src/wasm/wasm-js.cc - Issue 2367673003: [wasm] Do a proper HasProperty() check in the memory and table setup.

Side by Side Diff: src/wasm/wasm-js.cc

Issue 2367673003: [wasm] Do a proper HasProperty() check in the memory and table setup. (Closed)

Patch Set: Created 4 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright 2015 the V8 project authors. All rights reserved.	1 // Copyright 2015 the V8 project authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "src/api-natives.h"	5 #include "src/api-natives.h"

6 #include "src/api.h"	6 #include "src/api.h"

7 #include "src/asmjs/asm-js.h"	7 #include "src/asmjs/asm-js.h"

8 #include "src/asmjs/asm-typer.h"	8 #include "src/asmjs/asm-typer.h"

9 #include "src/asmjs/asm-wasm-builder.h"	9 #include "src/asmjs/asm-wasm-builder.h"

10 #include "src/assert-scope.h"	10 #include "src/assert-scope.h"

(...skipping 292 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
303 return;	303 return;

304 }	304 }

305 v8::ReturnValue<v8::Value> return_value = args.GetReturnValue();	305 v8::ReturnValue<v8::Value> return_value = args.GetReturnValue();

306 return_value.Set(Utils::ToLocal(instance.ToHandleChecked()));	306 return_value.Set(Utils::ToLocal(instance.ToHandleChecked()));

307 }	307 }

308	308

309 bool GetIntegerProperty(v8::Isolate* isolate, ErrorThrower* thrower,	309 bool GetIntegerProperty(v8::Isolate* isolate, ErrorThrower* thrower,

310 Local<Context> context, Local<v8::Object> object,	310 Local<Context> context, Local<v8::Object> object,

311 Local<String> property, int* result, int lower_bound,	311 Local<String> property, int* result, int lower_bound,

312 int upper_bound) {	312 int upper_bound) {

313 v8::MaybeLocal<v8::Value> maybe = object->Get(context, property);	313 v8::MaybeLocal<v8::Value> maybe = object->Get(context, property);
	Franzi 2016/09/23 14:06:49 You're still doing Object::Get(), which I believe You're still doing Object::Get(), which I believe can modify the object. Why don't you use Object::Has()? Franzi 2016/09/23 17:23:28 Never mind, I found the Has() :P Show quoted text On 2016/09/23 at 14:06:49, Franzi wrote: > You're still doing Object::Get(), which I believe can modify the object. Why don't you use Object::Has()? Never mind, I found the Has() :P
314 v8::Local<v8::Value> value;	314 v8::Local<v8::Value> value;

315 if (maybe.ToLocal(&value) && !value->IsUndefined()) {	315 if (maybe.ToLocal(&value)) {

316 int64_t number;	316 int64_t number;

317 if (!value->IntegerValue(context).To(&number)) return false;	317 if (!value->IntegerValue(context).To(&number)) return false;

318 if (number < static_cast<int64_t>(lower_bound)) {	318 if (number < static_cast<int64_t>(lower_bound)) {

319 thrower->RangeError("Property value %" PRId64	319 thrower->RangeError("Property value %" PRId64

320 " is below the lower bound %d",	320 " is below the lower bound %d",

321 number, lower_bound);	321 number, lower_bound);

322 return false;	322 return false;

323 }	323 }

324 if (number > static_cast<int64_t>(std::numeric_limits<int>::max())) {	324 if (number > static_cast<int64_t>(upper_bound)) {

325 thrower->RangeError("Property value %" PRId64 " is out of integer range",

326 number);

327 return false;

328 }

329 int num = static_cast<int>(number);

330 if (num > upper_bound) {

331 thrower->RangeError("Property value %" PRId64	325 thrower->RangeError("Property value %" PRId64

332 " is above the upper bound %d",	326 " is above the upper bound %d",

333 number, upper_bound);	327 number, upper_bound);

334 return false;	328 return false;

335 }	329 }

336 *result = num;	330 *result = static_cast<int>(number);

337 return true;	331 return true;

338 }	332 }

339 return false;	333 return false;

340 }	334 }

341	335

342 void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {	336 void WebAssemblyTable(const v8::FunctionCallbackInfo<v8::Value>& args) {

