[wasm] Require wasm explicit asm instantiation to be of a function.

We were not checking that the string passed to instantiateFromAsm contains a function declaration (any declaration was allowed). Fixes crash. BUG=620649 BUG=v8:4203 R=aseemgarg@chromium.org Review-Url: https://codereview.chromium.org/2109533002 Cr-Commit-Position: refs/heads/master@{#37349}
2016-06-28 13:57:23 -07:00 · 2016-06-28 13:57:23 -07:00 · 58920e04bc
commit 58920e04bc
parent 0c7ee92783
3 changed files with 27 additions and 0 deletions
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@ -141,6 +141,11 @@ v8::internal::wasm::ZoneBuffer* TranslateAsmModule(
    return nullptr;
  }

+  if (!info->scope()->declarations()->at(0)->IsFunctionDeclaration()) {
+    thrower->Error("Asm.js validation failed: non-function declaration");
+    return nullptr;
+  }
+
  info->set_literal(
      info->scope()->declarations()->at(0)->AsFunctionDeclaration()->fun());

--- a/test/mjsunit/regress/regress-wasm-crbug-620649.js
+++ b/test/mjsunit/regress/regress-wasm-crbug-620649.js
@ -0,0 +1,10 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+__v_1 = "var outer = 0; function test() {'use strict'; outer = 1; } test();";
+assertThrows(function() {
+  Wasm.instantiateModuleFromAsm(__v_1);
+});
--- a/test/mjsunit/wasm/asm-wasm.js
+++ b/test/mjsunit/wasm/asm-wasm.js
@ -1530,3 +1530,15 @@ assertWasm(1, TestXor);
  assertEquals(0x80000000, wasm.u0x80000000());
  assertEquals(0x87654321, wasm.u0x87654321());
 })();
+
+(function TestBadNoDeclaration() {
+  assertThrows(function() {
+    Wasm.instantiateModuleFromAsm('33;');
+  });
+})();
+
+(function TestBadVarDeclaration() {
+  assertThrows(function() {
+    Wasm.instantiateModuleFromAsm('var x = 3;');
+  });
+})();