a621462bab
This fixes crashes during validation when trying to construct modules with excessively large function tables. The {WasmModuleBuilder} now gracefully checks against existing WebAssembly implementation limits. R=clemensh@chromium.org TEST=mjsunit/regress/regress-crbug-715455 BUG=chromium:715455 Change-Id: Ia9738cb0b49a1eb4caf073b75301c0303f295699 Reviewed-on: https://chromium-review.googlesource.com/509530 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#45429}
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Source template for an asm.js-style module. Its single function `f` calls
// through `bogus_function_table`, a name the module body never declares as a
// function table. The test loop reads this function's source text with
// toString() and substitutes the MODULE and LIMIT placeholders before
// evaluating the result, so the body is deliberately left free of comments:
// anything written inside it would become part of the generated source.
// LIMIT stands for the index mask of the table call; under the asm.js rule
// that such a mask equals the table length minus one, a large mask implies a
// correspondingly large function table.
function MODULE() {
  "use asm";
  function f() {
    bogus_function_table[0 & LIMIT]();
  }
  return { f:f };
}
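// Regression driver for chromium:715455: validation used to crash when a
// module implied an excessively large function table. Each iteration
// instantiates one copy of the MODULE template with a different index mask and
// checks that it is rejected gracefully instead of crashing.

// Once a module has been rejected it runs as ordinary JavaScript, so the table
// name inside it resolves to this global. `0 & mask` is always 0, so entry 0 is
// the one the call selects.
var bogus_function_table = [ Object ];

// Index masks substituted for the LIMIT placeholder. With mask = length - 1
// they imply tables of 2^30, 2^31 and 2^32 entries.
var test_set = [ 0x3fffffff, 0x7fffffff, 0xffffffff ];

for (var i = 0; i < test_set.length; ++i) {
  bogus_function_table[i] = Object;
  // Build a uniquely named copy of the template with the mask filled in.
  // The eval input is this file's own function source plus a number taken from
  // test_set; nothing external reaches it.
  var src = MODULE.toString();
  src = src.replace(/MODULE/g, "Module" + i);
  src = src.replace(/LIMIT/g, test_set[i]);
  var module = eval("(" + src + ")");
  // Pass a closure so that instantiation and the call run inside the assertion.
  // Passing the call's result would run them before the assertion starts and
  // leave it with nothing to check. The arrow function keeps the top-level
  // `this` that the module receives as its first argument.
  assertDoesNotThrow(() => module(this).f());
  // As the intrinsic's name indicates, this checks that the module was not
  // compiled through the asm-to-wasm path, i.e. that validation rejected it.
  // The `%` call requires --allow-natives-syntax.
  assertFalse(%IsAsmWasmCode(module));
}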