343 v8::Isolate* isolate = args.GetIsolate();	337 v8::Isolate* isolate = args.GetIsolate();

344 HandleScope scope(isolate);	338 HandleScope scope(isolate);

345 ErrorThrower thrower(reinterpret_cast<i::Isolate*>(isolate),	339 ErrorThrower thrower(reinterpret_cast<i::Isolate*>(isolate),

346 "WebAssembly.Module()");	340 "WebAssembly.Module()");

(...skipping 21 matching lines...) Expand all Loading...
368 const int max_table_size = 1 << 26;	362 const int max_table_size = 1 << 26;

369 // The descriptor's 'initial'.	363 // The descriptor's 'initial'.

370 int initial;	364 int initial;

371 if (!GetIntegerProperty(isolate, &thrower, context, descriptor,	365 if (!GetIntegerProperty(isolate, &thrower, context, descriptor,

372 v8_str(isolate, "initial"), &initial, 0,	366 v8_str(isolate, "initial"), &initial, 0,

373 max_table_size)) {	367 max_table_size)) {

374 return;	368 return;

375 }	369 }

376 // The descriptor's 'maximum'.	370 // The descriptor's 'maximum'.

377 int maximum;	371 int maximum;

378 bool has_maximum = true;	372 Local<String> maximum_key = v8_str(isolate, "maximum");

379 if (!GetIntegerProperty(isolate, &thrower, context, descriptor,	373 Maybe<bool> maybe_has_maximum = descriptor->Has(context, maximum_key);

380 v8_str(isolate, "maximum"), &maximum, initial,	374

381 max_table_size)) {	375 bool has_maximum;
	Franzi 2016/09/23 17:23:28 I'd prefer to inline maybe_has_max and is_just. I I'd prefer to inline maybe_has_max and is_just. I think you can do Maybe<bool> has_maximum = desc->Has(); if (has_maximum.IsNothing()) return; if (has_maximum.FromJust()) { // get integer property } ahaas 2016/09/26 09:19:12 Thanks, done. Show quoted text On 2016/09/23 at 17:23:28, Franzi wrote: > I'd prefer to inline maybe_has_max and is_just. > I think you can do > > Maybe<bool> has_maximum = desc->Has(); > if (has_maximum.IsNothing()) return; > if (has_maximum.FromJust()) { > // get integer property > } Thanks, done.
382 if (reinterpret_cast<i::Isolate*>(isolate)->has_pending_exception() \|\|	376 bool is_just = maybe_has_maximum.To(&has_maximum);

383 thrower.error()) {	377 if (!is_just) {

	378 // There has been an exception, just return.

	379 return;

	380 }

	381 if (has_maximum) {

	382 if (!GetIntegerProperty(isolate, &thrower, context, descriptor, maximum_key,

	383 &maximum, initial, max_table_size)) {

384 return;	384 return;

385 } else {

386 // There was no error, the property just does not exist.

387 has_maximum = false;

388 }	385 }

389 }	386 }

390	387

391 i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);	388 i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);

392 i::Handle<i::JSFunction> table_cons(	389 i::Handle<i::JSFunction> table_cons(

393 i_isolate->native_context()->wasm_table_constructor());	390 i_isolate->native_context()->wasm_table_constructor());

394 i::Handle<i::JSObject> table_obj =	391 i::Handle<i::JSObject> table_obj =

395 i_isolate->factory()->NewJSObject(table_cons);	392 i_isolate->factory()->NewJSObject(table_cons);

396 i::Handle<i::FixedArray> fixed_array =	393 i::Handle<i::FixedArray> fixed_array =

397 i_isolate->factory()->NewFixedArray(initial);	394 i_isolate->factory()->NewFixedArray(initial);

(...skipping 15 matching lines...) Expand all Loading...
413 ErrorThrower thrower(reinterpret_cast<i::Isolate*>(isolate),	410 ErrorThrower thrower(reinterpret_cast<i::Isolate*>(isolate),

414 "WebAssembly.Module()");	411 "WebAssembly.Module()");

415 if (args.Length() < 1 \|\| !args[0]->IsObject()) {	412 if (args.Length() < 1 \|\| !args[0]->IsObject()) {

416 thrower.TypeError("Argument 0 must be a table descriptor");	413 thrower.TypeError("Argument 0 must be a table descriptor");

417 return;	414 return;

418 }	415 }

419 Local<Context> context = isolate->GetCurrentContext();	416 Local<Context> context = isolate->GetCurrentContext();

420 Local<v8::Object> descriptor = args[0]->ToObject(context).ToLocalChecked();	417 Local<v8::Object> descriptor = args[0]->ToObject(context).ToLocalChecked();

421 // The descriptor's 'initial'.	418 // The descriptor's 'initial'.

