[wasm] Fix DCHECK handiling pending exceptions.

+ additional fixes uncovered by bug, and addressed remaining feedback from original CL (https://codereview.chromium.org/2806073002/). Note that the regression test differs slightly from the bug reported one, in that it catches the RangeError which will eventually be thrown due to call stack size being exceeded. BUG=chromium:712569 Review-Url: https://codereview.chromium.org/2825073002 Cr-Commit-Position: refs/heads/master@{#44700}
zhuzhuaicoding · Apr 18, 2017 · 9cc6729 · 9cc6729
1 parent 5930e0a
commit 9cc6729
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 8 deletions.
diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
@@ -32,12 +32,15 @@ namespace v8 {
 
 namespace {
 
-#define ASSIGN(type, var, expr)                   \
-  Local<type> var;                                \
-  do {                                            \
-    if (!expr.ToLocal(&var)) {                    \
-      DCHECK(i_isolate->has_pending_exception()); \
-    }                                             \
+#define ASSIGN(type, var, expr)                      \
+  Local<type> var;                                   \
+  do {                                               \
+    if (!expr.ToLocal(&var)) {                       \
+      DCHECK(i_isolate->has_scheduled_exception());  \
+      return;                                        \
+    } else {                                         \
+      DCHECK(!i_isolate->has_scheduled_exception()); \
+    }                                                \
   } while (false)
 
 // TODO(wasm): move brand check to the respective types, and don't throw
@@ -125,7 +128,7 @@ i::wasm::ModuleWireBytes GetFirstArgumentAsBytes(
   return i::wasm::ModuleWireBytes(start, start + length);
 }
 
-i::MaybeHandle<i::JSReceiver> GetValueAsImports(const Local<Value>& arg,
+i::MaybeHandle<i::JSReceiver> GetValueAsImports(Local<Value> arg,
                                                 ErrorThrower* thrower) {
   if (arg->IsUndefined()) return {};
 
@@ -320,8 +323,9 @@ void WebAssemblyInstantiateToPairCallback(
   const uint8_t* module_str = reinterpret_cast<const uint8_t*>("module");
   Local<Value> instance;
   if (!WebAssemblyInstantiateImpl(isolate, module, args.Data())
-           .ToLocal(&instance))
+           .ToLocal(&instance)) {
     return;
+  }
 
   Local<Object> ret = Object::New(isolate);
   Local<String> instance_name =

diff --git a/test/mjsunit/regress/wasm/regress-712569.js b/test/mjsunit/regress/wasm/regress-712569.js
@@ -0,0 +1,20 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+
+var v11 = {};
+Object.defineProperty(v11.__proto__, 0, {
+  get: function() {
+  },
+  set: function() {
+    try {
+      WebAssembly.instantiate();
+      v11[0] = 0;
+    } catch (e) {
+      assertTrue(e instanceof RangeError);
+    }
+  }
+});
+v66 = new Array();
+cv = v66; cv[0] = 0.1; cv[2] = 0.2;