[Liftoff] Zero-extend i32 stack parameters

i32 stack parameters can be loaded by Turbofan as 64-bit value, hence they would not be zero extended. If this loaded value is then passed to Liftoff (which assumes zero-extended i32 values), we could use it for memory accesses, which would be out of bounds. R=mstarzinger@chromium.org Bug: chromium:864509, v8:6600 Change-Id: I0f45a269b1fb1c2befc2e6bc660c559a88323767 Reviewed-on: https://chromium-review.googlesource.com/1140168 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#54500}
2018-07-17 18:14:57 +02:00 · 2018-07-17 18:14:57 +02:00 · 16af1baac4
commit 16af1baac4
parent e3a5b1e402
2 changed files with 74 additions and 1 deletions
--- a/src/wasm/baseline/x64/liftoff-assembler-x64.h
+++ b/src/wasm/baseline/x64/liftoff-assembler-x64.h
@ -1452,7 +1452,18 @@ void LiftoffStackSlots::Construct() {
    const LiftoffAssembler::VarState& src = slot.src_;
    switch (src.loc()) {
      case LiftoffAssembler::VarState::kStack:
-        asm_->pushq(liftoff::GetStackSlot(slot.src_index_));
+        if (src.type() == kWasmI32) {
+          // Load i32 values to a register first to ensure they are zero
+          // extended.
+          asm_->movl(kScratchRegister, liftoff::GetStackSlot(slot.src_index_));
+          asm_->pushq(kScratchRegister);
+        } else {
+          // For all other types, just push the whole (8-byte) stack slot.
+          // This is also ok for f32 values (even though we copy 4 uninitialized
+          // bytes), because f32 and f64 values are clearly distinguished in
+          // Turbofan, so the uninitialized bytes are never accessed.
+          asm_->pushq(liftoff::GetStackSlot(slot.src_index_));
+        }
        break;
      case LiftoffAssembler::VarState::kRegister:
        liftoff::push(asm_, src.reg(), src.type());
--- a/test/mjsunit/regress/wasm/regress-864509.js
+++ b/test/mjsunit/regress/wasm/regress-864509.js
@ -0,0 +1,62 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --liftoff --no-wasm-tier-up --no-future --wasm-tier-mask-for-testing=2
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(1, 1);
+// First function is Liftoff. The first parameter is used as memory offset.
+builder.addFunction(undefined, kSig_v_i).addBody([
+  kExprGetLocal, 0,        // get_local 0
+  kExprI32Const, 0,        // i32.const 0
+  kExprI32StoreMem, 0, 0,  // i32.store offset=0
+]);
+// Second function is Turbofan. It loads the sixth parameter from the stack
+// into a register for the first argument. Even though it's a 32-bit value, it
+// is loaded as 64-bit value on x64.
+builder.addFunction(undefined, makeSig(new Array(6).fill(kWasmI32), []))
+    .addBody([
+      kExprGetLocal, 5,     // get_local 5
+      kExprCallFunction, 0  // call 0
+    ]);
+// The third function is Liftoff again. A value is spilled on the stack as i32,
+// then used as a call argument, passed via the stack. The full 64-bit are
+// copied on the stack, even though just 32-bit were written before. Hence, the
+// stack slot is not zero-extended.
+const gen_i32_code = [
+  kExprTeeLocal, 0,  // tee_local 0
+  kExprGetLocal, 0,  // get_local 0
+  kExprI32Const, 1,  // i32.const 1
+  kExprI32Add        // i32.add     --> 2nd param
+];
+builder.addFunction(undefined, kSig_v_v).addLocals({i32_count: 1}).addBody([
+  // Generate six values on the stack, then six more to force the other six on
+  // the stack.
+  ...wasmI32Const(0),    // i32.const 0
+  ...wasmI32Const(1),    // i32.const 1
+  kExprI32Add,           // i32.add --> 1st param
+  ...gen_i32_code,       // --> 2nd param
+  ...gen_i32_code,       // --> 3rd param
+  ...gen_i32_code,       // --> 4th param
+  ...gen_i32_code,       // --> 5th param
+  ...gen_i32_code,       // --> 6th param
+  ...gen_i32_code,       // --> garbage
+  ...gen_i32_code,       // --> garbage
+  ...gen_i32_code,       // --> garbage
+  ...gen_i32_code,       // --> garbage
+  ...gen_i32_code,       // --> garbage
+  ...gen_i32_code,       // --> garbage
+  kExprDrop,             // drop garbage
+  kExprDrop,             // drop garbage
+  kExprDrop,             // drop garbage
+  kExprDrop,             // drop garbage
+  kExprDrop,             // drop garbage
+  kExprDrop,             // drop garbage
+  kExprCallFunction,  1  // call 1
+]).exportAs('three');
+const instance = builder.instantiate();
+instance.exports.three();