jiangcuo/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-05-15 16:01:52 +00:00
Code Issues Actions 12 Packages Projects Releases Wiki Activity
a21af4bfb5
node/deps/v8/test/mjsunit/sandbox/wasm-table-wasmjsfunction.js
Michaël Zasso 9d7cd9b864
deps: update V8 to 12.8.374.13 
PR-URL: https://github.com/nodejs/node/pull/54077
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
2024-08-16 16:03:01 +02:00

86 lines
2.7 KiB
JavaScript
Raw Blame History

// Copyright 2024 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --sandbox-testing --experimental-wasm-type-reflection
d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
// module 0
let builder = new WasmModuleBuilder();
let $struct = builder.addStruct([makeField(kWasmI64, true)]);
let $sig0 = builder.addType(makeSig([], [wasmRefType($struct)]));
let sig1 = kSig_l_v;
let $sig1 = builder.addType(sig1);
let $sig0_func = builder.addFunction("sig0_placeholder", $sig0).addBody([
kGCPrefix, kExprStructNewDefault, $struct
]);
let $sig1_func = builder.addFunction("placeholder", $sig1).addBody([
kExprI64Const, 0,
]);
let $t0 = builder
.addTable(wasmRefType($sig0), 1, 1, [kExprRefFunc, $sig0_func.index])
.exportAs('table0');
let $t1 = builder
.addTable(wasmRefType($sig1), 1, 1, [kExprRefFunc, $sig1_func.index])
.exportAs('table1');
let instance0 = builder.instantiate();
let { table0, table1 } = instance0.exports;
// module 1
builder = new WasmModuleBuilder();
$struct = builder.addStruct([makeField(kWasmI64, true)]);
$sig0 = builder.addType(makeSig([], [wasmRefType($struct)]));
$sig1 = builder.addType(sig1);
let $boom = builder.addFunction("boom", kSig_v_v)
.exportFunc()
.addBody([
kExprI32Const, 0,
kExprCallIndirect, $sig0, 0,
kExprI64Const, 12,
kGCPrefix, kExprStructSet, $struct, 0,
]);
let $t_imp =
builder.addImportedTable('import', 'table', 1, 1, wasmRefType($sig0));
// Prepare corruption utilities.
const kHeapObjectTag = 1;
const kWasmTableObjectTypeOffset = 28;
let memory = new DataView(new Sandbox.MemoryView(0, 0x100000000));
function getPtr(obj) {
return Sandbox.getAddressOf(obj) + kHeapObjectTag;
}
function getField(obj, offset) {
return memory.getUint32(obj + offset - kHeapObjectTag, true);
}
function setField(obj, offset, value) {
memory.setUint32(obj + offset - kHeapObjectTag, value, true);
}
const kRef = 9;
const kSmiTagSize = 1;
const kHeapTypeShift = 5;
// Put a WasmJSFunction into table1 while it still has type $sig1.
table1.set(0, new WebAssembly.Function(
{parameters: [], results: ['i64']},
() => BigInt(Sandbox.targetPage)));
// Now set table1's type to $sig0.
let t0 = getPtr(table0);
let t1 = getPtr(table1);
let t0_type = getField(t0, kWasmTableObjectTypeOffset);
let expected_old_type = (($sig1 << kHeapTypeShift) | kRef) << kSmiTagSize;
assertEquals(expected_old_type, getField(t1, kWasmTableObjectTypeOffset));
setField(t1, kWasmTableObjectTypeOffset, t0_type);
// Instantiation accepts the table due to its corrupted type.
let instance1 = builder.instantiate({'import': {'table': table1}});
instance1.exports.boom();
assertUnreachable("Process should have been killed.");
Reference in New Issue View Git Blame Copy Permalink