[wasm] Disable asan for memory_fill_wrapper

See the similar fix for memory_copy_wrapper here: https://chromium-review.googlesource.com/c/v8/v8/+/1584326 Bug: chromium:957405 Change-Id: I49e321186e40fd874f10d08e0e5a53aa225cfa19 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1590386 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Ben Smith <binji@chromium.org> Cr-Commit-Position: refs/heads/master@{#61223}
2019-04-30 12:11:40 -07:00 · 2019-04-30 12:11:40 -07:00 · 140c1e51ae
commit 140c1e51ae
parent 821932342a
2 changed files with 25 additions and 1 deletions
--- a/src/wasm/wasm-external-refs.cc
+++ b/src/wasm/wasm-external-refs.cc
@ -278,7 +278,11 @@ DISABLE_ASAN void memory_copy_wrapper(Address dst, Address src, uint32_t size) {
  }
 }

-void memory_fill_wrapper(Address dst, uint32_t value, uint32_t size) {
+// Asan on Windows triggers exceptions in this function that confuse the
+// WebAssembly trap handler, so Asan is disabled. See the comment on
+// memory_copy_wrapper above for more info.
+DISABLE_ASAN void memory_fill_wrapper(Address dst, uint32_t value,
+                                      uint32_t size) {
  // Use an explicit forward copy to match the required semantics for the
  // memory.fill instruction. It is assumed that the caller of this function
  // has already performed bounds checks, so {dst + size} should not overflow.
--- a/test/mjsunit/regress/wasm/regress-957405.js
+++ b/test/mjsunit/regress/wasm/regress-957405.js
@ -0,0 +1,20 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const memory = new WebAssembly.Memory({initial: 1});
+
+let builder = new WasmModuleBuilder();
+builder.addImportedMemory("imports", "mem");
+builder.addFunction("fill", kSig_v_iii)
+       .addBody([kExprGetLocal, 0, // dst
+                 kExprGetLocal, 1, // value
+                 kExprGetLocal, 2, // size
+                 kNumericPrefix, kExprMemoryFill, 0]).exportAs("fill");
+let instance = builder.instantiate({imports: {mem: memory}});
+memory.grow(1);
+assertTraps(
+    kTrapMemOutOfBounds,
+    () => instance.exports.fill(kPageSize + 1, 123, kPageSize));