src/compiler/wasm-compiler.cc - Issue 2373613004: [wasm] Fix bounds check of a store instruction after a grow_memory instruction

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/compiler/wasm-compiler.cc

Issue 2373613004: [wasm] Fix bounds check of a store instruction after a grow_memory instruction (Closed)

Patch Set: Ben's review Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/compiler/wasm-compiler.cc

diff --git a/src/compiler/wasm-compiler.cc b/src/compiler/wasm-compiler.cc

index b1eb3e6acdacb005304b2e374706e1a492536327..7837a64c9012562ece864f6e8810a07af6386e30 100644

--- a/src/compiler/wasm-compiler.cc

+++ b/src/compiler/wasm-compiler.cc

@@ -2770,19 +2770,34 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,

// Check against the effective size.

size_t effective_size;

- if (offset >= size || (static_cast<uint64_t>(offset) + memsize) > size) {

+ if (size == 0) {

effective_size = 0;

+ } else if (offset >= size ||

+ (static_cast<uint64_t>(offset) + memsize) > size) {

+ // Two checks are needed in the case where the offset is statically

+ // out of bounds; one check for the offset being in bounds, and the next for

+ // the offset + index being out of bounds for code to be patched correctly

+ // on relocation.

+ effective_size = size - memsize + 1;

+ Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(),

+ jsgraph()->IntPtrConstant(offset),

+ jsgraph()->RelocatableInt32Constant(

+ static_cast<uint32_t>(effective_size),

+ RelocInfo::WASM_MEMORY_SIZE_REFERENCE));

+ trap_->AddTrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);

+ DCHECK(offset >= effective_size);

+ effective_size = offset - effective_size;

} else {

effective_size = size - offset - memsize + 1;

- }

- CHECK(effective_size <= kMaxUInt32);

- Uint32Matcher m(index);

- if (m.HasValue()) {

- uint32_t value = m.Value();

- if (value < effective_size) {

- // The bounds check will always succeed.

- return;

+ CHECK(effective_size <= kMaxUInt32);

+ Uint32Matcher m(index);

+ if (m.HasValue()) {

+ uint32_t value = m.Value();

+ if (value < effective_size) {

+ // The bounds check will always succeed.

+ return;

+ }

}

« no previous file with comments | « no previous file | test/cctest/wasm/test-run-wasm-module.cc » ('j') | no next file with comments »