AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[asm.js] Check that function table indices are intish.

Browse Source 
R=titzer@chromium.org
TEST=mjsunit/regress/regress-crbug-969368
BUG=chromium:969368

Change-Id: If8cdd3a170c3c0e487daa2c2dd9e347fb8eabafd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1662571
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62226}
This commit is contained in:
Michael Starzinger 2019-06-17 18:18:37 +02:00 committed by Commit Bot
parent 595813c6c4
commit b8474e7022
2 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/asmjs/asm-parser.cc
View File

@ -2108,7 +2108,11 @@ AsmType* AsmJsParser::ValidateCall() {
// need to match the information stored at this point. // need to match the information stored at this point.
base::Optional<TemporaryVariableScope> tmp; base::Optional<TemporaryVariableScope> tmp;
if (Check('[')) { if (Check('[')) {
RECURSEn(EqualityExpression()); AsmType* index = nullptr;
RECURSEn(index = EqualityExpression());
if (!index->IsA(AsmType::Intish())) {
FAILn("Expected intish index");
}
EXPECT_TOKENn('&'); EXPECT_TOKENn('&');
uint32_t mask = 0; uint32_t mask = 0;
if (!CheckForUnsigned(&mask)) { if (!CheckForUnsigned(&mask)) {

19
test/mjsunit/regress/regress-crbug-969368.js Normal file
View File

@ -0,0 +1,19 @@
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function Module() {
'use asm';
function f() {}
function g() {
var x = 0.0;
table[x & 3]();
}
var table = [f, f, f, f];
return { g: g };
}
var m = Module();
assertDoesNotThrow(m.g);
assertFalse(%IsAsmWasmCode(Module));