Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(895)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/wasm/wasm-module.cc

Issue 2416543002: [wasm] Fix bounds check for zero initial memory. (Closed)
Patch Set: Add aTODO Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« src/compiler/wasm-compiler.cc ('K') | « src/wasm/wasm-module.h ('k') | src/x64/assembler-x64.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/wasm/wasm-module.cc
diff --git a/src/wasm/wasm-module.cc b/src/wasm/wasm-module.cc
index 04f58c2c4f5f8c73f72875cadf1eac932058c2ba..aef67d22d2aec1cd803b5a19c69c48a46b519766 100644
--- a/src/wasm/wasm-module.cc
+++ b/src/wasm/wasm-module.cc
@@ -186,7 +186,7 @@ Handle<JSArrayBuffer> NewArrayBuffer(Isolate* isolate, size_t size) {
}
void RelocateInstanceCode(Handle<JSObject> instance, Address old_start,
- Address start, uint32_t prev_size,
+ Address new_start, uint32_t old_size,
uint32_t new_size) {
Handle<FixedArray> functions = Handle<FixedArray>(
FixedArray::cast(instance->GetInternalField(kWasmModuleCodeTable)));
@@ -194,10 +194,30 @@ void RelocateInstanceCode(Handle<JSObject> instance, Address old_start,
Handle<Code> function = Handle<Code>(Code::cast(functions->get(i)));
AllowDeferredHandleDereference embedding_raw_address;
int mask = (1 << RelocInfo::WASM_MEMORY_REFERENCE) |
- (1 << RelocInfo::WASM_MEMORY_SIZE_REFERENCE);
+ (1 << RelocInfo::WASM_MEMORY_SIZE_REFERENCE) |
+ (1 << RelocInfo::WASM_MEMTYPE_SIZE_REFERENCE);
+ byte memtype_size;
for (RelocIterator it(*function, mask); !it.done(); it.next()) {
- it.rinfo()->update_wasm_memory_reference(old_start, start, prev_size,
- new_size);
+ RelocInfo::Mode mode = it.rinfo()->rmode();
+ if (RelocInfo::IsWasmMemtypeSizeReference(mode)) {
+ DCHECK(old_size == 0);
+ memtype_size = it.rinfo()->wasm_memtype_size_reference();
+ } else if (RelocInfo::IsWasmMemoryReference(mode) ||
+ (RelocInfo::IsWasmMemorySizeReference(mode) && old_size)) {
+ it.rinfo()->update_wasm_memory_reference(old_start, new_start, old_size,
+ new_size);
+ } else if (RelocInfo::IsWasmMemorySizeReference(mode)) {
+ // memtype_size is only populated when old_size = 0, stashed value
+ // should only be used when growing from 0 memory to calculate that last
+ // legal address and cleared after.
+ if (old_size == 0 && memtype_size != 0) {
+ it.rinfo()->update_wasm_memory_reference(
+ old_start, new_start, old_size, (new_size - memtype_size + 1));
+ memtype_size = 0;
+ }
+ } else {
+ UNREACHABLE();
+ }
}
}
}
@@ -626,6 +646,7 @@ static void ResetCompiledModule(Isolate* isolate, JSObject* owner,
}
int mode_mask = RelocInfo::ModeMask(RelocInfo::WASM_MEMORY_REFERENCE) |
RelocInfo::ModeMask(RelocInfo::WASM_MEMORY_SIZE_REFERENCE) |
+ RelocInfo::ModeMask(RelocInfo::WASM_MEMTYPE_SIZE_REFERENCE) |
RelocInfo::ModeMask(RelocInfo::WASM_GLOBAL_REFERENCE);
Object* fct_obj = compiled_module->ptr_to_code_table();
@@ -2047,38 +2068,6 @@ Handle<WasmDebugInfo> wasm::GetDebugInfo(Handle<JSObject> wasm) {
return new_info;
}
-bool wasm::UpdateWasmModuleMemory(Handle<JSObject> object, Address old_start,
- Address new_start, uint32_t old_size,
- uint32_t new_size) {
- DisallowHeapAllocation no_allocation;
- if (!IsWasmObject(*object)) {
- return false;
- }
-
- // Get code table associated with the module js_object
- Object* obj = object->GetInternalField(kWasmModuleCodeTable);
- Handle<FixedArray> code_table(FixedArray::cast(obj));
-
- // Iterate through the code objects in the code table and update relocation
- // information
- for (int i = 0; i < code_table->length(); ++i) {
- obj = code_table->get(i);
- Handle<Code> code(Code::cast(obj));
-
- int mode_mask = RelocInfo::ModeMask(RelocInfo::WASM_MEMORY_REFERENCE) |
- RelocInfo::ModeMask(RelocInfo::WASM_MEMORY_SIZE_REFERENCE);
- for (RelocIterator it(*code, mode_mask); !it.done(); it.next()) {
- RelocInfo::Mode mode = it.rinfo()->rmode();
- if (RelocInfo::IsWasmMemoryReference(mode) ||
- RelocInfo::IsWasmMemorySizeReference(mode)) {
- it.rinfo()->update_wasm_memory_reference(old_start, new_start, old_size,
- new_size);
- }
- }
- }
- return true;
-}
-
Handle<FixedArray> wasm::BuildFunctionTable(Isolate* isolate, uint32_t index,
const WasmModule* module) {
const WasmIndirectFunctionTable* table = &module->function_tables[index];
@@ -2234,9 +2223,8 @@ int32_t wasm::GetInstanceMemorySize(Isolate* isolate,
int32_t wasm::GrowInstanceMemory(Isolate* isolate, Handle<JSObject> instance,
uint32_t pages) {
- if (pages == 0) {
- return GetInstanceMemorySize(isolate, instance);
- }
+ if (!IsWasmObject(*instance)) return -1;
+ if (pages == 0) return GetInstanceMemorySize(isolate, instance);
Address old_mem_start = nullptr;
uint32_t old_size = 0, new_size = 0;
@@ -2273,10 +2261,8 @@ int32_t wasm::GrowInstanceMemory(Isolate* isolate, Handle<JSObject> instance,
memcpy(new_mem_start, old_mem_start, old_size);
}
SetInstanceMemory(instance, *buffer);
- if (!UpdateWasmModuleMemory(instance, old_mem_start, new_mem_start, old_size,
- new_size)) {
- return -1;
- }
+ RelocateInstanceCode(instance, old_mem_start, new_mem_start, old_size,
+ new_size);
DCHECK(old_size % WasmModule::kPageSize == 0);
return (old_size / WasmModule::kPageSize);
}
« src/compiler/wasm-compiler.cc ('K') | « src/wasm/wasm-module.h ('k') | src/x64/assembler-x64.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698