v8/test/mjsunit/regress/wasm/regression-737069.js
Andreas Haas a15030304a [wasm] Check that a function body exists before verifying it.
R=clemensh@chromium.org
BUG=chromium:737069

Change-Id: Ic651c8e84eb8d3e1181355cf44aadf4c4009245b
Reviewed-on: https://chromium-review.googlesource.com/552145
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46285}
2017-06-28 12:35:36 +00:00


// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --expose-wasm
load("test/mjsunit/wasm/wasm-constants.js");
load("test/mjsunit/wasm/wasm-module-builder.js");
// Regression test for chromium:737069: the code section announces one function
// body but the module ends before any body bytes. The test passes when
// WebAssembly.validate() returns without crashing; its result is not asserted.
const moduleBytes = new Binary();
moduleBytes.emit_header();

// Type section: a single signature with no parameters and no returns.
moduleBytes.emit_section(kTypeSectionCode, (types) => {
  types.emit_u32v(1);  // number of types
  types.emit_u8(kWasmFunctionTypeForm);
  types.emit_u32v(0);  // number of parameters
  types.emit_u32v(0);  // number of returns
});

// Function section: one function, declared with type index 0.
moduleBytes.emit_section(kFunctionSectionCode, (functions) => {
  functions.emit_u32v(1);  // number of functions
  functions.emit_u32v(0);  // type index
});

// The code section is written byte by byte (not via emit_section) so that the
// declared sizes can disagree with the bytes that are actually present.
moduleBytes.emit_u8(kCodeSectionCode);
moduleBytes.emit_u8(0x02);  // section length: covers only the two bytes below
moduleBytes.emit_u8(0x01);  // number of functions
moduleBytes.emit_u8(0x40);  // function body size (64), more than what remains
// Function body is missing here: the input ends inside the declared body, so
// the validator has to notice the truncation before looking at body bytes.

// Copy the emitted bytes into an exactly sized buffer; `| 0` coerces each
// entry to an integer before it is stored.
const wireBytes = Uint8Array.from(
    {length: moduleBytes.length}, (_, index) => moduleBytes[index] | 0);
WebAssembly.validate(wireBytes.buffer);