[wasm] Fix bounds check of a store instruction after a grow_memory instruction

test/cctest/wasm/test-run-wasm-module.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stdlib.h>
 #include <string.h>
 
 #include "src/wasm/encoder.h"
 #include "src/wasm/module-decoder.h"
 #include "src/wasm/wasm-macro-gen.h"
@@ skipping 16 matching lines @@
   builder->WriteTo(buffer);
 
   Isolate* isolate = CcTest::InitIsolateOnce();
   HandleScope scope(isolate);
   testing::SetupIsolateForWasmModule(isolate);
   int32_t result = testing::CompileAndRunWasmModule(
       isolate, buffer.begin(), buffer.end(), ModuleOrigin::kWasmOrigin);
   CHECK_EQ(expected_result, result);
 }
 
+void TestModuleException(Zone* zone, WasmModuleBuilder* builder) {
+  ZoneBuffer buffer(zone);
+  builder->WriteTo(buffer);
+
+  Isolate* isolate = CcTest::InitIsolateOnce();
+  HandleScope scope(isolate);
+  testing::SetupIsolateForWasmModule(isolate);
+  v8::TryCatch try_catch(reinterpret_cast<v8::Isolate*>(isolate));
+  testing::CompileAndRunWasmModule(isolate, buffer.begin(), buffer.end(),
+                                   ModuleOrigin::kWasmOrigin);
+  CHECK(try_catch.HasCaught());
+  isolate->clear_pending_exception();
+}
+
 void ExportAs(WasmFunctionBuilder* f, const char* name) {
   f->SetExported();
   f->SetName(name, static_cast<int>(strlen(name)));
 }
 
 void ExportAsMain(WasmFunctionBuilder* f) {
   static const char kMainName[] = "main";
   ExportAs(f, kMainName);
 }
 
