| Index: src/compiler/wasm-compiler.cc
|
| diff --git a/src/compiler/wasm-compiler.cc b/src/compiler/wasm-compiler.cc
|
| index 4392896c644b8796b013903a81c22a5804f71e5b..484a0d9a5063c6b1baf876ea818fb9c9d998fd05 100644
|
| --- a/src/compiler/wasm-compiler.cc
|
| +++ b/src/compiler/wasm-compiler.cc
|
| @@ -2859,25 +2859,22 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
|
| uint32_t size = module_->instance->mem_size;
|
| byte memsize = wasm::WasmOpcodes::MemSize(memtype);
|
|
|
| - // Check against the effective size.
|
| size_t effective_size;
|
| - if (size == 0) {
|
| - effective_size = 0;
|
| - } else if (offset >= size ||
|
| - (static_cast<uint64_t>(offset) + memsize) > size) {
|
| + if (size <= offset || size < (static_cast<uint64_t>(offset) + memsize)) {
|
| // Two checks are needed in the case where the offset is statically
|
| // out of bounds; one check for the offset being in bounds, and the next for
|
| // the offset + index being out of bounds for code to be patched correctly
|
| // on relocation.
|
| - effective_size = size - memsize + 1;
|
| + size_t effective_offset = offset + memsize - 1;
|
| Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(),
|
| - jsgraph()->IntPtrConstant(offset),
|
| + jsgraph()->IntPtrConstant(effective_offset),
|
| jsgraph()->RelocatableInt32Constant(
|
| - static_cast<uint32_t>(effective_size),
|
| + static_cast<uint32_t>(size),
|
| RelocInfo::WASM_MEMORY_SIZE_REFERENCE));
|
| trap_->AddTrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
|
| - DCHECK(offset >= effective_size);
|
| - effective_size = offset - effective_size;
|
| + // For offset > effective size, this relies on check above to fail and
|
| + // effective size can be negative, relies on wrap around.
|
| + effective_size = size - offset - memsize + 1;
|
| } else {
|
| effective_size = size - offset - memsize + 1;
|
| CHECK(effective_size <= kMaxUInt32);
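Review bot: `size_t effective_offset = offset + memsize - 1;` (the new line right after the `if`) is computed in 32-bit arithmetic and can wrap when `offset` lies within `memsize` of `kMaxUInt32`; the condition on the line above deliberately widens with `static_cast<uint64_t>(offset)` to avoid exactly that, but the value handed to `Uint32LessThan` through `IntPtrConstant` does not, so a wrapped small `effective_offset` would compare below `size` and the out-of-bounds trap would not fire for an access that the static check already classified as out of bounds. Computing it as `uint64_t effective_offset = static_cast<uint64_t>(offset) + memsize - 1;` and, when that exceeds `kMaxUInt32`, emitting the `kTrapMemOutOfBounds` trap unconditionally instead of the comparison keeps the check sound without relying on wrap-around (this assumes `offset` is a 32-bit type, which the existing cast suggests — worth confirming against the declaration outside the hunk). The new comment `// effective size can be negative, relies on wrap around.` is also misleading for an unsigned `size_t`; `// size - offset - memsize + 1 may wrap (unsigned); such a value is only reached when the trap above fires first` states the intent more precisely. BoundsCheckMem begins before this hunk and continues after it, so the code that presumably consumes `effective_size` for the index check is not visible here.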
|
|
|