AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
7cf29d8df3
v8/test/mjsunit/regress/wasm/regression-722445.js
Clemens Hammacher 74519c43fd [wasm] Check for illegal br table count 
The underlying issue is that TF Nodes cannot handle input counts
outside the integer range. On an illegal br_table instruction, we
generated a switch node with a control output count >kMaxInt.
Operator::ControlOutputCount turned this into a negative integer later,
leading to a failing DCHECK.
Since such large numbers cannot occur in any valid wasm function anyway,
we just add an additional check to the br table count. There is already
a TODO in the code to change Operator::ControlOutputCount to size_t.

R=ahaas@chromium.org
BUG=chromium:722445

Change-Id: I1975072226e073dee6c8da3b9fa9a050a4695917
Reviewed-on: https://chromium-review.googlesource.com/505496
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45365}
2017-05-17 09:46:46 +00:00

17 lines
581 B
JavaScript
Raw Blame History

// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-constants.js');
load('test/mjsunit/wasm/wasm-module-builder.js');
var builder = new WasmModuleBuilder();
builder.addFunction('f', kSig_v_v).addBody([
kExprI32Const, 0, kExprBrTable,
// 0x80000000 in LEB:
0x80, 0x80, 0x80, 0x80, 0x08,
// First break target. Creation of this node triggered the bug.
0
]);
assertThrows(() => builder.instantiate(), WebAssembly.CompileError);
Reference in New Issue View Git Blame Copy Permalink