[wasm] Fix for cloning module heap size value

The module size is encoded as a HeapNumber, and needs to be explicitly cloned. BUG=chromium:647649 Review-Url: https://codereview.chromium.org/2347333002 Cr-Commit-Position: refs/heads/master@{#39845}

[wasm] Fix for cloning module heap size value
The module size is encoded as a HeapNumber, and needs to be explicitly cloned. BUG=chromium:647649 Review-Url: https://codereview.chromium.org/2347333002 Cr-Commit-Position: refs/heads/master@{#39845}
df490c34 · mtrofin · Commit bot · 28fe488f · df490c34 · df490c34
Commit df490c34 authored Sep 29, 2016 by mtrofin Committed by Commit bot Sep 29, 2016
Show whitespace changes
Inline Side-by-side

Showing with 49 additions and 0 deletions

wasm-module.cc src/wasm/wasm-module.cc +6 -0

regression-647649.js test/mjsunit/regress/wasm/regression-647649.js +43 -0

No files found.
--- a/src/wasm/wasm-module.cc
+++ b/src/wasm/wasm-module.cc
@@ -1297,6 +1297,12 @@ MaybeHandle<JSObject> WasmModule::Instantiate(Isolate* isolate,
            UNREACHABLE();
        }
      }
+      Handle<HeapNumber> size_as_object = factory->NewHeapNumber(
+          static_cast<double>(
+              compiled_module->GetValueChecked<HeapNumber>(isolate, kMemSize)
+                  ->value()),
+          MUTABLE, TENURED);
+      compiled_module->set(kMemSize, *size_as_object);
      RecordStats(isolate, code_table);
    } else {
      // There was no owner, so we can reuse the original.

--- a/test/mjsunit/regress/wasm/regression-647649.js
+++ b/test/mjsunit/regress/wasm/regression-647649.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --nostress-opt --expose-gc --invoke-weak-callbacks --validate-asm
+// Flags: --noalways-opt --invoke-weak-callbacks
+// This test was generated by the fuzzer.
+function getRandomProperty(v, rand) {
+  var properties = Object.getOwnPropertyNames(v);
+  var proto = Object.getPrototypeOf(v);
+  if (proto) {; }
+  if ("constructor" && v.constructor.hasOwnProperty()) {; }
+  if (properties.length == 0) { return "0"; }
+  return properties[rand % properties.length];
+}
+var __v_11 = {};
+function __f_1(stdlib, foreign, buffer) {
+  "use asm";
+  var __v_3 = new stdlib.Float64Array(buffer);
+  function __f_0() {
+    var __v_1 = 6.0;
+    __v_3[2] = __v_1 + 1.0;
+  }
+  return {__f_0: __f_0};
+}
+try {
+  var __v_0 = new ArrayBuffer(207222809);
+  var module = __f_1(this, null, __v_0);
+( {
+})();
+} catch(e) {; }
+__v_13 = '@3'
+Array.prototype.__proto__ = {3: __v_13};
+Array.prototype.__proto__.__proto__ = {7: __v_11};
+__v_9 = [0, 1, , , 4, 5, , , , 9]
+__v_12 = __v_9.splice(4, 1)
+__v_9.__defineGetter__(getRandomProperty(__v_9, 1689439720), function() {; return __f_1(); });
+ __v_9[8]
+gc();