[wasm] Fix bounds check for zero initial memory.

src/compiler/wasm-compiler.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/wasm-compiler.h"
 
 #include <memory>
 
 #include "src/isolate-inl.h"
 
@@ skipping 2838 matching lines @@
   Node* node = graph()->NewNode(op, addr, jsgraph()->Int32Constant(0), val,
                                 *effect_, *control_);
   *effect_ = node;
   return node;
 }
 
 void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
                                       uint32_t offset,
                                       wasm::WasmCodePosition position) {
   DCHECK(module_ && module_->instance);
-  uint32_t size = module_->instance->mem_size;
+  uint32_t size = module_->module->min_mem_pages * module_->module->kPageSize;
   byte memsize = wasm::WasmOpcodes::MemSize(memtype);
 
   // Check against the effective size.
   size_t effective_size;
-  if (size == 0) {
-    effective_size = 0;
-  } else if (offset >= size ||
-             (static_cast<uint64_t>(offset) + memsize) > size) {
+  if (size == 0 || offset >= size ||

[bradn, 2016/10/14 01:17:07]

Drop size==0, always true if the next clause is.
Maybe put the size on the right in both cases?

[gdeepti, 2016/10/14 01:28:44]

Done.

+      (static_cast<uint64_t>(offset) + memsize) > size) {
     // Two checks are needed in the case where the offset is statically
     // out of bounds; one check for the offset being in bounds, and the next for
     // the offset + index being out of bounds for code to be patched correctly
     // on relocation.
-    effective_size = size - memsize + 1;
+    size_t effective_offset = offset + memsize - 1;
     Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(),
-                                  jsgraph()->IntPtrConstant(offset),
+                                  jsgraph()->IntPtrConstant(effective_offset),
                                   jsgraph()->RelocatableInt32Constant(
-                                      static_cast<uint32_t>(effective_size),
+                                      static_cast<uint32_t>(size),
                                       RelocInfo::WASM_MEMORY_SIZE_REFERENCE));
     trap_->AddTrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
-    DCHECK(offset >= effective_size);
-    effective_size = offset - effective_size;
-  } else {
-    effective_size = size - offset - memsize + 1;
-    CHECK(effective_size <= kMaxUInt32);
+  }
+  effective_size = size - offset - memsize + 1;

[bradn, 2016/10/14 01:17:07]

Maybe comment that this relies on the above check when it wraps around.

[gdeepti, 2016/10/14 01:28:44]

Done.

+  CHECK(effective_size <= kMaxUInt32);
 
-    Uint32Matcher m(index);
-    if (m.HasValue()) {
-      uint32_t value = m.Value();
-      if (value < effective_size) {
-        // The bounds check will always succeed.
-        return;
-      }
+  Uint32Matcher m(index);
+  if (m.HasValue()) {
+    uint32_t value = m.Value();
+    if (value < effective_size) {
+      // The bounds check will always succeed.
+      return;
     }
   }
 
   Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(), index,
                                 jsgraph()->RelocatableInt32Constant(
                                     static_cast<uint32_t>(effective_size),
                                     RelocInfo::WASM_MEMORY_SIZE_REFERENCE));
   trap_->AddTrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
 }
 
@@ skipping 514 matching lines @@
                             function_->code_start_offset),
            compile_ms);
   }
 
   return code;
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8