AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[wasm] Open CodeSpaceMemoryModificationScope after imports got sanitized

Browse Source 
Within SanitizeImports it is possible that JavaScript code gets executed
therefore we have to open the CodeSpaceMemoryModificationScope after
SanitizeImports.

R=clemensh@chromium.org

Bug: chromium:788469
Change-Id: Ide9bbd4ee4613b28380979d4a6c66d26e6a9406f
Reviewed-on: https://chromium-review.googlesource.com/789936
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49635}
This commit is contained in:
Andreas Haas 2017-11-27 14:15:42 +01:00 committed by Commit Bot
parent e815149402
commit e21bac5b0b
2 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/wasm/module-compiler.cc
View File

@ -1598,11 +1598,6 @@ InstanceBuilder::InstanceBuilder(
// Build an instance, in all of its glory.
MaybeHandle<WasmInstanceObject> InstanceBuilder::Build() {
// TODO(6792): No longer needed once WebAssembly code is off heap.
// Use base::Optional to be able to close the scope before executing the start
// function.
base::Optional<CodeSpaceMemoryModificationScope> modification_scope(
base::in_place_t(), isolate_->heap());
// Check that an imports argument was provided, if the module requires it.
// No point in continuing otherwise.
if (!module_->import_table.empty() && ffi_.is_null()) {
@ -1614,6 +1609,11 @@ MaybeHandle<WasmInstanceObject> InstanceBuilder::Build() {
SanitizeImports();
if (thrower_->error()) return {};
// TODO(6792): No longer needed once WebAssembly code is off heap.
// Use base::Optional to be able to close the scope before executing the start
// function.
base::Optional<CodeSpaceMemoryModificationScope> modification_scope(
base::in_place_t(), isolate_->heap());
// From here on, we expect the build pipeline to run without exiting to JS.
// Exception is when we run the startup function.
DisallowJavascriptExecution no_js(isolate_);

15
test/mjsunit/wasm/ffi.js
View File

@ -385,3 +385,18 @@ testCallBinopVoid(kWasmF64);
main();
assertEquals(0, num_valueOf);
})();
(function ImportWithCustomGetter() {
print(arguments.callee.name);
const builder = new WasmModuleBuilder();
builder.addImport("import", "func", kSig_v_v);
const ffi = {};
Object.defineProperty(ffi, 'import', {
get: _ => {
return {func: () => null };
}
});
builder.instantiate(ffi);
})();