Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2649553002:
[wasm] Check segment bounds beforehand (Closed)
Description[wasm] Check segment bounds beforehand
Also fixes check for table segments to be performed against actual size not declared one.
Makes us pass memory.wast and linking.wast tests (modulo issue 5860).
R=titzer@chromium.org
BUG=
Review-Url: https://codereview.chromium.org/2649553002
Cr-Commit-Position: refs/heads/master@{#42607}
Committed: https://chromium.googlesource.com/v8/v8/+/fc44a1d9cab4b4bff1a817928fe7b6e98ef8be5e
Patch Set 1 #
Total comments: 9
Patch Set 2 : Comments #Patch Set 3 : Check against actual not declared table bound #Patch Set 4 : Explicit cast to make compiler happy #Patch Set 5 : YA explicit cast #Patch Set 6 : Explicit cast fest pt 3 #Patch Set 7 : Fix error message #Patch Set 8 : Rebase #
Messages
Total messages: 44 (24 generated)
https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc File src/wasm/wasm-module.cc (right): https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... src/wasm/wasm-module.cc:1303: uint32_t table_size = table.min_size; Does the spec say we should check against the imported table size or the minimum specified in the table import? My guess is the former. https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... src/wasm/wasm-module.cc:1344: if (!LoadDataSegments(nullptr, 0)) return nothing; Shouldn't need to do anything in this case now. https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... src/wasm/wasm-module.cc:1584: bool LoadDataSegments(Address mem_addr, size_t mem_size) { Don't need to return anything anymore. https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... src/wasm/wasm-module.cc:1592: if (dest_offset + source_size > mem_size || These should be DCHECKS now I guess. Can we factor out a range check method too?
https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc File src/wasm/wasm-module.cc (right): https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... src/wasm/wasm-module.cc:1303: uint32_t table_size = table.min_size; On 2017/01/20 14:28:34, titzer wrote: > Does the spec say we should check against the imported table size or the minimum > specified in the table import? My guess is the former. Spec interpreter currently says actual size -- which makes sense, I think, because the actual address might be an imported global, and the imported memory size statically unknown and thus conservatively annotated as 1 (or even 0). https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... src/wasm/wasm-module.cc:1344: if (!LoadDataSegments(nullptr, 0)) return nothing; On 2017/01/20 14:28:34, titzer wrote: > Shouldn't need to do anything in this case now. Done. https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... src/wasm/wasm-module.cc:1584: bool LoadDataSegments(Address mem_addr, size_t mem_size) { On 2017/01/20 14:28:34, titzer wrote: > Don't need to return anything anymore. Done. https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... src/wasm/wasm-module.cc:1592: if (dest_offset + source_size > mem_size || On 2017/01/20 14:28:34, titzer wrote: > These should be DCHECKS now I guess. > > Can we factor out a range check method too? Done.
https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc File src/wasm/wasm-module.cc (right): https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... src/wasm/wasm-module.cc:1303: uint32_t table_size = table.min_size; On 2017/01/20 14:57:35, rossberg wrote: > On 2017/01/20 14:28:34, titzer wrote: > > Does the spec say we should check against the imported table size or the > minimum > > specified in the table import? My guess is the former. > > Spec interpreter currently says actual size -- which makes sense, I think, > because the actual address might be an imported global, and the imported memory > size statically unknown and thus conservatively annotated as 1 (or even 0). Ok, because this code checks against the size in the import declaration. You need to look into the table_instances_ array, which stores the actual table object that was imported.
Description was changed from ========== [wasm] Check segment bounds beforehand Makes us pass memory.wast and linking.wast tests (modulo issue 5860). R=titzer@chromium.org BUG= ========== to ========== [wasm] Check segment bounds beforehand Also fixes check for table segments to be performed against actual size not declared one. Makes us pass memory.wast and linking.wast tests (modulo issue 5860). R=titzer@chromium.org BUG= ==========
On 2017/01/20 15:03:21, titzer wrote: > https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc > File src/wasm/wasm-module.cc (right): > > https://codereview.chromium.org/2649553002/diff/1/src/wasm/wasm-module.cc#new... > src/wasm/wasm-module.cc:1303: uint32_t table_size = table.min_size; > On 2017/01/20 14:57:35, rossberg wrote: > > On 2017/01/20 14:28:34, titzer wrote: > > > Does the spec say we should check against the imported table size or the > > minimum > > > specified in the table import? My guess is the former. > > > > Spec interpreter currently says actual size -- which makes sense, I think, > > because the actual address might be an imported global, and the imported > memory > > size statically unknown and thus conservatively annotated as 1 (or even 0). > > Ok, because this code checks against the size in the import declaration. You > need to look into the table_instances_ array, which stores the actual table > object that was imported. Done. The check actually was wrong before. Had to split up InitializeTables to make this work. With this patch we pass the additional spec tests in https://github.com/WebAssembly/spec/pull/408
