
Commit f6d5504

Ben L. TitzerCommit Bot
authored andcommitted
[wasm] Fix patching of table sizes.
BUG=chromium:752423 [email protected],[email protected] Change-Id: Ie6d80a82cd40b598e917a79842e6639e73be9194 Reviewed-on: https://chromium-review.googlesource.com/606587 Reviewed-by: Mircea Trofin <[email protected]> Commit-Queue: Ben Titzer <[email protected]> Cr-Commit-Position: refs/heads/master@{#47251}
1 parent 7f58863 commit f6d5504

2 files changed

Lines changed: 34 additions & 5 deletions


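--- a/src/assembler.cc
+++ b/src/assembler.cc
@@ -341,11 +341,7 @@ void RelocInfo::update_wasm_function_table_size_reference(
 Isolate* isolate, uint32_t old_size, uint32_t new_size,
 ICacheFlushMode icache_flush_mode) {
 DCHECK(IsWasmFunctionTableSizeReference(rmode_));
-uint32_t current_size_reference = wasm_function_table_size_reference();
-uint32_t updated_size_reference =
-new_size + (current_size_reference - old_size);
-unchecked_update_wasm_size(isolate, updated_size_reference,
-icache_flush_mode);
+unchecked_update_wasm_size(isolate, new_size, icache_flush_mode);
 }
 
 void RelocInfo::set_target_address(Isolate* isolate, Address target,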
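Review bot: `old_size` is no longer read in update_wasm_function_table_size_reference now that the delta computation is gone, yet it remains in the signature, so callers still pass a value that has no effect. Because the new line writes `new_size` through the unchecked updater, I would add a comment above it such as `// Write the absolute size; do not patch relative to old_size, which may not match the value currently embedded.` to record why the relative form was dropped. The embedded value appears to be the limit that indirect-call bounds checks compare against (the regression test in this commit expects an out-of-bounds trap), so a wrong value here would be a memory-safety problem rather than a cosmetic one. Consider removing the parameter in a follow-up, or marking it unused.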
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
// Copyright 2017 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
// Flags: --expose-wasm
6+
7+
'use strict';
8+
9+
load("test/mjsunit/wasm/wasm-constants.js");
10+
load("test/mjsunit/wasm/wasm-module-builder.js");
11+
12+
var builder = new WasmModuleBuilder();
13+
builder.addImportedTable("x", "table", 1, 10000000);
14+
builder.addFunction("main", kSig_i_i)
15+
.addBody([
16+
kExprI32Const, 0,
17+
kExprGetLocal, 0,
18+
kExprCallIndirect, 0, kTableZero])
19+
.exportAs("main");
20+
let module = new WebAssembly.Module(builder.toBuffer());
21+
let table = new WebAssembly.Table({element: "anyfunc",
22+
initial: 1, maximum:1000000});
23+
let instance = new WebAssembly.Instance(module, {x: {table:table}});
24+
25+
table.grow(0x40001);
26+
27+
let instance2 = new WebAssembly.Instance(module, {x: {table:table}});
28+
29+
try {
30+
instance2.exports.main(402982); // should be OOB
31+
} catch (e) {
32+
print("Correctly caught: ", e);
33+
}
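Review bot: The try/catch around `instance2.exports.main(402982)` passes whether or not the call throws, so this test only catches a regression if the out-of-bounds indirect call happens to crash the process. Assert the trap explicitly, for example `assertThrows(() => instance2.exports.main(402982), WebAssembly.RuntimeError);`, so that a call which silently succeeds past the table bound fails the test. It would also help to add a comment stating the table length after `table.grow(0x40001)`, so the reader can see that index 402982 is beyond it.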
