[asm.js] Check that function table indices are intish.

R=titzer@chromium.org TEST=mjsunit/regress/regress-crbug-969368 BUG=chromium:969368 Change-Id: If8cdd3a170c3c0e487daa2c2dd9e347fb8eabafd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662571 Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#62226}
2019-06-17 18:18:37 +02:00 · 2019-06-17 18:18:37 +02:00 · b8474e7022
commit b8474e7022
parent 595813c6c4
2 changed files with 24 additions and 1 deletions
--- a/src/asmjs/asm-parser.cc
+++ b/src/asmjs/asm-parser.cc
@ -2108,7 +2108,11 @@ AsmType* AsmJsParser::ValidateCall() {
  // need to match the information stored at this point.
  base::Optional<TemporaryVariableScope> tmp;
  if (Check('[')) {
-    RECURSEn(EqualityExpression());
+    AsmType* index = nullptr;
+    RECURSEn(index = EqualityExpression());
+    if (!index->IsA(AsmType::Intish())) {
+      FAILn("Expected intish index");
+    }
    EXPECT_TOKENn('&');
    uint32_t mask = 0;
    if (!CheckForUnsigned(&mask)) {
--- a/test/mjsunit/regress/regress-crbug-969368.js
+++ b/test/mjsunit/regress/regress-crbug-969368.js
@ -0,0 +1,19 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function Module() {
+  'use asm';
+  function f() {}
+  function g() {
+    var x = 0.0;
+    table[x & 3]();
+  }
+  var table = [f, f, f, f];
+  return { g: g };
+}
+var m = Module();
+assertDoesNotThrow(m.g);
+assertFalse(%IsAsmWasmCode(Module));