lgtm
The CQ bit was checked by rossberg@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by rossberg@chromium.org
The CQ bit was checked by rossberg@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: v8_win64_rel_ng on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win64_rel_ng/builds/21332) v8_win_nosnap_shared_rel_ng on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win_nosnap_shared_rel_ng...) v8_win_rel_ng on master.tryserver.v8 (JOB_FAILED, no build URL)
The CQ bit was checked by rossberg@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: v8_win64_rel_ng on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win64_rel_ng/builds/21333) v8_win_compile_dbg on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win_compile_dbg/builds/3...) v8_win_nosnap_shared_rel_ng on master.tryserver.v8 (JOB_FAILED, no build URL) v8_win_rel_ng on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win_rel_ng/builds/21417)
The CQ bit was checked by rossberg@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from titzer@chromium.org Link to the patchset: https://codereview.chromium.org/2649553002/#ps60001 (title: "Explicit cast to make compiler happy")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: v8_win64_rel_ng on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win64_rel_ng/builds/21334) v8_win_compile_dbg on master.tryserver.v8 (JOB_FAILED, no build URL) v8_win_nosnap_shared_rel_ng on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win_nosnap_shared_rel_ng...) v8_win_rel_ng on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win_rel_ng/builds/21418)
The CQ bit was checked by rossberg@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from titzer@chromium.org Link to the patchset: https://codereview.chromium.org/2649553002/#ps80001 (title: "YA explicit cast")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: v8_win64_rel_ng on master.tryserver.v8 (JOB_FAILED, no build URL) v8_win_compile_dbg on master.tryserver.v8 (JOB_FAILED, no build URL) v8_win_nosnap_shared_rel_ng on master.tryserver.v8 (JOB_FAILED, no build URL) v8_win_rel_ng on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win_rel_ng/builds/21420)
The CQ bit was checked by rossberg@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from titzer@chromium.org Link to the patchset: https://codereview.chromium.org/2649553002/#ps100001 (title: "Explicit cast fest pt 3")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: v8_win64_rel_ng on master.tryserver.v8 (JOB_FAILED, http://build.chromium.org/p/tryserver.v8/builders/v8_win64_rel_ng/builds/21337) v8_win_nosnap_shared_rel_ng on master.tryserver.v8 (JOB_FAILED, no build URL) v8_win_rel_ng on master.tryserver.v8 (JOB_FAILED, no build URL)
The CQ bit was checked by rossberg@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from titzer@chromium.org Link to the patchset: https://codereview.chromium.org/2649553002/#ps120001 (title: "Fix error message")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Failed to apply patch for src/wasm/wasm-js.cc:
While running git apply --index -p1;
error: patch failed: src/wasm/wasm-js.cc:323
error: src/wasm/wasm-js.cc: patch does not apply
Patch: src/wasm/wasm-js.cc
Index: src/wasm/wasm-js.cc
diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
index
ee8e87de07788cb06463d9ab3c842d00d9e24b99..bba8be77f2381b4af72b958b90923a20a5e1ddf0
100644
--- a/src/wasm/wasm-js.cc
+++ b/src/wasm/wasm-js.cc
@@ -323,7 +323,7 @@ void WebAssemblyInstantiate(const
v8::FunctionCallbackInfo<v8::Value>& args) {
i::Isolate* i_isolate = reinterpret_cast<i::Isolate*>(isolate);
HandleScope scope(isolate);
- ErrorThrower thrower(i_isolate, "WebAssembly.compile()");
+ ErrorThrower thrower(i_isolate, "WebAssembly.instantiate()");
Local<Context> context = isolate->GetCurrentContext();
v8::Local<v8::Promise::Resolver> resolver;
The CQ bit was checked by rossberg@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from titzer@chromium.org Link to the patchset: https://codereview.chromium.org/2649553002/#ps140001 (title: "Rebase")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 140001, "attempt_start_ts": 1485190242904480,
"parent_rev": "6d1894e4f4a63a165b5bfcae414bd7137e01f8d9", "commit_rev":
"fc44a1d9cab4b4bff1a817928fe7b6e98ef8be5e"}
Message was sent while issue was closed.
Description was changed from ========== [wasm] Check segment bounds beforehand Also fixes check for table segments to be performed against actual size not declared one. Makes us pass memory.wast and linking.wast tests (modulo issue 5860). R=titzer@chromium.org BUG= ========== to ========== [wasm] Check segment bounds beforehand Also fixes check for table segments to be performed against actual size not declared one. Makes us pass memory.wast and linking.wast tests (modulo issue 5860). R=titzer@chromium.org BUG= Review-Url: https://codereview.chromium.org/2649553002 Cr-Commit-Position: refs/heads/master@{#42607} Committed: https://chromium.googlesource.com/v8/v8/+/fc44a1d9cab4b4bff1a817928fe7b6e98ef... ==========
Message was sent while issue was closed.
Committed patchset #8 (id:140001) as https://chromium.googlesource.com/v8/v8/+/fc44a1d9cab4b4bff1a817928fe7b6e98ef... |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
