[wasm] [asm.js] Don't allow bad return types from a global constant

We recently allowed global constants in asm.js validated code. When used in a return statement, these need to be of an allowed type. BUG=660813 R=jpp@chromium.org,aseemgarg@chromium.org Review-Url: https://codereview.chromium.org/2481103002 Cr-Commit-Position: refs/heads/master@{#40850}
2016-11-08 15:31:39 -08:00 · 2016-11-08 15:31:39 -08:00 · 3f2db58c89
commit 3f2db58c89
parent 8d661a339f
4 changed files with 55 additions and 0 deletions
--- a/src/asmjs/asm-typer.cc
+++ b/src/asmjs/asm-typer.cc
@ -2713,6 +2713,10 @@ AsmType* AsmTyper::ReturnTypeAnnotations(ReturnStatement* statement) {
      FAIL(statement, "Identifier in return statement is not const.");
    }

+    if (!var_info->type()->IsReturnType()) {
+      FAIL(statement, "Constant in return must be signed, float, or double.");
+    }
+
    return var_info->type();
  }

--- a/test/cctest/asmjs/test-asm-typer.cc
+++ b/test/cctest/asmjs/test-asm-typer.cc
@ -2026,4 +2026,31 @@ TEST(B640194) {
  }
 }

+TEST(B660813) {
+  const char* kTests[] = {
+      "function asm() {\n"
+      "  'use asm';\n"
+      "  const i = 0xffffffff;\n"
+      "  function f() {\n"
+      "    return i;\n"
+      "  }\n"
+      "}",
+      "function asm() {\n"
+      "  'use asm';\n"
+      "  const i = -(-2147483648);\n"
+      "  function f() {\n"
+      "    return i;\n"
+      "  }\n"
+      "}",
+  };
+  for (size_t ii = 0; ii < arraysize(kTests); ++ii) {
+    if (!ValidationOf(Module(kTests[ii]))
+             ->FailsWithMessage(
+                 "Constant in return must be signed, float, or double.")) {
+      std::cerr << "Test:\n" << kTests[ii];
+      CHECK(false);
+    }
+  }
+}
+
 }  // namespace
--- a/test/mjsunit/asm/asm-validation.js
+++ b/test/mjsunit/asm/asm-validation.js
@ -283,3 +283,15 @@ function assertValidAsm(func) {
  assertValidAsm(Module);
  assertEquals(123, m.foo());
 })();
+
+(function TestBadConstUnsignedReturn() {
+  function Module() {
+    "use asm";
+    const i = 0xffffffff;
+    function foo() { return i; }
+    return { foo: foo };
+  }
+  var m = Module();
+  assertTrue(%IsNotAsmWasmCode(Module));
+  assertEquals(0xffffffff, m.foo());
+})();
--- a/test/mjsunit/asm/regress-660813.js
+++ b/test/mjsunit/asm/regress-660813.js
@ -0,0 +1,12 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function Module() {
+  "use asm";
+  const i = 0xffffffff;
+  function foo() {
+    return i;
+  }
+}
+Module();