
[wasm] [interpreter] Fix cross-instance indirect calls

The existing access to the signatures is plain wrong. This CL fixes
this.
Note that cross-instance indirect calls have only been enabled for a few
days (https://crrev.com/c/778159), which is why this bug was not
detected before.

R=titzer@chromium.org

Bug: chromium:787910
Change-Id: Iaac4d1d85840c921eb8554c5094933ec8d987802
Reviewed-on: https://chromium-review.googlesource.com/787312
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49607}
hammacher authored and Commit Bot committed Nov 23, 2017
1 parent 6e689c9 commit 0bc1b967f2b91779abf1f5b209ac1b4114dfe4c6
Showing with 27 additions and 2 deletions.
  1. +1 −2 src/wasm/wasm-interpreter.cc
  2. +26 −0 test/mjsunit/wasm/interpreter.js
@@ -2505,8 +2505,7 @@ class ThreadImpl {
// Call the code object. Use a new HandleScope to avoid leaking /
// accumulating handles in the outer scope.
HandleScope handle_scope(isolate);
FunctionSig* signature =
&codemap()->module()->signatures[table_index][sig_index];
FunctionSig* signature = module()->signatures[sig_index];
return CallCodeObject(isolate, handle(target, isolate), signature);
}
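Review bot: the removed expression `&codemap()->module()->signatures[table_index][sig_index]` double-indexes a flat list: since the replacement assigns `module()->signatures[sig_index]` straight to a `FunctionSig*`, each element is itself a pointer, so the old `[table_index][sig_index]` compiled as pointer arithmetic on one `FunctionSig*` and yielded an out-of-bounds address whenever `sig_index` was non-zero. The new lookup is right, but nothing in the hunk shows `sig_index` being bounds-checked against `module()->signatures`; a `DCHECK_LT(sig_index, module()->signatures.size())` or a comment pointing at where the decoder validated it would make that invariant visible here. Also worth checking that `table_index` is still used elsewhere in this function now that it no longer takes part in the signature lookup.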

@@ -467,3 +467,29 @@ function checkStack(stack, expected_lines) {
table.set(0, instance1.exports.func);
instance2.exports.call_func();
})();

(function testTableCall2() {
// See crbug.com/787910.
print(arguments.callee.name);
const builder1 = new WasmModuleBuilder();
builder1.addFunction('exp', kSig_i_i)
.addBody([kExprI32Const, 0])
.exportFunc();
const instance1 = builder1.instantiate();
const builder2 = new WasmModuleBuilder();
const sig1 = builder2.addType(kSig_i_v);
const sig2 = builder2.addType(kSig_i_i);
builder2.addFunction('call2', kSig_i_v)
.addBody([
kExprI32Const, 0, kExprI32Const, 0, kExprCallIndirect, sig2, kTableZero
])
.exportAs('call2');
builder2.addImportedTable('imp', 'table');
const tab = new WebAssembly.Table({
element: 'anyfunc',
initial: 3,
});
const instance2 = builder2.instantiate({imp: {table: tab}});
tab.set(0, instance1.exports.exp);
instance2.exports.call2();
})();
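Review bot: `sig1` is declared but never referenced, which looks like dead code but is what gives `sig2` a non-zero type index, and a non-zero `sig_index` is exactly what made the old interpreter lookup read out of bounds; a one-line comment next to `const sig1 = ...` saying it exists only to push `sig2` to index 1 would stop a later cleanup from deleting it and silently neutering the regression test. The test also never checks the result of the call: since `exp` returns the constant 0, `assertEquals(0, instance2.exports.call2());` would catch a wrong-signature lookup that happens not to crash, instead of passing as long as nothing throws.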
