438e7ec6dc
This is a reland of5c3092718e(the CL was reverted because of a Chromium test that is now fixed) Original change's description: > Reland "[asmjs] Properly validate asm.js heap sizes" > > This is a reland of5d69010e26> > Original change's description: > > [asmjs] Properly validate asm.js heap sizes > > > > Enforce both engine limitations and spec (http://asmjs.org/spec/latest/) > > limitations on the size of asm.js heaps. > > > > R=clemensh@chromium.org > > CC=mstarzinger@chromium.org > > > > Bug: chromium:873600 > > Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd > > Reviewed-on: https://chromium-review.googlesource.com/1174411 > > Commit-Queue: Ben Titzer <titzer@chromium.org> > > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > > Cr-Commit-Position: refs/heads/master@{#55163} > > Bug: chromium:873600 > Change-Id: Id24070bda3aafb9e1a32af0732a1b18f633ef932 > Reviewed-on: https://chromium-review.googlesource.com/1179681 > Commit-Queue: Ben Titzer <titzer@chromium.org> > Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> > Cr-Commit-Position: refs/heads/master@{#55193} Bug: chromium:873600 Change-Id: I6eca2a89589070837b109278f964fc8e9a0fd6f1 Reviewed-on: https://chromium-review.googlesource.com/1183081 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#55249}
31 lines
708 B
JavaScript
31 lines
708 B
JavaScript
// Copyright 2017 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
function module(stdlib,foreign,buffer) {
|
|
"use asm";
|
|
var fl = new stdlib.Uint32Array(buffer);
|
|
function f1(x) {
|
|
x = x | 0;
|
|
fl[0] = x;
|
|
fl[0x10000] = x;
|
|
fl[0x100000] = x;
|
|
}
|
|
return f1;
|
|
}
|
|
|
|
var global = {Uint32Array:Uint32Array};
|
|
var env = {};
|
|
memory = new WebAssembly.Memory({initial:128});
|
|
var buffer = memory.buffer;
|
|
evil_f = module(global,env,buffer);
|
|
|
|
zz = {};
|
|
zz.toString = function() {
|
|
Array.prototype.slice.call([]);
|
|
return 0xffffffff;
|
|
}
|
|
evil_f(3);
|
|
assertThrows(() => memory.grow(1), RangeError);
|
|
evil_f(zz);
|