cause validation failures. R=clemensh@chromium.org TEST=mjsunit/asm/immutable BUG=chromium:721271 Change-Id: Ia3f65fd0782ca571ffcf99520fdbd8fc5a359d16 Reviewed-on: https://chromium-review.googlesource.com/503209Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#45256}

[asm.js] Test and fix function (table) immutability.
This makes sure that function variables as well as function table variables are properly typed as immutable, hence assignments to them should cause validation failures. R=clemensh@chromium.org TEST=mjsunit/asm/immutable BUG=chromium:721271 Change-Id: Ia3f65fd0782ca571ffcf99520fdbd8fc5a359d16 Reviewed-on: https://chromium-review.googlesource.com/503209Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#45256}
b4948f1b · Michael Starzinger · Commit Bot · 26f2d5c2 · b4948f1b · b4948f1b
Commit b4948f1b authored May 11, 2017 by Michael Starzinger Committed by Commit Bot May 11, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 51 additions and 0 deletions

asm-parser.cc src/asmjs/asm-parser.cc +3 -0

immutable.js test/mjsunit/asm/immutable.js +48 -0

No files found.
--- a/src/asmjs/asm-parser.cc
+++ b/src/asmjs/asm-parser.cc
@@ -719,6 +719,7 @@ void AsmJsParser::ValidateFunction() {
    function_info->kind = VarKind::kFunction;
    function_info->function_builder = module_builder_->AddFunction();
    function_info->index = function_info->function_builder->func_index();
+    function_info->mutable_variable = false;
  } else if (function_info->kind != VarKind::kFunction) {
    FAIL("Function name collides with variable");
  } else if (function_info->function_defined) {
@@ -2047,6 +2048,7 @@ AsmType* AsmJsParser::ValidateCall() {
      function_info->mask = static_cast<int32_t>(mask);
      function_info->index = module_builder_->AllocateIndirectFunctions(
          static_cast<uint32_t>(mask + 1));
+      function_info->mutable_variable = false;
    } else {
      if (function_info->kind != VarKind::kTable) {
        FAILn("Expected call table");
@@ -2068,6 +2070,7 @@ AsmType* AsmJsParser::ValidateCall() {
      function_info->kind = VarKind::kFunction;
      function_info->function_builder = module_builder_->AddFunction();
      function_info->index = function_info->function_builder->func_index();
+      function_info->mutable_variable = false;
    } else {
      if (function_info->kind != VarKind::kFunction &&
          function_info->kind < VarKind::kImportedFunction) {

--- a/test/mjsunit/asm/immutable.js
+++ b/test/mjsunit/asm/immutable.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+(function FailImmutableFunction() {
+  function Module(stdlib, imports, heap) {
+    "use asm";
+    function f(a) {
+      a = a | 0;
+      if (a) {
+        a = f((a - 1) | 0) | 0;
+        f = 0;
+        return (a + 1) | 0;
+      }
+      return 23;
+    }
+    return { f:f };
+  }
+  var m = Module(this);
+  assertFalse(%IsAsmWasmCode(Module));
+  assertEquals(23, m.f(0));
+  assertEquals(24, m.f(1));
+  assertThrows(() => m.f(2));
+})();
+
+(function FailImmutableFunctionTable() {
+  function Module(stdlib, imports, heap) {
+    "use asm";
+    function f(a) {
+      a = a | 0;
+      if (a) {
+        a = funTable[a & 0]((a - 1) | 0) | 0;
+        funTable = 0;
+        return (a + 1) | 0;
+      }
+      return 23;
+    }
+    var funTable = [ f ];
+    return { f:f };
+  }
+  var m = Module(this);
+  assertFalse(%IsAsmWasmCode(Module));
+  assertEquals(23, m.f(0));
+  assertEquals(24, m.f(1));
+  assertThrows(() => m.f(2));
+})();