[wasm] Fix bounds check for zero initial memory.

src/wasm/wasm-module.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <memory>
 
 #include "src/base/atomic-utils.h"
 #include "src/code-stubs.h"
 
 #include "src/macro-assembler.h"
@@ skipping 168 matching lines @@
   }
 #endif
 
   Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
   JSArrayBuffer::Setup(buffer, isolate, false, memory, static_cast<int>(size));
   buffer->set_is_neuterable(false);
   return buffer;
 }
 
 void RelocateInstanceCode(Handle<JSObject> instance, Address old_start,
-                          Address start, uint32_t prev_size,
+                          Address new_start, uint32_t old_size,
                           uint32_t new_size) {
   Handle<FixedArray> functions = Handle<FixedArray>(
       FixedArray::cast(instance->GetInternalField(kWasmModuleCodeTable)));
   for (int i = 0; i < functions->length(); ++i) {
     Handle<Code> function = Handle<Code>(Code::cast(functions->get(i)));
     AllowDeferredHandleDereference embedding_raw_address;
     int mask = (1 << RelocInfo::WASM_MEMORY_REFERENCE) |
-               (1 << RelocInfo::WASM_MEMORY_SIZE_REFERENCE);
+               (1 << RelocInfo::WASM_MEMORY_SIZE_REFERENCE) |
+               (1 << RelocInfo::WASM_MEMTYPE_SIZE_REFERENCE);
+    byte memtype_size;
     for (RelocIterator it(*function, mask); !it.done(); it.next()) {
-      it.rinfo()->update_wasm_memory_reference(old_start, start, prev_size,
-                                               new_size);
+      RelocInfo::Mode mode = it.rinfo()->rmode();
+      if (RelocInfo::IsWasmMemtypeSizeReference(mode)) {
+        DCHECK(old_size == 0);
+        memtype_size = it.rinfo()->wasm_memtype_size_reference();
+      } else if (RelocInfo::IsWasmMemoryReference(mode) ||
+                 (RelocInfo::IsWasmMemorySizeReference(mode) && old_size)) {
+        it.rinfo()->update_wasm_memory_reference(old_start, new_start, old_size,
+                                                 new_size);
+      } else if (RelocInfo::IsWasmMemorySizeReference(mode)) {
+        // memtype_size is only populated when old_size = 0, stashed value
+        // should only be used when growing from 0 memory to calculate that last
+        // legal address and cleared after.
+        if (old_size == 0 && memtype_size != 0) {
+          it.rinfo()->update_wasm_memory_reference(
+              old_start, new_start, old_size, (new_size - memtype_size + 1));
+          memtype_size = 0;
+        }
+      } else {
+        UNREACHABLE();
+      }
     }
   }
 }
 
 void RelocateGlobals(Handle<JSObject> instance, Address old_start,
                      Address globals_start) {
   Handle<FixedArray> functions = Handle<FixedArray>(
       FixedArray::cast(instance->GetInternalField(kWasmModuleCodeTable)));
   uint32_t function_count = static_cast<uint32_t>(functions->length());
   for (uint32_t i = 0; i < function_count; ++i) {
@@ skipping 408 matching lines @@
   Address globals_start =
       GetGlobalStartAddressFromCodeTemplate(undefined, owner);
 
   if (old_mem_size > 0) {
     CHECK_NE(mem_start, undefined);
     old_mem_address =
         static_cast<Address>(JSArrayBuffer::cast(mem_start)->backing_store());
   }
   int mode_mask = RelocInfo::ModeMask(RelocInfo::WASM_MEMORY_REFERENCE) |
                   RelocInfo::ModeMask(RelocInfo::WASM_MEMORY_SIZE_REFERENCE) |
+                  RelocInfo::ModeMask(RelocInfo::WASM_MEMTYPE_SIZE_REFERENCE) |
                   RelocInfo::ModeMask(RelocInfo::WASM_GLOBAL_REFERENCE);
 
   Object* fct_obj = compiled_module->ptr_to_code_table();
   if (fct_obj != nullptr && fct_obj != undefined &&
       (old_mem_size > 0 || globals_start != nullptr)) {
     FixedArray* functions = FixedArray::cast(fct_obj);
     for (int i = 0; i < functions->length(); ++i) {
       Code* code = Code::cast(functions->get(i));
       bool changed = false;
       for (RelocIterator it(code, mode_mask); !it.done(); it.next()) {
@@ skipping 1401 matching lines @@
 Handle<WasmDebugInfo> wasm::GetDebugInfo(Handle<JSObject> wasm) {
   Handle<Object> info(wasm->GetInternalField(kWasmDebugInfo),
                       wasm->GetIsolate());
   if (!info->IsUndefined(wasm->GetIsolate()))
     return Handle<WasmDebugInfo>::cast(info);
   Handle<WasmDebugInfo> new_info = WasmDebugInfo::New(wasm);
   wasm->SetInternalField(kWasmDebugInfo, *new_info);
   return new_info;
 }
 
