[wasm] Freeze mutability of tables

Bug: v8:7232 Change-Id: I1eed337749686ec749b970b4af56413c5614b980 Reviewed-on: https://chromium-review.googlesource.com/837646 Commit-Queue: Mircea Trofin <mtrofin@chromium.org> Reviewed-by: Brad Nelson <bradnelson@chromium.org> Cr-Commit-Position: refs/heads/master@{#50253}

[wasm] Freeze mutability of tables
Bug: v8:7232 Change-Id: I1eed337749686ec749b970b4af56413c5614b980 Reviewed-on: https://chromium-review.googlesource.com/837646 Commit-Queue: Mircea Trofin <mtrofin@chromium.org> Reviewed-by: Brad Nelson <bradnelson@chromium.org> Cr-Commit-Position: refs/heads/master@{#50253}
c8fe2635 · Mircea Trofin · Commit Bot · a8a11419 · c8fe2635 · c8fe2635
Commit c8fe2635 authored Dec 20, 2017 by Mircea Trofin Committed by Commit Bot Dec 21, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 1 deletion

wasm-js.cc src/wasm/wasm-js.cc +14 -1

indirect-tables.js test/mjsunit/wasm/indirect-tables.js +38 -0

No files found.
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -751,7 +751,20 @@ void WebAssemblyTableSet(const v8::FunctionCallbackInfo<v8::Value>& args) {
    return;
  }

-  i::WasmTableObject::Set(i_isolate, receiver, static_cast<int32_t>(index),
+  // TODO(v8:7232) Allow reset/mutation after addressing referenced issue.
+  int32_t int_index = static_cast<int32_t>(index);
+  if (receiver->functions()->get(int_index) !=
+          i_isolate->heap()->undefined_value() &&
+      receiver->functions()->get(int_index) !=
+          i_isolate->heap()->null_value()) {
+    for (i::StackFrameIterator it(i_isolate); !it.done(); it.Advance()) {
+      if (it.frame()->type() == i::StackFrame::WASM_TO_JS) {
+        thrower.RangeError("Modifying existing entry in table not supported.");
+        return;
+      }
+    }
+  }
+  i::WasmTableObject::Set(i_isolate, receiver, static_cast<int32_t>(int_index),
                          value->IsNull(i_isolate)
                              ? i::Handle<i::JSFunction>::null()
                              : i::Handle<i::JSFunction>::cast(value));

--- a/test/mjsunit/wasm/indirect-tables.js
+++ b/test/mjsunit/wasm/indirect-tables.js
@@ -705,3 +705,41 @@ function js_div(a, b) { return (a / b) | 0; }
  test(0, 7);
  test(1, 3);
 })();
+
+
+// Remove this test when v8:7232 is addressed comprehensively.
+(function TablesAreImmutableInWasmCallstacks() {
+  print('TablesAreImmutableInWasmCallstacks...');
+  let table = new WebAssembly.Table({initial:2, element:'anyfunc'});
+
+  let builder = new WasmModuleBuilder();
+  builder.addImport('', 'mutator', kSig_v_v);
+  builder.addFunction('main', kSig_v_v)
+    .addBody([
+      kExprCallFunction, 0
+    ]).exportAs('main');
+
+  let module = new WebAssembly.Module(builder.toBuffer());
+  let instance = new WebAssembly.Instance(module, {
+    '': {
+      'mutator': () => {table.set(0, null);}
+    }
+  });
+
+  table.set(0, instance.exports.main);
+
+  try {
+    instance.exports.main();
+    assertUnreached();
+  } catch (e) {
+    assertTrue(e instanceof RangeError);
+  }
+  try {
+    instance.exports.main();
+    assertUnreached();
+  } catch (e) {
+    assertTrue(e instanceof RangeError);
+  }
+  table.set(0, null);
+  assertEquals(null, table.get(0));
+})();