[wasm][bigint] Allow only bigints as i64-global imports

The fuzzer found a crash when we want to execute the {valueOf} function of an imported value for an i64-global. The problem is that we cannot execute JavaScript at that moment (I did not check why, I guess we open some scope at some point). I checked the WebAssembly spec now, and it defines that only numbers are valid values for imported globals. I adjust our bigint implementation accordingly with this CL, i.e. that only bigint values are valid as imported i64-globalsl. I also created github issues to discuss this problem. R=jkummerow@chromium.org Bug: chromium:1001804 Change-Id: I47f0b31fab53163346f341ad290fd3c58e7707bf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792167 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#63621}

[wasm][bigint] Allow only bigints as i64-global imports
The fuzzer found a crash when we want to execute the {valueOf} function of an imported value for an i64-global. The problem is that we cannot execute JavaScript at that moment (I did not check why, I guess we open some scope at some point). I checked the WebAssembly spec now, and it defines that only numbers are valid values for imported globals. I adjust our bigint implementation accordingly with this CL, i.e. that only bigint values are valid as imported i64-globalsl. I also created github issues to discuss this problem. R=jkummerow@chromium.org Bug: chromium:1001804 Change-Id: I47f0b31fab53163346f341ad290fd3c58e7707bf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1792167 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#63621}
f87505ca · Andreas Haas · Commit Bot · 6165355e · f87505ca · f87505ca
Commit f87505ca authored Sep 09, 2019 by Andreas Haas Committed by Commit Bot Sep 09, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 14 deletions

module-instantiate.cc src/wasm/module-instantiate.cc +2 -7

bigint.js test/mjsunit/wasm/bigint.js +7 -7

No files found.
--- a/src/wasm/module-instantiate.cc
+++ b/src/wasm/module-instantiate.cc
@@ -1185,13 +1185,8 @@ bool InstanceBuilder::ProcessImportedGlobal(Handle<WasmInstanceObject> instance,
    return true;
  }
-  if (enabled_.bigint && global.type == kWasmI64) {
+  if (enabled_.bigint && global.type == kWasmI64 && value->IsBigInt()) {
-    Handle<BigInt> bigint;
+    WriteGlobalValue(global, BigInt::cast(*value).AsInt64());
-    if (!BigInt::FromObject(isolate_, value).ToHandle(&bigint)) {
-      return false;
-    }
-    WriteGlobalValue(global, bigint->AsInt64());
    return true;
  }

--- a/test/mjsunit/wasm/bigint.js
+++ b/test/mjsunit/wasm/bigint.js
@@ -26,30 +26,30 @@ load("test/mjsunit/wasm/wasm-module-builder.js");
  let builder = new WasmModuleBuilder();
  let a_global_index = builder
-    .addImportedGlobal("mod", "a", kWasmI64)
+    .addImportedGlobal("mod", "a", kWasmI64);
  let b_global_index = builder
    .addImportedGlobal("mod", "b", kWasmI64);
-  let c_global_index = builder
-    .addImportedGlobal("mod", "c", kWasmI64);
  builder
    .addExportOfKind('a', kExternalGlobal, a_global_index)
    .addExportOfKind('b', kExternalGlobal, b_global_index)
-    .addExportOfKind('c', kExternalGlobal, c_global_index);
  let module = builder.instantiate({
    mod: {
      a: 1n,
      b: 2n ** 63n,
-      c: "123",
    }
  });
  assertEquals(module.exports.a.value, 1n);
  assertEquals(module.exports.b.value, - (2n ** 63n));
-  assertEquals(module.exports.c.value, 123n);
+})();
+(function TestJSBigIntGlobalImportInvalidType() {
+  let builder = new WasmModuleBuilder();
+  builder.addImportedGlobal("mod", "a", kWasmI64);
+  assertThrows(() => builder.instantiate({mod: { a: {} } }), WebAssembly.LinkError);
 })();
 (function TestJSBigIntToWasmI64MutableGlobal() {