[wasm] Disallow calling wasm constructors without new.

BUG=chromium:786021 R=titzer@chromium.org Change-Id: I188ea4d639ef9d5ceeab5052e043ec1c9150bd77 Reviewed-on: https://chromium-review.googlesource.com/778282Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Brad Nelson <bradnelson@chromium.org> Cr-Commit-Position: refs/heads/master@{#49506}

[wasm] Disallow calling wasm constructors without new.
BUG=chromium:786021 R=titzer@chromium.org Change-Id: I188ea4d639ef9d5ceeab5052e043ec1c9150bd77 Reviewed-on: https://chromium-review.googlesource.com/778282Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Brad Nelson <bradnelson@chromium.org> Cr-Commit-Position: refs/heads/master@{#49506}
fa268032 · Brad Nelson · Commit Bot · d8981833 · fa268032 · fa268032
Commit fa268032 authored Nov 18, 2017 by Brad Nelson Committed by Commit Bot Nov 20, 2017
4 changed files
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -192,6 +192,10 @@ void WebAssemblyModule(const v8::FunctionCallbackInfo<v8::Value>& args) {
  HandleScope scope(isolate);
  i::wasm::ScheduledErrorThrower thrower(i_isolate, "WebAssembly.Module()");

+  if (!args.IsConstructCall()) {
+    thrower.TypeError("WebAssembly.Module must be invoked with 'new'");
+    return;
+  }
  if (!i::wasm::IsWasmCodegenAllowed(i_isolate, i_isolate->native_context())) {
    thrower.CompileError("Wasm code generation disallowed by embedder");
    return;
@@ -352,6 +356,10 @@ void WebAssemblyInstance(const v8::FunctionCallbackInfo<v8::Value>& args) {
  if (i_isolate->wasm_instance_callback()(args)) return;

  i::wasm::ScheduledErrorThrower thrower(i_isolate, "WebAssembly.Instance()");
+  if (!args.IsConstructCall()) {
+    thrower.TypeError("WebAssembly.Instance must be invoked with 'new'");
+    return;
+  }

  GetFirstArgumentAsModule(args, &thrower);
  if (thrower.error()) return;
@@ -483,6 +491,10 @@ void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {
  i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
  HandleScope scope(isolate);
  i::wasm::ScheduledErrorThrower thrower(i_isolate, "WebAssembly.Module()");
+  if (!args.IsConstructCall()) {
+    thrower.TypeError("WebAssembly.Table must be invoked with 'new'");
+    return;
+  }
  if (!args[0]->IsObject()) {
    thrower.TypeError("Argument 0 must be a table descriptor");
    return;
@@ -536,6 +548,10 @@ void WebAssemblyMemory(const v8::FunctionCallbackInfo<v8::Value>& args) {
  i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
  HandleScope scope(isolate);
  i::wasm::ScheduledErrorThrower thrower(i_isolate, "WebAssembly.Memory()");
+  if (!args.IsConstructCall()) {
+    thrower.TypeError("WebAssembly.Memory must be invoked with 'new'");
+    return;
+  }
  if (!args[0]->IsObject()) {
    thrower.TypeError("Argument 0 must be a memory descriptor");
    return;
@@ -623,8 +639,8 @@ void WebAssemblyInstanceGetExports(
  v8::Isolate* isolate = args.GetIsolate();
  i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
  HandleScope scope(isolate);
-    i::wasm::ScheduledErrorThrower thrower(i_isolate,
-                                           "WebAssembly.Instance.exports()");
+  i::wasm::ScheduledErrorThrower thrower(i_isolate,
+                                         "WebAssembly.Instance.exports()");
  EXTRACT_THIS(receiver, WasmInstanceObject);
  i::Handle<i::JSObject> exports_object(receiver->exports_object());
  args.GetReturnValue().Set(Utils::ToLocal(exports_object));

--- a/test/mjsunit/wasm/js-api.js
+++ b/test/mjsunit/wasm/js-api.js
@@ -907,3 +907,21 @@ assertInstantiateSuccess(
  class Y extends WebAssembly.Memory { }
  assertThrows(() => new Y());
 })();
+
+(function TestCallWithoutNew() {
+  var bytes = Uint8Array.of(0x0, 0x61, 0x73, 0x6d, 0x1, 0x00, 0x00, 0x00);
+  assertThrows(() => WebAssembly.Module(bytes), TypeError);
+  assertThrows(() => WebAssembly.Instance(new WebAssembly.Module(bytes)),
+               TypeError);
+  assertThrows(() => WebAssembly.Table({size: 10, element: 'anyfunc'}),
+               TypeError);
+  assertThrows(() => WebAssembly.Memory({size: 10}), TypeError);
+})();
+
+(function TestTinyModule() {
+  var bytes = Uint8Array.of(0x0, 0x61, 0x73, 0x6d, 0x1, 0x00, 0x00, 0x00);
+  var module = new WebAssembly.Module(bytes);
+  assertTrue(module instanceof Module);
+  var instance = new WebAssembly.Instance(module);
+  assertTrue(instance instanceof Instance);
+})();
--- a/test/mjsunit/wasm/table-grow.js
+++ b/test/mjsunit/wasm/table-grow.js
@@ -64,7 +64,7 @@ let id = (() => {  // identity exported function
  print("TableGrowBoundsCheck");
  let builder = new WasmModuleBuilder();
  addMain(builder);
-  let module = WebAssembly.Module(builder.toBuffer());
+  let module = new WebAssembly.Module(builder.toBuffer());
  let table = new WebAssembly.Table({element: "anyfunc",
                                     initial: 1, maximum:kMaxTableSize});
  function fillTable() {
@@ -95,7 +95,7 @@ let id = (() => {  // identity exported function
  print("TableGrowBoundsZeroInitial");
  let builder = new WasmModuleBuilder();
  addMain(builder);
-  let module = WebAssembly.Module(builder.toBuffer());
+  let module = new WebAssembly.Module(builder.toBuffer());
  var table = new WebAssembly.Table({element: "anyfunc",
                                     initial: 0, maximum:kMaxTableSize});
  function growTableByOne() {

--- a/test/mjsunit/wasm/test-wasm-module-builder.js
+++ b/test/mjsunit/wasm/test-wasm-module-builder.js
@@ -10,7 +10,7 @@ load('test/mjsunit/wasm/wasm-module-builder.js');
 var debug = true;

 function instantiate(buffer, ffi) {
-  return new WebAssembly.Instance(WebAssembly.Module(buffer), ffi);
+  return new WebAssembly.Instance(new WebAssembly.Module(buffer), ffi);
 }

 (function BasicTest() {