[wasm] Ensure free-standing tables are rooted.

Bug: chromium:796584 Change-Id: Ib6a62d616d36344f35cad0b0a177f8f07c7fd2ac Reviewed-on: https://chromium-review.googlesource.com/836849Reviewed-by: Brad Nelson <bradnelson@chromium.org> Commit-Queue: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#50244}

[wasm] Ensure free-standing tables are rooted.
Bug: chromium:796584 Change-Id: Ib6a62d616d36344f35cad0b0a177f8f07c7fd2ac Reviewed-on: https://chromium-review.googlesource.com/836849Reviewed-by: Brad Nelson <bradnelson@chromium.org> Commit-Queue: Mircea Trofin <mtrofin@chromium.org> Cr-Commit-Position: refs/heads/master@{#50244}
f9c9616e · Mircea Trofin · Commit Bot · 34659c17 · f9c9616e · f9c9616e
Commit f9c9616e authored Dec 20, 2017 by Mircea Trofin Committed by Commit Bot Dec 20, 2017
Showing with 71 additions and 1 deletion

module-compiler.cc src/wasm/module-compiler.cc +1 -0

wasm-objects-inl.h src/wasm/wasm-objects-inl.h +2 -0

wasm-objects.h src/wasm/wasm-objects.h +3 -0

indirect-tables.js test/mjsunit/wasm/indirect-tables.js +65 -1

No files found.
--- a/src/wasm/module-compiler.cc
+++ b/src/wasm/module-compiler.cc
@@ -2925,6 +2925,7 @@ int InstanceBuilder::ProcessImports(Handle<FixedArray> code_table,
            module_->function_tables[num_imported_tables];
        TableInstance& table_instance = table_instances_[num_imported_tables];
        table_instance.table_object = Handle<WasmTableObject>::cast(value);
+        instance->set_table_object(*table_instance.table_object);
        table_instance.js_wrappers = Handle<FixedArray>(
            table_instance.table_object->functions(), isolate_);


--- a/src/wasm/wasm-objects-inl.h
+++ b/src/wasm/wasm-objects-inl.h
@@ -52,6 +52,8 @@ ACCESSORS(WasmInstanceObject, globals_buffer, JSArrayBuffer,
          kGlobalsBufferOffset)
 OPTIONAL_ACCESSORS(WasmInstanceObject, debug_info, WasmDebugInfo,
                   kDebugInfoOffset)
+OPTIONAL_ACCESSORS(WasmInstanceObject, table_object, WasmTableObject,
+                   kTableObjectOffset)
 OPTIONAL_ACCESSORS(WasmInstanceObject, function_tables, FixedArray,
                   kFunctionTablesOffset)
 OPTIONAL_ACCESSORS(WasmInstanceObject, signature_tables, FixedArray,

--- a/src/wasm/wasm-objects.h
+++ b/src/wasm/wasm-objects.h
@@ -190,6 +190,7 @@ class WasmInstanceObject : public JSObject {
  DECL_OPTIONAL_ACCESSORS(memory_object, WasmMemoryObject)
  DECL_OPTIONAL_ACCESSORS(globals_buffer, JSArrayBuffer)
  DECL_OPTIONAL_ACCESSORS(debug_info, WasmDebugInfo)
+  DECL_OPTIONAL_ACCESSORS(table_object, WasmTableObject)
  DECL_OPTIONAL_ACCESSORS(function_tables, FixedArray)
  DECL_OPTIONAL_ACCESSORS(signature_tables, FixedArray)

@@ -204,6 +205,7 @@ class WasmInstanceObject : public JSObject {
    kMemoryObjectIndex,
    kGlobalsBufferIndex,
    kDebugInfoIndex,
+    kTableObjectIndex,
    kFunctionTablesIndex,
    kSignatureTablesIndex,
    kDirectlyCalledInstancesIndex,
@@ -218,6 +220,7 @@ class WasmInstanceObject : public JSObject {
  DEF_OFFSET(MemoryObject)
  DEF_OFFSET(GlobalsBuffer)
  DEF_OFFSET(DebugInfo)
+  DEF_OFFSET(TableObject)
  DEF_OFFSET(FunctionTables)
  DEF_OFFSET(SignatureTables)
  DEF_OFFSET(DirectlyCalledInstances)

--- a/test/mjsunit/wasm/indirect-tables.js
+++ b/test/mjsunit/wasm/indirect-tables.js
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-// Flags: --expose-wasm
+// Flags: --expose-wasm --expose-gc

 load("test/mjsunit/wasm/wasm-constants.js");
 load("test/mjsunit/wasm/wasm-module-builder.js");
@@ -641,3 +641,67 @@ function js_div(a, b) { return (a / b) | 0; }

  assertEquals(instance1.exports.main(0), 1000);
 })();
+
+
+(function ImportedFreestandingTable() {
+  print("ImportedFreestandingTable...");
+
+  function forceGc() {
+    gc();
+    gc();
+    gc();
+  }
+
+  function setup() {
+    let builder = new WasmModuleBuilder();
+    let sig = builder.addType(kSig_i_v);
+    builder.addFunction('main', kSig_i_i)
+      .addBody([kExprGetLocal, 0, kExprCallIndirect, sig, kTableZero])
+      .exportAs('main');
+
+    builder.addImportedTable('', 'table');
+
+    let module1 = new WebAssembly.Module(builder.toBuffer());
+    let table = new WebAssembly.Table({initial:2, element:'anyfunc'});
+    let instance1 = new WebAssembly.Instance(module1, {'':{table: table}});
+
+    builder = new WasmModuleBuilder();
+    builder.addExport('theImport', builder.addImport('', 'callout', kSig_i_v));
+    builder.addImportedMemory('', 'memory', 1);
+    builder.addFunction('main', kSig_i_v)
+      .addBody([
+        kExprCallFunction, 0,
+        kExprI32Const, 0, kExprI32LoadMem, 0, 0,
+        kExprI32Add
+      ]).exportAs('main');
+
+    let mem = new WebAssembly.Memory({initial:1});
+    let view = new Int32Array(mem.buffer);
+    view[0] = 4;
+
+    let module2 = new WebAssembly.Module(builder.toBuffer());
+    let instance2 = new WebAssembly.Instance(module2, {
+      '': {
+        callout: () => {
+          forceGc();
+          return 3;
+        },
+        'memory': mem
+      }
+    });
+    table.set(0, instance2.exports.main);
+    table.set(1, instance2.exports.theImport);
+    return instance1;
+  }
+
+  function test(variant, expectation) {
+    var instance = setup();
+    forceGc();
+    assertEquals(expectation, instance.exports.main(variant));
+  }
+
+  // 0 indirectly calls the wasm function that calls the import,
+  // 1 does the same but for the exported import.
+  test(0, 7);
+  test(1, 3);
+})();