[asm] Reject import calls with too many parameters

The asm parser was missing a check for too many parameters for calls to imported functions. For regular functions this check implicitly existed because the limit was checked at the function declaration, and the call site needs to match the declared parameter count. R=mslekova@chromium.org Bug: chromium:1302596 Change-Id: I0d35e70a66d682ee8fdecf5c8ea4d2b1419ce684 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3509393 Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#79415}
2022-03-09 10:37:51 +01:00 · 2022-03-09 10:37:51 +01:00 · a664aef0ca
commit a664aef0ca
parent 51ea5508fa
2 changed files with 31 additions and 2 deletions
--- a/src/asmjs/asm-parser.cc
+++ b/src/asmjs/asm-parser.cc
@ -760,7 +760,7 @@ void AsmJsParser::ValidateFunction() {
  ValidateFunctionParams(&params);

  // Check against limit on number of parameters.
-  if (params.size() >= kV8MaxWasmFunctionParams) {
+  if (params.size() > kV8MaxWasmFunctionParams) {
    FAIL("Number of parameters exceeds internal limit");
  }

@ -2246,6 +2246,9 @@ AsmType* AsmJsParser::ValidateCall() {
  // also determined the complete function type and can perform checking against
  // the expected type or update the expected type in case of first occurrence.
  if (function_info->kind == VarKind::kImportedFunction) {
+    if (param_types.size() > kV8MaxWasmFunctionParams) {
+      FAILn("Number of parameters exceeds internal limit");
+    }
    for (auto t : param_specific_types) {
      if (!t->IsA(AsmType::Extern())) {
        FAILn("Imported function args must be type extern");
--- a/test/mjsunit/asm/asm-validation.js
+++ b/test/mjsunit/asm/asm-validation.js
@ -8,7 +8,7 @@
 // valid asm.js and then break them with invalid instantiation arguments. If
 // this script is run more than once (e.g. --stress-opt) then modules remain
 // broken in the second run and assertions would fail. We prevent re-runs.
-// Flags: --nostress-opt
+// Flags: --no-stress-opt

 function assertValidAsm(func) {
  assertTrue(%IsAsmWasmCode(func));
@ -533,3 +533,29 @@ function assertValidAsm(func) {
      /Uint8Array is not a constructor/);
  assertFalse(%IsAsmWasmCode(regress1068355));
 })();
+
+(function TestTooManyParametersToImport() {
+  function MakeModule(num_arguments) {
+    let template = `
+      'use asm';
+      var imported = foreign.imported;
+      function main() {
+        imported(ARGS);
+      }
+
+      return main;
+      `;
+    let args = new Array(num_arguments).fill('0.0').join(', ');
+    return new Function('stdlib', 'foreign', template.replace('ARGS', args));
+  }
+
+  // V8 has an internal limit of 1000 parameters (see wasm-limits.h).
+  let Module1000Params = MakeModule(1000);
+  let Module1001Params = MakeModule(1001);
+
+  Module1000Params({}, {imported: i => i});
+  Module1001Params({}, {imported: i => i});
+
+  assertTrue(%IsAsmWasmCode(Module1000Params));
+  assertFalse(%IsAsmWasmCode(Module1001Params));
+})();