[wasm] [interpreter] Fix cross-instance indirect calls

The existing access to the signatures is plain wrong. This CL fixes this. Note that cross-instance indirect calls are only enabled since a few days (https://crrev.com/c/778159), which is why this bug was not detected before. R=titzer@chromium.org Bug: chromium:787910 Change-Id: Iaac4d1d85840c921eb8554c5094933ec8d987802 Reviewed-on: https://chromium-review.googlesource.com/787312 Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#49607}
2017-11-23 12:39:31 +01:00 · 2017-11-23 12:39:31 +01:00 · 0bc1b967f2
commit 0bc1b967f2
parent 6e689c9162
2 changed files with 27 additions and 2 deletions
--- a/src/wasm/wasm-interpreter.cc
+++ b/src/wasm/wasm-interpreter.cc
@ -2505,8 +2505,7 @@ class ThreadImpl {
    // Call the code object. Use a new HandleScope to avoid leaking /
    // accumulating handles in the outer scope.
    HandleScope handle_scope(isolate);
-    FunctionSig* signature =
-        &codemap()->module()->signatures[table_index][sig_index];
+    FunctionSig* signature = module()->signatures[sig_index];
    return CallCodeObject(isolate, handle(target, isolate), signature);
  }

--- a/test/mjsunit/wasm/interpreter.js
+++ b/test/mjsunit/wasm/interpreter.js
@ -467,3 +467,29 @@ function checkStack(stack, expected_lines) {
  table.set(0, instance1.exports.func);
  instance2.exports.call_func();
 })();
+
+(function testTableCall2() {
+  // See crbug.com/787910.
+  print(arguments.callee.name);
+  const builder1 = new WasmModuleBuilder();
+  builder1.addFunction('exp', kSig_i_i)
+      .addBody([kExprI32Const, 0])
+      .exportFunc();
+  const instance1 = builder1.instantiate();
+  const builder2 = new WasmModuleBuilder();
+  const sig1 = builder2.addType(kSig_i_v);
+  const sig2 = builder2.addType(kSig_i_i);
+  builder2.addFunction('call2', kSig_i_v)
+      .addBody([
+        kExprI32Const, 0, kExprI32Const, 0, kExprCallIndirect, sig2, kTableZero
+      ])
+      .exportAs('call2');
+  builder2.addImportedTable('imp', 'table');
+  const tab = new WebAssembly.Table({
+    element: 'anyfunc',
+    initial: 3,
+  });
+  const instance2 = builder2.instantiate({imp: {table: tab}});
+  tab.set(0, instance1.exports.exp);
+  instance2.exports.call2();
+})();