[wasm] Extend wasm object validation to WasmCompiledModule

src/wasm/wasm-module.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <memory>
 
 #include "src/base/atomic-utils.h"
 #include "src/code-stubs.h"
 
 #include "src/macro-assembler.h"
@@ skipping 1109 matching lines @@
   // TODO(wasm): saving the module bytes for debugging is wasteful. We should
   // consider downloading this on-demand.
   {
     size_t module_bytes_len = module_end - module_start;
     DCHECK_LE(module_bytes_len, static_cast<size_t>(kMaxInt));
     Vector<const uint8_t> module_bytes_vec(module_start,
                                            static_cast<int>(module_bytes_len));
     Handle<String> module_bytes_string =
         factory->NewStringFromOneByte(module_bytes_vec, TENURED)
             .ToHandleChecked();
-    ret->set_module_bytes(module_bytes_string);
+    DCHECK(module_bytes_string->IsSeqOneByteString());
+    ret->set_module_bytes(Handle<SeqOneByteString>::cast(module_bytes_string));
   }
 
   Handle<ByteArray> function_name_table =
       BuildFunctionNamesTable(isolate, module_env.module);
   ret->set_function_names(function_name_table);
   if (data_segments.size() > 0) SaveDataSegmentInfo(factory, this, ret);
   DCHECK_EQ(ret->default_mem_size(), temp_instance.mem_size);
   return ret;
 }
 
@@ skipping 160 matching lines @@
     if (num_imported_functions < 0) return nothing;
 
     //--------------------------------------------------------------------------
     // Process the initialization for the module's globals.
     //--------------------------------------------------------------------------
     ProcessInits(globals);
 
     //--------------------------------------------------------------------------
     // Set up the debug support for the new instance.
     //--------------------------------------------------------------------------
-    // TODO(wasm): avoid referencing this stuff from the instance, use it off
-    // the compiled module instead. See the following 3 assignments:
+    // TODO(clemensh): avoid referencing this stuff from the instance, use it
+    // off the compiled module instead. See the following 3 assignments:
     if (compiled_module_->has_module_bytes()) {
       instance->SetInternalField(kWasmModuleBytesString,
                                  compiled_module_->ptr_to_module_bytes());
     }
 
     if (compiled_module_->has_function_names()) {
       instance->SetInternalField(kWasmFunctionNamesArray,
                                  compiled_module_->ptr_to_function_names());
     }
 
@@ skipping 83 matching lines @@
       Handle<Object> undefined = factory->undefined_value();
       MaybeHandle<Object> retval =
           Execution::Call(isolate_, startup_fct, undefined, 0, nullptr);
 
       if (retval.is_null()) {
         thrower_->Error("WASM.instantiateModule(): start function failed");
         return nothing;
       }
     }
 
-    DCHECK(wasm::IsWasmObject(*instance));
-
     {
       Handle<WeakCell> link_to_owner = factory->NewWeakCell(instance);
 
       Handle<Object> global_handle =
           isolate_->global_handles()->Create(*instance);
       Handle<WeakCell> link_to_clone = factory->NewWeakCell(compiled_module_);
       {
         DisallowHeapAllocation no_gc;
         compiled_module_->set_weak_owning_instance(link_to_owner);
         Handle<WeakCell> next;
         if (link_to_original.ToHandle(&next) && !next->cleared()) {
           WasmCompiledModule* original =
               WasmCompiledModule::cast(next->value());
           DCHECK(original->has_weak_owning_instance());
           DCHECK(!original->weak_owning_instance()->cleared());
           compiled_module_->set_weak_next_instance(next);
           original->set_weak_prev_instance(link_to_clone);
         }
 
         compiled_module_->set_weak_owning_instance(link_to_owner);
         instance->SetInternalField(kWasmCompiledModule, *compiled_module_);
         GlobalHandles::MakeWeak(global_handle.location(),
                                 global_handle.location(), &InstanceFinalizer,
                                 v8::WeakCallbackType::kFinalizer);
       }
     }
+
+    DCHECK(wasm::IsWasmObject(*instance));
+
     TRACE("Finishing instance %d\n", compiled_module_->instance_id());
     TRACE_CHAIN(WasmCompiledModule::cast(module_object_->GetInternalField(0)));
     return instance;
   }
 
  private:
   Isolate* isolate_;
   ErrorThrower* thrower_;
   Handle<JSObject> module_object_;
   Handle<JSReceiver> ffi_;
@@ skipping 410 matching lines @@
       isolate->factory()->NewFixedArray(PropertyIndices::Count, TENURED);
   // Globals size is expected to fit into an int without overflow. This is not
   // supported by the spec at the moment, however, we don't support array
   // buffer sizes over 1g, so, for now, we avoid alocating a HeapNumber for
   // the globals size. The CHECK guards this assumption.
   CHECK_GE(static_cast<int>(globals_size), 0);
   ret->set(kID_min_memory_pages,
            Smi::FromInt(static_cast<int>(min_memory_pages)));
   ret->set(kID_globals_size, Smi::FromInt(static_cast<int>(globals_size)));
   ret->set(kID_origin, Smi::FromInt(static_cast<int>(origin)));
-  WasmCompiledModule::cast(*ret)->Init();
-  return handle(WasmCompiledModule::cast(*ret));
+
+  // WasmCompiledModule::cast would fail since module bytes are not set yet.
+  Handle<WasmCompiledModule> module(reinterpret_cast<WasmCompiledModule*>(*ret),
+                                    isolate);
+  module->Init();
+  return module;
 }
 
 void WasmCompiledModule::Init() {
 #if DEBUG
   static uint32_t instance_id_counter = 0;
   set(kID_instance_id, Smi::FromInt(instance_id_counter++));
   TRACE("New compiled module id: %d\n", instance_id());
 #endif
 }
 