422 int initial;	419 int initial;

423 GetIntegerProperty(isolate, &thrower, context, descriptor,	420 if (!GetIntegerProperty(isolate, &thrower, context, descriptor,

424 v8_str(isolate, "initial"), &initial, 0, 65536);	421 v8_str(isolate, "initial"), &initial, 0, 65536)) {

	422 return;

	423 }

425 // The descriptor's 'maximum'.	424 // The descriptor's 'maximum'.

426 int maximum;	425 int maximum;

427 bool has_maximum = true;	426 Local<String> maximum_key = v8_str(isolate, "maximum");

428 if (!GetIntegerProperty(isolate, &thrower, context, descriptor,	427 Maybe<bool> maybe_has_maximum = descriptor->Has(context, maximum_key);

429 v8_str(isolate, "maximum"), &maximum, initial,	428

430 65536)) {	429 bool has_maximum;

431 if (reinterpret_cast<i::Isolate*>(isolate)->has_pending_exception() \|\|	430 bool is_just = maybe_has_maximum.To(&has_maximum);
	Franzi 2016/09/23 17:23:28 Same as above. Same as above. ahaas 2016/09/26 09:19:12 Done. Show quoted text On 2016/09/23 at 17:23:28, Franzi wrote: > Same as above. Done.
432 thrower.error()) {	431 if (!is_just) {

	432 // There has been an exception, just return.

	433 return;

	434 }

	435 if (has_maximum) {

	436 if (!GetIntegerProperty(isolate, &thrower, context, descriptor, maximum_key,

	437 &maximum, initial, 65536)) {

433 return;	438 return;

434 } else {

435 // There was no error, the property just does not exist.

436 has_maximum = false;

437 }	439 }

438 }	440 }

439 i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);	441 i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);

440 i::Handle<i::JSFunction> memory_cons(	442 i::Handle<i::JSFunction> memory_cons(

441 i_isolate->native_context()->wasm_memory_constructor());	443 i_isolate->native_context()->wasm_memory_constructor());

442 i::Handle<i::JSObject> memory_obj =	444 i::Handle<i::JSObject> memory_obj =

443 i_isolate->factory()->NewJSObject(memory_cons);	445 i_isolate->factory()->NewJSObject(memory_cons);

444 i::Handle<i::JSArrayBuffer> buffer =	446 i::Handle<i::JSArrayBuffer> buffer =

445 i_isolate->factory()->NewJSArrayBuffer(i::SharedFlag::kNotShared);	447 i_isolate->factory()->NewJSArrayBuffer(i::SharedFlag::kNotShared);

446 size_t size = static_cast<size_t>(i::wasm::WasmModule::kPageSize) *	448 size_t size = static_cast<size_t>(i::wasm::WasmModule::kPageSize) *

(...skipping 241 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
688 int unused_property_fields = in_object_properties - pre_allocated;	690 int unused_property_fields = in_object_properties - pre_allocated;

689 Handle<Map> map = Map::CopyInitialMap(	691 Handle<Map> map = Map::CopyInitialMap(

690 prev_map, instance_size, in_object_properties, unused_property_fields);	692 prev_map, instance_size, in_object_properties, unused_property_fields);

691	693

692 context->set_wasm_function_map(*map);	694 context->set_wasm_function_map(*map);

693 }	695 }

694 }	696 }

695	697

696 } // namespace internal	698 } // namespace internal

697 } // namespace v8	699 } // namespace v8

OLD	NEW

« no previous file with comments | « no previous file | test/mjsunit/wasm/memory.js » ('j') | test/mjsunit/wasm/memory.js » ('J')