[wasm] Enforce memory and table limits during instantiation.

src/wasm/wasm-objects.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/wasm/wasm-objects.h"
 #include "src/utils.h"
 
 #include "src/debug/debug-interface.h"
 #include "src/wasm/module-decoder.h"
 #include "src/wasm/wasm-module.h"
@@ skipping 104 matching lines @@
 
 bool WasmModuleObject::IsWasmModuleObject(Object* object) {
   return object->IsJSObject() &&
          JSObject::cast(object)->GetInternalFieldCount() == kFieldCount;
 }
 
 DEFINE_OBJ_GETTER(WasmModuleObject, compiled_module, kCompiledModule,
                   WasmCompiledModule)
 
 Handle<WasmTableObject> WasmTableObject::New(Isolate* isolate, uint32_t initial,
-                                             uint32_t maximum,
+                                             int64_t maximum,
                                              Handle<FixedArray>* js_functions) {
   Handle<JSFunction> table_ctor(
       isolate->native_context()->wasm_table_constructor());
   Handle<JSObject> table_obj = isolate->factory()->NewJSObject(table_ctor);
   *js_functions = isolate->factory()->NewFixedArray(initial);
   Object* null = isolate->heap()->null_value();
   for (int i = 0; i < static_cast<int>(initial); ++i) {
     (*js_functions)->set(i, null);
   }
   table_obj->SetInternalField(kFunctions, *(*js_functions));
-  table_obj->SetInternalField(kMaximum,
-                              static_cast<Object*>(Smi::FromInt(maximum)));
+  Handle<Object> max = isolate->factory()->NewNumber(maximum);
+  table_obj->SetInternalField(kMaximum, *max);
 
   Handle<FixedArray> dispatch_tables = isolate->factory()->NewFixedArray(0);
   table_obj->SetInternalField(kDispatchTables, *dispatch_tables);
   Handle<Symbol> table_sym(isolate->native_context()->wasm_table_sym());
   Object::SetProperty(table_obj, table_sym, table_obj, STRICT).Check();
   return Handle<WasmTableObject>::cast(table_obj);
 }
 
 DEFINE_OBJ_GETTER(WasmTableObject, dispatch_tables, kDispatchTables, FixedArray)
 
@@ skipping 21 matching lines @@
   table_obj->SetInternalField(WasmTableObject::kDispatchTables,
                               *new_dispatch_tables);
 
   return new_dispatch_tables;
 }
 
 DEFINE_OBJ_ACCESSORS(WasmTableObject, functions, kFunctions, FixedArray)
 
 uint32_t WasmTableObject::current_length() { return functions()->length(); }
 
-uint32_t WasmTableObject::maximum_length() {
-  return SafeUint32(GetInternalField(kMaximum));
+bool WasmTableObject::has_maximum_length() {
+  return GetInternalField(kMaximum)->Number() >= 0;
+}
+
+int64_t WasmTableObject::maximum_length() {
+  return static_cast<int64_t>(GetInternalField(kMaximum)->Number());
 }
 
 WasmTableObject* WasmTableObject::cast(Object* object) {
   DCHECK(object && object->IsJSObject());
   // TODO(titzer): brand check for WasmTableObject.
   return reinterpret_cast<WasmTableObject*>(object);
 }
 
 void WasmTableObject::Grow(Isolate* isolate, Handle<WasmTableObject> table,
                            uint32_t count) {
   Handle<FixedArray> dispatch_tables(table->dispatch_tables());
   wasm::GrowDispatchTables(isolate, dispatch_tables,
                            table->functions()->length(), count);
 }
 
 Handle<WasmMemoryObject> WasmMemoryObject::New(Isolate* isolate,
                                                Handle<JSArrayBuffer> buffer,
-                                               int maximum) {
+                                               int32_t maximum) {
   Handle<JSFunction> memory_ctor(
       isolate->native_context()->wasm_memory_constructor());
   Handle<JSObject> memory_obj =
       isolate->factory()->NewJSObject(memory_ctor, TENURED);
   memory_obj->SetInternalField(kArrayBuffer, *buffer);
-  memory_obj->SetInternalField(kMaximum,
-                               static_cast<Object*>(Smi::FromInt(maximum)));
+  Handle<Object> max = isolate->factory()->NewNumber(maximum);
+  memory_obj->SetInternalField(kMaximum, *max);
   Handle<Symbol> memory_sym(isolate->native_context()->wasm_memory_sym());
   Object::SetProperty(memory_obj, memory_sym, memory_obj, STRICT).Check();
   return Handle<WasmMemoryObject>::cast(memory_obj);
 }
 
 DEFINE_OBJ_ACCESSORS(WasmMemoryObject, buffer, kArrayBuffer, JSArrayBuffer)
 DEFINE_OPTIONAL_OBJ_ACCESSORS(WasmMemoryObject, instances_link, kInstancesLink,
                               WasmInstanceWrapper)
 
 uint32_t WasmMemoryObject::current_pages() {
   return SafeUint32(buffer()->byte_length()) / wasm::WasmModule::kPageSize;
 }
 
+bool WasmMemoryObject::has_maximum_pages() {
+  return GetInternalField(kMaximum)->Number() >= 0;
+}
+
 int32_t WasmMemoryObject::maximum_pages() {
-  return SafeInt32(GetInternalField(kMaximum));
+  return static_cast<int32_t>(GetInternalField(kMaximum)->Number());
 }
 
 WasmMemoryObject* WasmMemoryObject::cast(Object* object) {
   DCHECK(object && object->IsJSObject());
   // TODO(titzer): brand check for WasmMemoryObject.
   return reinterpret_cast<WasmMemoryObject*>(object);
 }
 
 void WasmMemoryObject::AddInstance(Isolate* isolate,
                                    Handle<WasmInstanceObject> instance) {
@@ skipping 616 matching lines @@
       !array->get(kPreviousInstanceWrapper)->IsFixedArray())
     return false;
   return true;
 }
 
 void WasmInstanceWrapper::set_instance_object(Handle<JSObject> instance,
                                               Isolate* isolate) {
   Handle<WeakCell> cell = isolate->factory()->NewWeakCell(instance);
   set(kWrapperInstanceObject, *cell);
 }