Side by Side Diff: src/compiler/wasm-compiler.cc

Issue 2373613004: [wasm] Fix bounds check of a store instruction after a grow_memory instruction (Closed)
Patch Set: Ben's review Created 4 years, 2 months ago
1 // Copyright 2015 the V8 project authors. All rights reserved. 1 // Copyright 2015 the V8 project authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "src/compiler/wasm-compiler.h" 5 #include "src/compiler/wasm-compiler.h"
6 6
7 #include <memory> 7 #include <memory>
8 8
9 #include "src/isolate-inl.h" 9 #include "src/isolate-inl.h"
10 10
2763 2763
2764 void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index, 2764 void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
2765 uint32_t offset, 2765 uint32_t offset,
2766 wasm::WasmCodePosition position) { 2766 wasm::WasmCodePosition position) {
2767 DCHECK(module_ && module_->instance); 2767 DCHECK(module_ && module_->instance);
2768 uint32_t size = module_->instance->mem_size; 2768 uint32_t size = module_->instance->mem_size;
2769 byte memsize = wasm::WasmOpcodes::MemSize(memtype); 2769 byte memsize = wasm::WasmOpcodes::MemSize(memtype);
2770 2770
2771 // Check against the effective size. 2771 // Check against the effective size.
2772 size_t effective_size; 2772 size_t effective_size;
2773 if (offset >= size || (static_cast<uint64_t>(offset) + memsize) > size) { 2773 if (size == 0) {
2774 effective_size = 0; 2774 effective_size = 0;
2775 } else if (offset >= size ||
2776 (static_cast<uint64_t>(offset) + memsize) > size) {
2777 // Two checks are needed in the case where the offset is statically
2778 // out of bounds; one check for the offset being in bounds, and the next for
2779 // the offset + index being out of bounds for code to be patched correctly
2780 // on relocation.
2781 effective_size = size - memsize + 1;
2782 Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(),
2783 jsgraph()->IntPtrConstant(offset),
2784 jsgraph()->RelocatableInt32Constant(
2785 static_cast<uint32_t>(effective_size),
2786 RelocInfo::WASM_MEMORY_SIZE_REFERENCE));
2787 trap_->AddTrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
2788 DCHECK(offset >= effective_size);
2789 effective_size = offset - effective_size;
2775 } else { 2790 } else {
2776 effective_size = size - offset - memsize + 1; 2791 effective_size = size - offset - memsize + 1;
2777 } 2792 CHECK(effective_size <= kMaxUInt32);
2778 CHECK(effective_size <= kMaxUInt32);
2779 2793
2780 Uint32Matcher m(index); 2794 Uint32Matcher m(index);
2781 if (m.HasValue()) { 2795 if (m.HasValue()) {
2782 uint32_t value = m.Value(); 2796 uint32_t value = m.Value();
2783 if (value < effective_size) { 2797 if (value < effective_size) {
2784 // The bounds check will always succeed. 2798 // The bounds check will always succeed.
2785 return; 2799 return;
2800 }
2786 } 2801 }
2787 } 2802 }
2788 2803
2789 Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(), index, 2804 Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(), index,
2790 jsgraph()->RelocatableInt32Constant( 2805 jsgraph()->RelocatableInt32Constant(
2791 static_cast<uint32_t>(effective_size), 2806 static_cast<uint32_t>(effective_size),
2792 RelocInfo::WASM_MEMORY_SIZE_REFERENCE)); 2807 RelocInfo::WASM_MEMORY_SIZE_REFERENCE));
2793 trap_->AddTrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position); 2808 trap_->AddTrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
2794 } 2809 }
2795 2810
3310 function_->code_start_offset), 3325 function_->code_start_offset),
3311 compile_ms); 3326 compile_ms);
3312 } 3327 }
3313 3328
3314 return code; 3329 return code;
3315 } 3330 }
3316 3331
3317 } // namespace compiler 3332 } // namespace compiler
3318 } // namespace internal 3333 } // namespace internal
3319 } // namespace v8 3334 } // namespace v8
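Review bot: The statically-out-of-bounds branch computes `effective_size = size - memsize + 1;` with no guard for `size < memsize`; the new `size == 0` test covers only the zero case, so for a non-zero `size` smaller than the access width the uint32 subtraction wraps, the following `DCHECK(offset >= effective_size)` fires only in debug builds, and a release build embeds the wrapped value in both trap conditions. If `mem_size` is always page-granular this is unreachable, but nothing in the function records that assumption; a `DCHECK(size >= memsize);` right before the subtraction, or widening the first test to `if (size < memsize)` (which traps every access exactly as the zero case does), would pin it down. The `size == 0` arm also deserves a comment such as `// No memory: effective_size 0 makes the Uint32LessThan below always false, so every access traps.`, and whether the relocated constant later accounts for `offset` and `memsize` after a grow from zero cannot be judged from this file, so a test for that path would be worth adding. Moving the constant-index early return into the in-bounds branch is the right call, since it no longer short-circuits the relocation-dependent paths.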