jiangcuo/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-05-15 17:51:35 +00:00
Code Issues Actions 12 Packages Projects Releases Wiki Activity
a21af4bfb5
node/deps/v8/test/mjsunit/sandbox/wasm-table-import.js
Michaël Zasso 9d7cd9b864
deps: update V8 to 12.8.374.13 
PR-URL: https://github.com/nodejs/node/pull/54077
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
2024-08-16 16:03:01 +02:00

73 lines
2.4 KiB
JavaScript
Raw Blame History

// Copyright 2024 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --sandbox-testing
d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
// module 0
let builder = new WasmModuleBuilder();
let $struct = builder.addStruct([makeField(kWasmI64, true)]);
let $sig0 = builder.addType(makeSig([wasmRefType($struct), kWasmI64], []));
let $sig1_0 = builder.addType(makeSig([kWasmI64, kWasmI64], []));
let $writer = builder.addFunction("writer", $sig0)
.exportFunc()
.addBody([
kExprLocalGet, 0,
kExprLocalGet, 1,
kGCPrefix, kExprStructSet, $struct, 0,
]);
let $placeholder = builder.addFunction("placeholder", $sig1_0).addBody([]);
let $t0 = builder
.addTable(wasmRefType($sig0), 1, 1, [kExprRefFunc, $writer.index])
.exportAs('table0');
let $t1 = builder
.addTable(wasmRefType($sig1_0), 1, 1, [kExprRefFunc, $placeholder.index])
.exportAs('table1');
let instance0 = builder.instantiate();
let { writer, table0, table1 } = instance0.exports;
// module 1
builder = new WasmModuleBuilder();
// $sig_1_1 and $sig1_0 are canonicalized to the same index.
let $sig1_1 = builder.addType(makeSig([kWasmI64, kWasmI64], []));
let $boom = builder.addFunction("boom", $sig1_1)
.exportFunc()
.addBody([
kExprLocalGet, 1,
kExprLocalGet, 0,
kExprI32Const, 0,
kExprCallIndirect, $sig1_1, 0,
]);
let $t_imp =
builder.addImportedTable('import', 'table', 1, 1, wasmRefType($sig1_1));
// Prepare corruption utilities.
const kHeapObjectTag = 1;
const kWasmTableEntriesOffset = 12;
let memory = new DataView(new Sandbox.MemoryView(0, 0x100000000));
function getPtr(obj) {
return Sandbox.getAddressOf(obj) + kHeapObjectTag;
}
function getField(obj, offset) {
return memory.getUint32(obj + offset - kHeapObjectTag, true);
}
function setField(obj, offset, value) {
memory.setUint32(obj + offset - kHeapObjectTag, value, true);
}
// Set table1.entries[0] = table0.entries[0].
let t0_entries = getField(getPtr(table0), kWasmTableEntriesOffset);
let t0_entry = getField(t0_entries, 8);
let t1_entries = getField(getPtr(table1), kWasmTableEntriesOffset);
setField(t1_entries, 8, t0_entry);
// All checks pass - table type already equivalent, but entry replaced.
let instance1 = builder.instantiate({'import': {'table': table1}});
instance1.exports.boom(BigInt(Sandbox.targetPage) - 0x7n, 42n);
assertUnreachable("Process should have been killed.");
Reference in New Issue View Git Blame Copy Permalink