@@ skipping 213 matching lines @@
   v8::internal::AccountingAllocator allocator;
   Zone zone(&allocator);
   WasmModuleBuilder* builder = new (&zone) WasmModuleBuilder(&zone);
   WasmFunctionBuilder* f = builder->AddFunction(sigs.i_v());
   ExportAsMain(f);
   byte code[] = {WASM_IF_ELSE_I(WASM_I32V(0), WASM_GROW_MEMORY(WASM_I32V(1)),
                                 WASM_I32V(12))};
   f->EmitCode(code, sizeof(code));
   TestModule(&zone, builder, 12);
 }
+
+TEST(Run_WasmModule_GrowMemOobOffset) {
+  static const int kPageSize = 0x10000;
+  // Initial memory size = 16 + GrowMemory(10)
+  static const int index = kPageSize * 17 + 4;
+  int value = 0xaced;
+  TestSignatures sigs;
+  v8::internal::AccountingAllocator allocator;
+  Zone zone(&allocator);
+
+  WasmModuleBuilder* builder = new (&zone) WasmModuleBuilder(&zone);
+  WasmFunctionBuilder* f = builder->AddFunction(sigs.i_v());
+  ExportAsMain(f);
+  byte code[] = {
+      WASM_GROW_MEMORY(WASM_I8(1)),
+      WASM_STORE_MEM(MachineType::Int32(), WASM_I32V(index), WASM_I32V(value))};
+  f->EmitCode(code, sizeof(code));
+  TestModuleException(&zone, builder);
+}
+
+TEST(Run_WasmModule_GrowMemOobFixedIndex) {
+  static const int kPageSize = 0x10000;
+  // Initial memory size = 16 + GrowMemory(10)
+  static const int index = kPageSize * 26 + 4;
+  int value = 0xaced;
+  TestSignatures sigs;
+  Isolate* isolate = CcTest::InitIsolateOnce();
+  Zone zone(isolate->allocator());
+
+  WasmModuleBuilder* builder = new (&zone) WasmModuleBuilder(&zone);
+  WasmFunctionBuilder* f = builder->AddFunction(sigs.i_i());
+  ExportAsMain(f);
+  byte code[] = {
+      WASM_GROW_MEMORY(WASM_GET_LOCAL(0)), WASM_DROP,
+      WASM_STORE_MEM(MachineType::Int32(), WASM_I32V(index), WASM_I32V(value)),
+      WASM_LOAD_MEM(MachineType::Int32(), WASM_I32V(index))};
+  f->EmitCode(code, sizeof(code));
+
+  HandleScope scope(isolate);
+  ZoneBuffer buffer(&zone);
+  builder->WriteTo(buffer);
+  testing::SetupIsolateForWasmModule(isolate);
+
+  Handle<JSObject> instance = testing::CompileInstantiateWasmModuleForTesting(
+      isolate, &zone, buffer.begin(), buffer.end(), ModuleOrigin::kWasmOrigin);
+  CHECK(!instance.is_null());
+
+  // Initial memory size is 16 pages, should trap till index > MemSize on
+  // consecutive GrowMem calls
+  for (uint32_t i = 1; i < 5; i++) {
+    Handle<Object> params[1] = {Handle<Object>(Smi::FromInt(i), isolate)};
+    v8::TryCatch try_catch(reinterpret_cast<v8::Isolate*>(isolate));
+    testing::RunWasmModuleForTesting(isolate, instance, 1, params,
+                                     ModuleOrigin::kWasmOrigin);
+    CHECK(try_catch.HasCaught());
+    isolate->clear_pending_exception();
+  }
+
+  Handle<Object> params[1] = {Handle<Object>(Smi::FromInt(1), isolate)};
+  int32_t result = testing::RunWasmModuleForTesting(
+      isolate, instance, 1, params, ModuleOrigin::kWasmOrigin);
+  CHECK(result == 0xaced);
+}
+
+TEST(Run_WasmModule_GrowMemOobVariableIndex) {
+  static const int kPageSize = 0x10000;
+  int value = 0xaced;
+  TestSignatures sigs;
+  Isolate* isolate = CcTest::InitIsolateOnce();
+  v8::internal::AccountingAllocator allocator;
+  Zone zone(&allocator);
+
+  WasmModuleBuilder* builder = new (&zone) WasmModuleBuilder(&zone);
+  WasmFunctionBuilder* f = builder->AddFunction(sigs.i_i());
+  ExportAsMain(f);
+  byte code[] = {
+      WASM_GROW_MEMORY(WASM_I8(1)), WASM_DROP,
+      WASM_STORE_MEM(MachineType::Int32(), WASM_GET_LOCAL(0), WASM_I32V(value)),
+      WASM_LOAD_MEM(MachineType::Int32(), WASM_GET_LOCAL(0))};
+  f->EmitCode(code, sizeof(code));
+
+  HandleScope scope(isolate);
+  ZoneBuffer buffer(&zone);
+  builder->WriteTo(buffer);
+  testing::SetupIsolateForWasmModule(isolate);
+
+  Handle<JSObject> instance = testing::CompileInstantiateWasmModuleForTesting(
+      isolate, &zone, buffer.begin(), buffer.end(), ModuleOrigin::kWasmOrigin);
+
+  CHECK(!instance.is_null());
+
+  // Initial memory size is 16 pages, should trap till index > MemSize on
+  // consecutive GrowMem calls
+  for (int i = 1; i < 5; i++) {
+    Handle<Object> params[1] = {
+        Handle<Object>(Smi::FromInt((16 + i) * kPageSize - 3), isolate)};
+    v8::TryCatch try_catch(reinterpret_cast<v8::Isolate*>(isolate));
+    testing::RunWasmModuleForTesting(isolate, instance, 1, params,
+                                     ModuleOrigin::kWasmOrigin);
+    CHECK(try_catch.HasCaught());
+    isolate->clear_pending_exception();
+  }
+
+  for (int i = 1; i < 5; i++) {
+    Handle<Object> params[1] = {
+        Handle<Object>(Smi::FromInt((20 + i) * kPageSize - 4), isolate)};
+    int32_t result = testing::RunWasmModuleForTesting(
+        isolate, instance, 1, params, ModuleOrigin::kWasmOrigin);
+    CHECK(result == 0xaced);
+  }
+
+  v8::TryCatch try_catch(reinterpret_cast<v8::Isolate*>(isolate));
+  Handle<Object> params[1] = {
+      Handle<Object>(Smi::FromInt(25 * kPageSize), isolate)};
+  testing::RunWasmModuleForTesting(isolate, instance, 1, params,
+                                   ModuleOrigin::kWasmOrigin);
+  CHECK(try_catch.HasCaught());
+  isolate->clear_pending_exception();
+}