Commit b8474e70 authored by Michael Starzinger's avatar Michael Starzinger Committed by Commit Bot

[asm.js] Check that function table indices are intish.

R=titzer@chromium.org
TEST=mjsunit/regress/regress-crbug-969368
BUG=chromium:969368

Change-Id: If8cdd3a170c3c0e487daa2c2dd9e347fb8eabafd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662571Reviewed-by: 's avatarBen Titzer <titzer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62226}
parent 595813c6
...@@ -2108,7 +2108,11 @@ AsmType* AsmJsParser::ValidateCall() { ...@@ -2108,7 +2108,11 @@ AsmType* AsmJsParser::ValidateCall() {
// need to match the information stored at this point. // need to match the information stored at this point.
base::Optional<TemporaryVariableScope> tmp; base::Optional<TemporaryVariableScope> tmp;
if (Check('[')) { if (Check('[')) {
RECURSEn(EqualityExpression()); AsmType* index = nullptr;
RECURSEn(index = EqualityExpression());
if (!index->IsA(AsmType::Intish())) {
FAILn("Expected intish index");
}
EXPECT_TOKENn('&'); EXPECT_TOKENn('&');
uint32_t mask = 0; uint32_t mask = 0;
if (!CheckForUnsigned(&mask)) { if (!CheckForUnsigned(&mask)) {
......
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function Module() {
'use asm';
function f() {}
function g() {
var x = 0.0;
table[x & 3]();
}
var table = [f, f, f, f];
return { g: g };
}
var m = Module();
assertDoesNotThrow(m.g);
assertFalse(%IsAsmWasmCode(Module));
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment