AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[wasm] [asm.js] Don't allow bad return types from a global constant

Browse Source 
We recently allowed global constants in asm.js validated code.
When used in a return statement, these need to be of an allowed type.

BUG=660813
R=jpp@chromium.org,aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2481103002
Cr-Commit-Position: refs/heads/master@{#40850}
This commit is contained in:
bradnelson 2016-11-08 15:31:39 -08:00 committed by Commit bot
parent 8d661a339f
commit 3f2db58c89
4 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/asmjs/asm-typer.cc
View File

@ -2713,6 +2713,10 @@ AsmType* AsmTyper::ReturnTypeAnnotations(ReturnStatement* statement) {
FAIL(statement, "Identifier in return statement is not const."); FAIL(statement, "Identifier in return statement is not const.");
} }
if (!var_info->type()->IsReturnType()) {
FAIL(statement, "Constant in return must be signed, float, or double.");
}
return var_info->type(); return var_info->type();
} }

27
test/cctest/asmjs/test-asm-typer.cc
View File

@ -2026,4 +2026,31 @@ TEST(B640194) {
} }
} }
TEST(B660813) {
const char* kTests[] = {
"function asm() {\n"
" 'use asm';\n"
" const i = 0xffffffff;\n"
" function f() {\n"
" return i;\n"
" }\n"
"}",
"function asm() {\n"
" 'use asm';\n"
" const i = -(-2147483648);\n"
" function f() {\n"
" return i;\n"
" }\n"
"}",
};
for (size_t ii = 0; ii < arraysize(kTests); ++ii) {
if (!ValidationOf(Module(kTests[ii]))
->FailsWithMessage(
"Constant in return must be signed, float, or double.")) {
std::cerr << "Test:\n" << kTests[ii];
CHECK(false);
}
}
}
} // namespace } // namespace

12
test/mjsunit/asm/asm-validation.js
View File

@ -283,3 +283,15 @@ function assertValidAsm(func) {
assertValidAsm(Module); assertValidAsm(Module);
assertEquals(123, m.foo()); assertEquals(123, m.foo());
})(); })();
(function TestBadConstUnsignedReturn() {
function Module() {
"use asm";
const i = 0xffffffff;
function foo() { return i; }
return { foo: foo };
}
var m = Module();
assertTrue(%IsNotAsmWasmCode(Module));
assertEquals(0xffffffff, m.foo());
})();

12
test/mjsunit/asm/regress-660813.js Normal file
View File

@ -0,0 +1,12 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function Module() {
"use asm";
const i = 0xffffffff;
function foo() {
return i;
}
}
Module();