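--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/wasm-compiler.h"
 
 #include <memory>
 
 #include "src/isolate-inl.h"
 
@@ -2905,21 +2905,31 @@
 DCHECK(module_ && module_->instance);
 uint32_t size = module_->instance->mem_size;
 byte memsize = wasm::WasmOpcodes::MemSize(memtype);
 
 size_t effective_size;
 if (size <= offset || size < (static_cast<uint64_t>(offset) + memsize)) {
 // Two checks are needed in the case where the offset is statically
 // out of bounds; one check for the offset being in bounds, and the next for
 // the offset + index being out of bounds for code to be patched correctly
 // on relocation.
-size_t effective_offset = offset + memsize - 1;
+
+// Check for overflows.
+if ((std::numeric_limits<uint32_t>::max() - memsize) + 1 < offset) {
+// Always trap. Do not use TrapAlways because it does not create a valid
+// graph here.
+trap_->TrapIfEq32(wasm::kTrapMemOutOfBounds, jsgraph()->Int32Constant(0),
+0, position);
+return;
+}
+size_t effective_offset = (offset - 1) + memsize;
+
 Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(),
 jsgraph()->IntPtrConstant(effective_offset),
 jsgraph()->RelocatableInt32Constant(
 static_cast<uint32_t>(size),
 RelocInfo::WASM_MEMORY_SIZE_REFERENCE));
 trap_->AddTrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
 // For offset > effective size, this relies on check above to fail and
 // effective size can be negative, relies on wrap around.
 effective_size = size - offset - memsize + 1;
 } else {
@@ -3485,10 +3495,10 @@
 function_->code_start_offset),
 compile_ms);
 }
 
 return code;
 }
 
 } // namespace compiler
 } // namespace internal
 } // namespace v8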
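Review bot: The new overflow guard at new line 2917 is the bounds-check path that keeps a statically out-of-range wasm access from reaching memory, but `// Check for overflows.` does not say which computation it protects, and `(offset - 1) + memsize` on new line 2924 silently relies on unsigned wrap-around when offset == 0 (that case does enter this branch, since size <= offset), which a reader may mistake for a bug. I would replace the comment with `// offset + memsize - 1 would wrap uint32_t here, so the Uint32LessThan check below could pass spuriously; trap unconditionally instead.` and annotate the subtraction with `// (offset - 1) wraps for offset == 0; adding memsize wraps it back, so the value is still offset + memsize - 1.` The type of offset is not visible in this section (the enclosing function begins above new line 2905); the wrap-back argument only holds if offset is a 32-bit unsigned type, as the `static_cast<uint64_t>(offset)` on line 2910 suggests, so the comment should state that assumption. The guard itself reads more directly as the negation of what it protects, `if (offset > std::numeric_limits<uint32_t>::max() - (memsize - 1))`, which is equivalent for memsize >= 1.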