[wasm-gc] Fix type checking of null/undefined

The LookupIterator only handles JSReceivers, so special-case oddballs. Change-Id: I03d2875124775390c9b928fb7cfe4d938213b5d0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3645409 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#80548}
2022-05-14 19:36:01 +02:00 · 2022-05-14 19:36:01 +02:00 · 48a4195370
commit 48a4195370
parent ba07060a72
2 changed files with 31 additions and 5 deletions
--- a/src/wasm/wasm-objects.cc
+++ b/src/wasm/wasm-objects.cc
@ -2250,6 +2250,18 @@ Handle<AsmWasmData> AsmWasmData::New(

 namespace wasm {

+bool TryUnpackObjectWrapper(Isolate* isolate, Handle<Object>& in_out_value) {
+  if (in_out_value->IsUndefined(isolate)) return false;
+  if (in_out_value->IsNull(isolate)) return true;
+  if (!in_out_value->IsJSObject()) return false;
+  Handle<Name> key = isolate->factory()->wasm_wrapped_object_symbol();
+  LookupIterator it(isolate, in_out_value, key,
+                    LookupIterator::OWN_SKIP_INTERCEPTOR);
+  if (it.state() != LookupIterator::DATA) return false;
+  in_out_value = it.GetDataValue();
+  return true;
+}
+
 bool TypecheckJSObject(Isolate* isolate, const WasmModule* module,
                       Handle<Object> value, ValueType expected,
                       const char** error_message) {
@ -2280,16 +2292,12 @@ bool TypecheckJSObject(Isolate* isolate, const WasmModule* module,
          // TODO(7748): Change this when we have a decision on the JS API for
          // structs/arrays.
          if (!FLAG_wasm_gc_js_interop) {
-            Handle<Name> key = isolate->factory()->wasm_wrapped_object_symbol();
-            LookupIterator it(isolate, value, key,
-                              LookupIterator::OWN_SKIP_INTERCEPTOR);
-            if (it.state() != LookupIterator::DATA) {
+            if (!TryUnpackObjectWrapper(isolate, value)) {
              *error_message =
                  "eqref/dataref/i31ref object must be null (if nullable) or "
                  "wrapped with the wasm object wrapper";
              return false;
            }
-            value = it.GetDataValue();
          }

          if (repr == HeapType::kI31) {
--- a/test/mjsunit/regress/wasm/typecheck-null-undefined.js
+++ b/test/mjsunit/regress/wasm/typecheck-null-undefined.js
@ -0,0 +1,18 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --experimental-wasm-gc
+
+d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
+
+var builder = new WasmModuleBuilder();
+
+var sig_index = builder.addType({params: [kWasmDataRef], results: []});
+
+builder.addFunction('main', sig_index).addBody([]).exportFunc();
+
+var instance = builder.instantiate();
+
+assertThrows(() => instance.exports.main(undefined), TypeError);
+assertThrows(() => instance.exports.main(null), TypeError);