[asm] Disallow duplicate parameter names

According to the spec, the three parameters (stdlib, foreign, and heap)
must be mutually distinct. We did not check this yet, which led to
observable differences between asm validation and standard JavaScript
semantics.

R=thibaudm@chromium.org

Bug: chromium:1068355
Change-Id: I451f63d10ea50474aeb6e8a547918b5af769343b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3244408
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77554}
This commit is contained in:
Clemens Backes 2021-10-26 16:13:49 +02:00 committed by V8 LUCI CQ
parent bf327cb487
commit 4ea3051629
2 changed files with 42 additions and 0 deletions

View File

@ -398,12 +398,18 @@ void AsmJsParser::ValidateModuleParameters() {
FAIL("Expected foreign parameter"); FAIL("Expected foreign parameter");
} }
foreign_name_ = Consume(); foreign_name_ = Consume();
if (stdlib_name_ == foreign_name_) {
FAIL("Duplicate parameter name");
}
if (!Peek(')')) { if (!Peek(')')) {
EXPECT_TOKEN(','); EXPECT_TOKEN(',');
if (!scanner_.IsGlobal()) { if (!scanner_.IsGlobal()) {
FAIL("Expected heap parameter"); FAIL("Expected heap parameter");
} }
heap_name_ = Consume(); heap_name_ = Consume();
if (heap_name_ == stdlib_name_ || heap_name_ == foreign_name_) {
FAIL("Duplicate parameter name");
}
} }
} }
} }

View File

@ -497,3 +497,39 @@ function assertValidAsm(func) {
var props = Object.getOwnPropertyNames(m); var props = Object.getOwnPropertyNames(m);
assertEquals(["a","b","x","c","d"], props); assertEquals(["a","b","x","c","d"], props);
})(); })();
(function TestDuplicateParameterName() {
function module1(x, x, heap) {
'use asm';
return {};
}
module1({}, {}, new ArrayBuffer(4096));
assertFalse(%IsAsmWasmCode(module1));
function module2(x, ffi, x) {
'use asm';
return {};
}
module2({}, {}, new ArrayBuffer(4096));
assertFalse(%IsAsmWasmCode(module2));
function module3(stdlib, x, x) {
'use asm';
return {};
}
module3({}, {}, new ArrayBuffer(4096));
assertFalse(%IsAsmWasmCode(module3));
// Regression test for https://crbug.com/1068355.
function regress1068355(ffi, ffi, heap) {
'use asm';
var result = new ffi.Uint8Array(heap);
function bar() {}
return {f: bar};
}
let heap = new ArrayBuffer(4096);
assertThrows(
() => regress1068355({Uint8Array: Uint8Array}, {}, heap), TypeError,
/Uint8Array is not a constructor/);
assertFalse(%IsAsmWasmCode(regress1068355));
})();