[wasm] Implement location from stack trace for asm.js frames

This avoids the crash which ClusterFuzz found, but still does not report the same position as without validate.asm. For calls like "foo()|0", we report the position of the call instead of the position of the "|" if ToNumber throws an error. After this CL, the correctness-fuzzer for validate-asm will probably find mismatches there. R=titzer@chromium.org BUG=chromium:670808 Review-Url: https://codereview.chromium.org/2548323002 Cr-Commit-Position: refs/heads/master@{#41500}
2016-12-05 11:29:38 -08:00 · 2016-12-05 11:29:38 -08:00 · 6a8dccb197
commit 6a8dccb197
parent 3e46a3b754
3 changed files with 43 additions and 3 deletions
--- a/src/isolate.cc
+++ b/src/isolate.cc
@ -47,6 +47,7 @@
 #include "src/version.h"
 #include "src/vm-state-inl.h"
 #include "src/wasm/wasm-module.h"
+#include "src/wasm/wasm-objects.h"
 #include "src/zone/accounting-allocator.h"

 namespace v8 {
@ -1546,8 +1547,23 @@ bool Isolate::ComputeLocationFromStackTrace(MessageLocation* target,
  const int frame_count = elements->FrameCount();
  for (int i = 0; i < frame_count; i++) {
    if (elements->IsWasmFrame(i)) {
-      // TODO(clemensh): handle wasm frames
-      return false;
+      // TODO(clemensh): Handle wasm frames if they ever need handling here.
+      continue;
+    }
+
+    if (elements->IsAsmJsWasmFrame(i)) {
+      Handle<WasmCompiledModule> compiled_module(
+          WasmInstanceObject::cast(elements->WasmInstance(i))
+              ->get_compiled_module());
+      int func_index = elements->WasmFunctionIndex(i)->value();
+      int code_offset = elements->Offset(i)->value();
+      int byte_pos = elements->Code(i)->SourcePosition(code_offset);
+      int source_pos = WasmCompiledModule::GetAsmJsSourcePosition(
+          compiled_module, func_index, byte_pos);
+      Handle<Script> script = compiled_module->script();
+
+      *target = MessageLocation(script, source_pos, source_pos + 1);
+      return true;
    }

    Handle<JSFunction> fun = handle(elements->Function(i), this);
--- a/src/isolate.h
+++ b/src/isolate.h
@ -765,7 +765,9 @@ class Isolate {
  Object* PromoteScheduledException();

  // Attempts to compute the current source location, storing the
-  // result in the target out parameter.
+  // result in the target out parameter. The source location is attached to a
+  // Message object as the location which should be shown to the user. It's
+  // typically the top-most meaningful location on the stack.
  bool ComputeLocation(MessageLocation* target);
  bool ComputeLocationFromException(MessageLocation* target,
                                    Handle<Object> exception);
--- a/test/mjsunit/regress/regress-670808.js
+++ b/test/mjsunit/regress/regress-670808.js
@ -0,0 +1,22 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var sym = Symbol();
+function asm(stdlib, ffi) {
+  "use asm";
+  var get_sym = ffi.get_sym;
+  function crash() {
+    get_sym()|0;
+  }
+  return {crash: crash};
+}
+function get_sym() {
+  return sym;
+}
+try {
+  asm(null, {get_sym: get_sym}).crash();
+} catch (e) {
+  if (!(e instanceof TypeError))
+    throw e;
+}