+bool WasmCompiledModule::IsWasmCompiledModule(Object* obj) {
+  if (!obj->IsFixedArray()) return false;
+  FixedArray* arr = FixedArray::cast(obj);
+  if (arr->length() != PropertyIndices::Count) return false;
+  Isolate* isolate = arr->GetIsolate();
+#define WCM_CHECK_SMALL_NUMBER(TYPE, NAME) \
+  if (!arr->get(kID_##NAME)->IsSmi()) return false;
+#define WCM_CHECK_OBJECT_OR_WEAK(TYPE, NAME)         \
+  if (!arr->get(kID_##NAME)->IsUndefined(isolate) && \
+      !arr->get(kID_##NAME)->Is##TYPE())             \
+    return false;
+#define WCM_CHECK_OBJECT(TYPE, NAME) WCM_CHECK_OBJECT_OR_WEAK(TYPE, NAME)
+#define WCM_CHECK_WEAK_LINK(TYPE, NAME) WCM_CHECK_OBJECT_OR_WEAK(WeakCell, NAME)
+#define WCM_CHECK(KIND, TYPE, NAME) WCM_CHECK_##KIND(TYPE, NAME)
+  WCM_PROPERTY_TABLE(WCM_CHECK)
+#undef WCM_CHECK
+
+  WasmCompiledModule* compiled_module =
+      reinterpret_cast<WasmCompiledModule*>(obj);
+  if (!compiled_module->has_module_bytes()) return false;
+  SeqOneByteString* module_bytes = compiled_module->ptr_to_module_bytes();
+  if (module_bytes->length() < 4) return false;
+  if (memcmp(module_bytes->GetChars(), "\0asm", 4)) return false;
+
+  // All checks passed.
+  return true;
+}
+
 void WasmCompiledModule::PrintInstancesChain() {
 #if DEBUG
   if (!FLAG_trace_wasm_instances) return;
   for (WasmCompiledModule* current = this; current != nullptr;) {
     PrintF("->%d", current->instance_id());
     if (current->ptr_to_weak_next_instance() == nullptr) break;
     CHECK(!current->ptr_to_weak_next_instance()->cleared());
     current =
         WasmCompiledModule::cast(current->ptr_to_weak_next_instance()->value());
   }
@@ skipping 32 matching lines @@
 bool IsWasmObject(Object* object) {
   if (!object->IsJSObject()) return false;
 
   JSObject* obj = JSObject::cast(object);
   Isolate* isolate = obj->GetIsolate();
   if (obj->GetInternalFieldCount() != kWasmModuleInternalFieldCount) {
     return false;
   }
 
   Object* mem = obj->GetInternalField(kWasmMemArrayBuffer);
-  if (obj->GetInternalField(kWasmModuleCodeTable)->IsFixedArray() &&
-      (mem->IsUndefined(isolate) || mem->IsJSArrayBuffer()) &&
-      obj->GetInternalField(kWasmFunctionNamesArray)->IsByteArray()) {
-    Object* debug_bytes = obj->GetInternalField(kWasmModuleBytesString);
-    if (!debug_bytes->IsUndefined(isolate)) {
-      if (!debug_bytes->IsSeqOneByteString()) {
-        return false;
-      }
-      DisallowHeapAllocation no_gc;
-      SeqOneByteString* bytes = SeqOneByteString::cast(debug_bytes);
-      if (bytes->length() < 4) return false;
-      if (memcmp(bytes->GetChars(), "\0asm", 4)) return false;
-      // All checks passed.
-    }
-    return true;
+  if (!obj->GetInternalField(kWasmModuleCodeTable)->IsFixedArray() ||
+      !(mem->IsUndefined(isolate) || mem->IsJSArrayBuffer()) ||
+      !obj->GetInternalField(kWasmFunctionNamesArray)->IsByteArray() ||
+      !WasmCompiledModule::IsWasmCompiledModule(
+          obj->GetInternalField(kWasmCompiledModule))) {
+    return false;
   }
-  return false;
+
+  // All checks passed.
+  return true;
 }
 
 SeqOneByteString* GetWasmBytes(JSObject* wasm) {
   return SeqOneByteString::cast(wasm->GetInternalField(kWasmModuleBytesString));
 }
 
 Handle<WasmDebugInfo> GetDebugInfo(Handle<JSObject> wasm) {
   Handle<Object> info(wasm->GetInternalField(kWasmDebugInfo),
                       wasm->GetIsolate());
   if (!info->IsUndefined(wasm->GetIsolate()))
@@ skipping 259 matching lines @@
   WasmCompiledModule* compiled_module =
       WasmCompiledModule::cast(instance->GetInternalField(kWasmCompiledModule));
   CHECK(compiled_module->has_weak_module_object());
   CHECK(compiled_module->ptr_to_weak_module_object()->cleared());
 }
 
 }  // namespace testing
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8