Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(203)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: src/compiler/wasm-compiler.cc

Issue 2416543002: [wasm] Fix bounds check for zero initial memory. (Closed)
Patch Set: Review comments Created 4 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | src/wasm/wasm-module.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: src/compiler/wasm-compiler.cc
diff --git a/src/compiler/wasm-compiler.cc b/src/compiler/wasm-compiler.cc
index 4392896c644b8796b013903a81c22a5804f71e5b..025f3ef37aedd480c157560ce1bea42d36657aa0 100644
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -2861,34 +2861,30 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
// Check against the effective size.
size_t effective_size;
bradn 2016/10/14 01:42:38 Move down to the initialization.
gdeepti 2016/10/14 01:57:10 As the check below is gated by if (size > offset +
- if (size == 0) {
- effective_size = 0;
- } else if (offset >= size ||
- (static_cast<uint64_t>(offset) + memsize) > size) {
+ if (size <= offset || size < (static_cast<uint64_t>(offset) + memsize)) {
// Two checks are needed in the case where the offset is statically
// out of bounds; one check for the offset being in bounds, and the next for
// the offset + index being out of bounds for code to be patched correctly
// on relocation.
- effective_size = size - memsize + 1;
+ size_t effective_offset = offset + memsize - 1;
Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(),
- jsgraph()->IntPtrConstant(offset),
+ jsgraph()->IntPtrConstant(effective_offset),
jsgraph()->RelocatableInt32Constant(
- static_cast<uint32_t>(effective_size),
+ static_cast<uint32_t>(size),
RelocInfo::WASM_MEMORY_SIZE_REFERENCE));
trap_->AddTrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
- DCHECK(offset >= effective_size);
- effective_size = offset - effective_size;
- } else {
- effective_size = size - offset - memsize + 1;
- CHECK(effective_size <= kMaxUInt32);
-
- Uint32Matcher m(index);
- if (m.HasValue()) {
- uint32_t value = m.Value();
- if (value < effective_size) {
- // The bounds check will always succeed.
- return;
- }
+ }
+ // For offset > effective size, this relies on check above to fail when it
+ // wraps around.
+ effective_size = size - offset - memsize + 1;
+ CHECK(effective_size <= kMaxUInt32);
bradn 2016/10/14 01:42:38 This check won't work now (it could be negative).
gdeepti 2016/10/14 01:57:10 Done.
+
+ Uint32Matcher m(index);
+ if (m.HasValue()) {
+ uint32_t value = m.Value();
+ if (value < effective_size) {
+ // The bounds check will always succeed.
+ return;
}
}
« no previous file with comments | « no previous file | src/wasm/wasm-module.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698