[wasm] Fix BigInt imports to asm.js modules
Replacing a crash with a TypeError. Bug: chromium:1203692 Change-Id: I6970f980b46f20033f29c1deb9bc5d49ea2014ae Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2856842 Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#74266}
parent
f436772423
commit
c85723a6f1
@ -1325,11 +1325,15 @@ bool InstanceBuilder::ProcessImportedGlobal(Handle<WasmInstanceObject> instance,
|
||||
// TODO(wasm): Still observable if Function.prototype.valueOf or friends
|
||||
// are patched, we might need to check for that as well.
|
||||
if (value->IsJSFunction()) value = isolate_->factory()->nan_value();
|
||||
if (value->IsPrimitive() && !value->IsSymbol()) {
|
||||
if (global.type == kWasmI32) {
|
||||
value = Object::ToInt32(isolate_, value).ToHandleChecked();
|
||||
} else {
|
||||
value = Object::ToNumber(isolate_, value).ToHandleChecked();
|
||||
if (value->IsPrimitive()) {
|
||||
MaybeHandle<Object> converted = global.type == kWasmI32
|
||||
? Object::ToInt32(isolate_, value)
|
||||
: Object::ToNumber(isolate_, value);
|
||||
if (!converted.ToHandle(&value)) {
|
||||
// Conversion is known to fail for Symbols and BigInts.
|
||||
ReportLinkError("global import must be a number", import_index,
|
||||
module_name, import_name);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
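Review bot: When `converted` comes back empty, the failed `Object::ToInt32`/`Object::ToNumber` has presumably already thrown (a TypeError for BigInt and Symbol), so the isolate carries a pending exception at the point where `ReportLinkError` is called and `false` is returned; which of the two errors the caller ends up observing depends on how ReportLinkError and the error thrower treat an already-pending exception, and nothing in the hunk says. The comment `// Conversion is known to fail for Symbols and BigInts.` should be extended to state which error callers observe (the pending TypeError or the link error), or the pending exception should be cleared explicitly before reporting if the link error is the intended result. Note also that the dropped `!value->IsSymbol()` guard means Symbols, which previously skipped conversion and fell through to the checks later in the function, now produce a link error too — intended, judging by the comment, but worth a line in the commit message, which only mentions BigInt. ProcessImportedGlobal continues outside the hunk.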
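--- /dev/null
+++ b/test/mjsunit/regress/wasm/regress-crbug-1203692.js
@@ -0,0 +1,12 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function asm(stdlib, foreign) {
+"use asm";
+var unused = foreign.a | 0;
+function fun() { }
+return fun;
+}
+
+assertThrows(() => asm(null, { a: 1n }).fun(), TypeError);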
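Review bot: The `.fun()` in `assertThrows(() => asm(null, { a: 1n }).fun(), TypeError);` can never be what produces the expected TypeError, and it weakens the regression test: `asm` returns `fun` itself rather than an object, so if instantiation ever stopped throwing, `asm(...).fun` would be `undefined` and calling it would still raise a TypeError, letting the assertion pass without exercising the import path at all. Since the TypeError the commit is about is presumably raised while `asm(null, { a: 1n })` itself runs, assert on that call alone: `assertThrows(() => asm(null, { a: 1n }), TypeError);`. If the intent is also to reach the exported function, return `{ fun: fun }` from the module instead and keep the `.fun()` call.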