Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: cherry-pick 1 change from Release-2-M122 (#41520)
- Loading branch information
Showing
2 changed files
with
38 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
37 changes: 37 additions & 0 deletions
37
patches/v8/merged_wasm_add_bounds_check_in_tier-up_of_wasm-to-js_wrapper.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 | ||
| From: Andreas Haas <ahaas@chromium.org> | ||
| Date: Tue, 20 Feb 2024 16:27:22 +0100 | ||
| Subject: Merged: [wasm] Add bounds check in tier-up of wasm-to-js wrapper | ||
|
|
||
| The entry index in the WasmApiFunctionRef was used to look for the given | ||
| WasmApiFunctionRef in the indirect function tables, but it was not | ||
| considered that the indirect function tables can have different lengths. | ||
|
|
||
| R=clemensb@chromium.org | ||
|
|
||
| Bug: 325893559 | ||
|
|
||
| (cherry picked from commit 7330f46163e8a2c10a3d40ecbf554656f0ac55e8) | ||
|
|
||
| Change-Id: I52355890e21490c75566216985680c64e0b0db75 | ||
| Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5323850 | ||
| Commit-Queue: Andreas Haas <ahaas@chromium.org> | ||
| Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> | ||
| Cr-Commit-Position: refs/branch-heads/12.2@{#38} | ||
| Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1} | ||
| Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934} | ||
|
|
||
| diff --git a/src/runtime/runtime-wasm.cc b/src/runtime/runtime-wasm.cc | ||
| index 5f711bc606633bd916356f0eca5799ce63760dbd..1077e6bb3ec359ef540987d030e244f1789aa14d 100644 | ||
| --- a/src/runtime/runtime-wasm.cc | ||
| +++ b/src/runtime/runtime-wasm.cc | ||
| @@ -602,7 +602,8 @@ RUNTIME_FUNCTION(Runtime_TierUpWasmToJSWrapper) { | ||
| for (int table_index = 0; table_index < table_count; ++table_index) { | ||
| Handle<WasmIndirectFunctionTable> table = | ||
| instance->GetIndirectFunctionTable(isolate, table_index); | ||
| - if (table->refs()->get(entry_index) == *ref) { | ||
| + if (entry_index < table->refs()->length() && | ||
| + table->refs()->get(entry_index) == *ref) { | ||
| table->targets() | ||
| ->set<ExternalPointerTag::kWasmIndirectFunctionTargetTag>( | ||
| entry_index, isolate, wasm_code->instruction_start()); |