[wasm] Fix decoding of shared global index space

src/wasm/module-decoder.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/wasm/module-decoder.h"
 
 #include "src/base/functional.h"
 #include "src/base/platform/platform.h"
 #include "src/flags.h"
 #include "src/macro-assembler.h"
@@ skipping 379 matching lines @@
         consume_resizable_limits("memory", "pages", WasmModule::kMaxLegalPages,
                                  &module->min_mem_pages,
                                  &module->max_mem_pages);
       }
       section_iter.advance();
     }
 
     // ===== Global section ==================================================
     if (section_iter.section_code() == kGlobalSectionCode) {
       uint32_t globals_count = consume_u32v("globals count");
-      module->globals.reserve(SafeReserve(globals_count));
+      uint32_t imported_globals = static_cast<uint32_t>(module->globals.size());
+      if (!IsWithinLimit(kMaxReserve, globals_count, imported_globals)) {

[Derek Schuff, 2016/10/12 05:35:19]

OK, so I was afraid this would be a problem; I was trying to worry about the sum
of the imported + defined globals overflowing some nebulous limit, but obviously
kMaxReserve is too small (it's causing the test failure). So, any suggestions?
INT_MAX? Just cast to int64 and do UINT_MAX? Something in between?

+        error(pos, pos, "too many imported+defined globals: %u + %u",
+              imported_globals, globals_count);
+      }
+      module->globals.reserve(SafeReserve(imported_globals + globals_count));
       for (uint32_t i = 0; ok() && i < globals_count; ++i) {
         TRACE("DecodeGlobal[%d] module+%d\n", i,
               static_cast<int>(pc_ - start_));
         // Add an uninitialized global and pass a pointer to it.
         module->globals.push_back(
             {kAstStmt, false, WasmInitExpr(), 0, false, false});
         WasmGlobal* global = &module->globals.back();
-        DecodeGlobalInModule(module, i, global);
+        DecodeGlobalInModule(module, i + imported_globals, global);
       }
       section_iter.advance();
     }
 
     // ===== Export section ==================================================
     if (section_iter.section_code() == kExportSectionCode) {
       uint32_t export_table_count = consume_u32v("export table count");
       module->export_table.reserve(SafeReserve(export_table_count));
       for (uint32_t i = 0; ok() && i < export_table_count; ++i) {
         TRACE("DecodeExportTable[%d] module+%d\n", i,
@@ skipping 191 matching lines @@
       PreinitializeIndirectFunctionTables(module);
     }
     const WasmModule* finished_module = module;
     ModuleResult result = toResult(finished_module);
     if (FLAG_dump_wasm_module) DumpModule(module, result);
     return result;
   }
 
   uint32_t SafeReserve(uint32_t count) {
     // Avoid OOM by only reserving up to a certain size.
-    const uint32_t kMaxReserve = 20000;
     return count < kMaxReserve ? count : kMaxReserve;
   }
 
   // Decodes a single anonymous function starting at {start_}.
   FunctionResult DecodeSingleFunction(ModuleEnv* module_env,
                                       WasmFunction* function) {
     pc_ = start_;
     function->sig = consume_sig();            // read signature
     function->name_offset = 0;                // ---- name
     function->name_length = 0;                // ---- name length
@@ skipping 18 matching lines @@
   WasmInitExpr DecodeInitExpr(const byte* start) {
     pc_ = start;
     return consume_init_expr(nullptr, kAstStmt);
   }
 
  private:
   Zone* module_zone;
   ModuleResult result_;
   ModuleOrigin origin_;
 
+  static const uint32_t kMaxReserve = 20000;
+
   uint32_t off(const byte* ptr) { return static_cast<uint32_t>(ptr - start_); }
 
   // Decodes a single global entry inside a module starting at {pc_}.
   void DecodeGlobalInModule(WasmModule* module, uint32_t index,
                             WasmGlobal* global) {
     global->type = consume_value_type();
     global->mutability = consume_u8("mutability") != 0;
     const byte* pos = pc();
     global->init = consume_init_expr(module, kAstStmt);
     switch (global->init.kind) {
       case WasmInitExpr::kGlobalIndex: {
         uint32_t other_index = global->init.val.global_index;
         if (other_index >= index) {
-          error("invalid global index in init expression");
+          error(pos, pos,
+                "invalid global index in init expression, "
+                "index %u, other_index %u",
+                index, other_index);
         } else if (module->globals[other_index].type != global->type) {
           error(pos, pos,
                 "type mismatch in global initialization "
                 "(from global #%u), expected %s, got %s",
                 other_index, WasmOpcodes::TypeName(global->type),
                 WasmOpcodes::TypeName(module->globals[other_index].type));
         }
         break;
       }
       default:
@@ skipping 455 matching lines @@
     decoder.consume_bytes(size);
   }
   if (decoder.more()) decoder.error("unexpected additional bytes");
 
   return decoder.toResult(std::move(table));
 }
 
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8