-bool wasm::UpdateWasmModuleMemory(Handle<JSObject> object, Address old_start,
-                                  Address new_start, uint32_t old_size,
-                                  uint32_t new_size) {
-  DisallowHeapAllocation no_allocation;
-  if (!IsWasmObject(*object)) {
-    return false;
-  }
-
-  // Get code table associated with the module js_object
-  Object* obj = object->GetInternalField(kWasmModuleCodeTable);
-  Handle<FixedArray> code_table(FixedArray::cast(obj));
-
-  // Iterate through the code objects in the code table and update relocation
-  // information
-  for (int i = 0; i < code_table->length(); ++i) {
-    obj = code_table->get(i);
-    Handle<Code> code(Code::cast(obj));
-
-    int mode_mask = RelocInfo::ModeMask(RelocInfo::WASM_MEMORY_REFERENCE) |
-                    RelocInfo::ModeMask(RelocInfo::WASM_MEMORY_SIZE_REFERENCE);
-    for (RelocIterator it(*code, mode_mask); !it.done(); it.next()) {
-      RelocInfo::Mode mode = it.rinfo()->rmode();
-      if (RelocInfo::IsWasmMemoryReference(mode) ||
-          RelocInfo::IsWasmMemorySizeReference(mode)) {
-        it.rinfo()->update_wasm_memory_reference(old_start, new_start, old_size,
-                                                 new_size);
-      }
-    }
-  }
-  return true;
-}
-
 Handle<FixedArray> wasm::BuildFunctionTable(Isolate* isolate, uint32_t index,
                                             const WasmModule* module) {
   const WasmIndirectFunctionTable* table = &module->function_tables[index];
   DCHECK_EQ(table->size, table->values.size());
   DCHECK_GE(table->max_size, table->size);
   Handle<FixedArray> values =
       isolate->factory()->NewFixedArray(2 * table->max_size, TENURED);
   for (uint32_t i = 0; i < table->size; ++i) {
     const WasmFunction* function = &module->functions[table->values[i]];
     int32_t index = table->map.Find(function->sig);
@@ skipping 135 matching lines @@
   Handle<JSArrayBuffer> buffer;
   if (!maybe_mem_buffer.ToHandle(&buffer)) {
     return 0;
   } else {
     return buffer->byte_length()->Number() / WasmModule::kPageSize;
   }
 }
 
 int32_t wasm::GrowInstanceMemory(Isolate* isolate, Handle<JSObject> instance,
                                  uint32_t pages) {
-  if (pages == 0) {
-    return GetInstanceMemorySize(isolate, instance);
-  }
+  if (!IsWasmObject(*instance)) return -1;
+  if (pages == 0) return GetInstanceMemorySize(isolate, instance);
   Address old_mem_start = nullptr;
   uint32_t old_size = 0, new_size = 0;
 
   MaybeHandle<JSArrayBuffer> maybe_mem_buffer =
       GetInstanceMemory(isolate, instance);
   Handle<JSArrayBuffer> old_buffer;
   if (!maybe_mem_buffer.ToHandle(&old_buffer)) {
     // If module object does not have linear memory associated with it,
     // Allocate new array buffer of given size.
     // TODO(gdeepti): Fix bounds check to take into account size of memtype.
@@ skipping 16 matching lines @@
       WasmModule::kMaxMemPages * WasmModule::kPageSize <= new_size) {
     return -1;
   }
   Handle<JSArrayBuffer> buffer = NewArrayBuffer(isolate, new_size);
   if (buffer.is_null()) return -1;
   Address new_mem_start = static_cast<Address>(buffer->backing_store());
   if (old_size != 0) {
     memcpy(new_mem_start, old_mem_start, old_size);
   }
   SetInstanceMemory(instance, *buffer);
-  if (!UpdateWasmModuleMemory(instance, old_mem_start, new_mem_start, old_size,
-                              new_size)) {
-    return -1;
-  }
+  RelocateInstanceCode(instance, old_mem_start, new_mem_start, old_size,
+                       new_size);
   DCHECK(old_size % WasmModule::kPageSize == 0);
   return (old_size / WasmModule::kPageSize);
 }
 
 void testing::ValidateInstancesChain(Isolate* isolate,
                                      Handle<JSObject> module_obj,
                                      int instance_count) {
   CHECK_GE(instance_count, 0);
   DisallowHeapAllocation no_gc;
   WasmCompiledModule* compiled_module =
@@ skipping 33 matching lines @@
 }
 
 void testing::ValidateOrphanedInstance(Isolate* isolate,
                                        Handle<JSObject> instance) {
   DisallowHeapAllocation no_gc;
   CHECK(IsWasmObject(*instance));
   WasmCompiledModule* compiled_module = GetCompiledModule(*instance);
   CHECK(compiled_module->has_weak_module_object());
   CHECK(compiled_module->ptr_to_weak_module_object()->cleared());
 }