Bug 1312483: Check that functions assigned to tables are wasm functions earlier before assigning them; r=luke

MozReview-Commit-ID: HNNlvgOxrbG --HG-- extra : rebase_source : e7b0c313459fe777918247ece8b7e810bc054f10
2016-10-24 18:02:19 +02:00 · 2016-10-24 18:02:19 +02:00 · 9c6ff51929
--- a/js/src/asmjs/WasmModule.cpp
+++ b/js/src/asmjs/WasmModule.cpp
@ -595,6 +595,17 @@ Module::initSegments(JSContext* cx,
                                      "elem", "table");
            return false;
        }
+
+        for (uint32_t elemFuncIndex : seg.elemFuncIndices) {
+            if (elemFuncIndex < funcImports.length()) {
+                HandleFunction f = funcImports[elemFuncIndex];
+                if (!IsExportedWasmFunction(f)) {
+                    JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+                                              JSMSG_WASM_BAD_TABLE_VALUE);
+                    return false;
+                }
+            }
+        }
    }

    if (memoryObj) {
@ -630,11 +641,6 @@ Module::initSegments(JSContext* cx,
                MOZ_ASSERT(seg.elemCodeRangeIndices[i] == UINT32_MAX);

                HandleFunction f = funcImports[elemFuncIndex];
-                if (!IsExportedWasmFunction(f)) {
-                    JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_WASM_BAD_TABLE_VALUE);
-                    return false;
-                }
-
                WasmInstanceObject* exportInstanceObj = ExportedFunctionToInstanceObject(f);
                const CodeRange& cr = exportInstanceObj->getExportedFunctionCodeRange(f);
                Instance& exportInstance = exportInstanceObj->instance();
--- a/js/src/jit-test/tests/wasm/import-export.js
+++ b/js/src/jit-test/tests/wasm/import-export.js
@ -438,6 +438,21 @@ assertEq(tbl.get(4)(), 4);
 for (var i = 5; i < 10; i++)
    assertEq(tbl.get(i), null);

+var m = new Module(wasmTextToBinary(`
+    (module
+        (func $their (import "" "func"))
+        (table (import "" "table") 3 anyfunc)
+        (func $my)
+        (elem (i32.const 1) $my)
+        (elem (i32.const 2) $their)
+    )
+`));
+var tbl = new Table({initial:3, element:"anyfunc"});
+assertErrorMessage(() => new Instance(m, { "": { table: tbl, func: () => {}} }), TypeError, /can only assign WebAssembly exported functions to Table/);
+for (var i = 0; i < 3; i++) {
+    assertEq(tbl.get(i), null);
+}
+
 // Cross-instance calls

 var i1 = new Instance(new Module(wasmTextToBinary(`(module (func) (func (param i32) (result i32) (i32.add (get_local 0) (i32.const 1))) (func) (export "f" 1))`)));