From 58920e04bce8435be4c98e36b3c10592ef1b206d Mon Sep 17 00:00:00 2001
From: bradnelson
Date: Tue, 28 Jun 2016 13:57:23 -0700
Subject: [PATCH] [wasm] Require wasm explicit asm instantiation to be of a function.

We were not checking that the string passed to instantiateFromAsm contains a function declaration (any declaration was allowed). Fixes crash.

BUG=620649
BUG=v8:4203
R=aseemgarg@chromium.org

Review-Url: https://codereview.chromium.org/2109533002
Cr-Commit-Position: refs/heads/master@{#37349}
---
 src/wasm/wasm-js.cc | 5 +++++
 test/mjsunit/regress/regress-wasm-crbug-620649.js | 10 ++++++++++
 test/mjsunit/wasm/asm-wasm.js | 12 ++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-wasm-crbug-620649.js

diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
index fa9edf4d49..2189cde8f1 100644
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -141,6 +141,11 @@ v8::internal::wasm::ZoneBuffer* TranslateAsmModule(
     return nullptr;
   }
 
+  if (!info->scope()->declarations()->at(0)->IsFunctionDeclaration()) {
+    thrower->Error("Asm.js validation failed: non-function declaration");
+    return nullptr;
+  }
+
   info->set_literal(
       info->scope()->declarations()->at(0)->AsFunctionDeclaration()->fun());
 
diff --git a/test/mjsunit/regress/regress-wasm-crbug-620649.js b/test/mjsunit/regress/regress-wasm-crbug-620649.js
new file mode 100644
index 0000000000..f9355d8887
--- /dev/null
+++ b/test/mjsunit/regress/regress-wasm-crbug-620649.js
@@ -0,0 +1,10 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm
+
+__v_1 = "var outer = 0; function test() {'use strict'; outer = 1; } test();";
+assertThrows(function() {
+  Wasm.instantiateModuleFromAsm(__v_1);
+});
diff --git a/test/mjsunit/wasm/asm-wasm.js b/test/mjsunit/wasm/asm-wasm.js
index 4c28b619c3..4391e039eb 100644
--- a/test/mjsunit/wasm/asm-wasm.js
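Review bot: The new guard on `declarations()->at(0)->IsFunctionDeclaration()` carries no comment saying why a non-function first declaration has to be rejected here, and the reason is not visible from the line itself: the `AsFunctionDeclaration()` call on the following `info->set_literal(...)` line presumably yields null for any other declaration kind, so the `->fun()` dereference is the crash the commit message refers to. I would put above the `if`: `// The asm.js source must begin with a function declaration; AsFunctionDeclaration() below returns null for any other kind and ->fun() would dereference it.` The `at(0)` access additionally presumes `declarations()` is non-empty; the `return nullptr; }` context just above suggests an earlier guard covers that (the new `'33;'` case in asm-wasm.js depends on it), which is worth naming in the same comment so the ordering of the two checks is not broken by a later refactor. TranslateAsmModule begins and ends outside the hunk.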
+++ b/test/mjsunit/wasm/asm-wasm.js
@@ -1530,3 +1530,15 @@ assertWasm(1, TestXor);
   assertEquals(0x80000000, wasm.u0x80000000());
   assertEquals(0x87654321, wasm.u0x87654321());
 })();
+
+(function TestBadNoDeclaration() {
+  assertThrows(function() {
+    Wasm.instantiateModuleFromAsm('33;');
+  });
+})();
+
+(function TestBadVarDeclaration() {
+  assertThrows(function() {
+    Wasm.instantiateModuleFromAsm('var x = 3;');
+  });
+})();