[wasm] GrowMemory should use array_buffer_allocator instead of realloc.

- Using realloc is still unsafe as the allocator, using array_buffer_allocator - Fixing tests to avoid overlapping stores, adding more tests BUG=v8:5344 R=ahaas@chromium.org, mlippautz@chromium.org Review-Url: https://codereview.chromium.org/2319983002 Cr-Commit-Position: refs/heads/master@{#39329}
2016-09-12 00:32:42 -07:00 · 2016-09-12 00:32:42 -07:00 · 2a4b5933b8
commit 2a4b5933b8
parent a5ca412e5a
2 changed files with 196 additions and 12 deletions
--- a/src/runtime/runtime-wasm.cc
+++ b/src/runtime/runtime-wasm.cc
@ -86,14 +86,20 @@ RUNTIME_FUNCTION(Runtime_WasmGrowMemory) {
        wasm::WasmModule::kMaxMemPages * wasm::WasmModule::kPageSize) {
      return *isolate->factory()->NewNumberFromInt(-1);
    }
-    new_mem_start = static_cast<Address>(realloc(old_mem_start, new_size));
+    new_mem_start =
+        static_cast<Address>(isolate->array_buffer_allocator()->Allocate(
+            static_cast<uint32_t>(new_size)));
    if (new_mem_start == NULL) {
      return *isolate->factory()->NewNumberFromInt(-1);
    }
-    old_buffer->set_is_external(true);
-    isolate->heap()->UnregisterArrayBuffer(*old_buffer);
-    // Zero initializing uninitialized memory from realloc
-    memset(new_mem_start + old_size, 0, new_size - old_size);
+#if DEBUG
+    // Double check the API allocator actually zero-initialized the memory.
+    for (size_t i = old_size; i < new_size; i++) {
+      DCHECK_EQ(0, new_mem_start[i]);
+    }
+#endif
+    // Copy contents of the old buffer to the new buffer
+    memcpy(new_mem_start, old_mem_start, old_size);
  }

  Handle<JSArrayBuffer> buffer = isolate->factory()->NewJSArrayBuffer();
@ -102,7 +108,6 @@ RUNTIME_FUNCTION(Runtime_WasmGrowMemory) {

  // Set new buffer to be wasm memory
  module_object->SetInternalField(kWasmMemArrayBuffer, *buffer);
-
  CHECK(wasm::UpdateWasmModuleMemory(module_object, old_mem_start,
                                     new_mem_start, old_size, new_size));

--- a/test/mjsunit/wasm/grow-memory.js
+++ b/test/mjsunit/wasm/grow-memory.js
@ -20,10 +20,22 @@ function genGrowMemoryBuilder() {
  builder.addFunction("store", kSig_i_ii)
      .addBody([kExprGetLocal, 0, kExprGetLocal, 1, kExprI32StoreMem, 0, 0])
      .exportFunc();
+  builder.addFunction("load16", kSig_i_i)
+      .addBody([kExprGetLocal, 0, kExprI32LoadMem16U, 0, 0])
+      .exportFunc();
+  builder.addFunction("store16", kSig_i_ii)
+      .addBody([kExprGetLocal, 0, kExprGetLocal, 1, kExprI32StoreMem16, 0, 0])
+      .exportFunc();
+  builder.addFunction("load8", kSig_i_i)
+      .addBody([kExprGetLocal, 0, kExprI32LoadMem8U, 0, 0])
+      .exportFunc();
+  builder.addFunction("store8", kSig_i_ii)
+      .addBody([kExprGetLocal, 0, kExprGetLocal, 1, kExprI32StoreMem8, 0, 0])
+      .exportFunc();
  return builder;
 }

-function testGrowMemoryReadWrite() {
+function testGrowMemoryReadWrite32() {
  var builder = genGrowMemoryBuilder();
  builder.addMemory(1, 1, false);
  var module = builder.instantiate();
@ -32,7 +44,7 @@ function testGrowMemoryReadWrite() {
  function poke(value) { return module.exports.store(offset, value); }
  function growMem(pages) { return module.exports.grow_memory(pages); }

-  for(offset = 0; offset <= (kPageSize - 4); offset++) {
+  for(offset = 0; offset <= (kPageSize - 4); offset+=4) {
    poke(20);
    assertEquals(20, peek());
  }
@ -43,7 +55,7 @@ function testGrowMemoryReadWrite() {

  assertEquals(1, growMem(3));

-  for (offset = kPageSize; offset <= 4*kPageSize -4; offset++) {
+  for (offset = kPageSize; offset <= 4*kPageSize -4; offset+=4) {
    poke(20);
    assertEquals(20, peek());
  }
@ -54,11 +66,11 @@ function testGrowMemoryReadWrite() {

  assertEquals(4, growMem(15));

-  for (offset = 4*kPageSize - 3; offset <= 4*kPageSize + 4; offset++) {
+  for (offset = 4*kPageSize - 3; offset <= 4*kPageSize + 4; offset+=4) {
    poke(20);
    assertEquals(20, peek());
  }
-  for (offset = 19*kPageSize - 10; offset <= 19*kPageSize - 4; offset++) {
+  for (offset = 19*kPageSize - 10; offset <= 19*kPageSize - 4; offset+=4) {
    poke(20);
    assertEquals(20, peek());
  }
@ -68,7 +80,101 @@ function testGrowMemoryReadWrite() {
  }
 }

-testGrowMemoryReadWrite();
+testGrowMemoryReadWrite32();
+
+function testGrowMemoryReadWrite16() {
+  var builder = genGrowMemoryBuilder();
+  builder.addMemory(1, 1, false);
+  var module = builder.instantiate();
+  var offset;
+  function peek() { return module.exports.load16(offset); }
+  function poke(value) { return module.exports.store16(offset, value); }
+  function growMem(pages) { return module.exports.grow_memory(pages); }
+
+  for(offset = 0; offset <= (kPageSize - 2); offset+=2) {
+    poke(20);
+    assertEquals(20, peek());
+  }
+  for (offset = kPageSize - 1; offset < kPageSize + 4; offset++) {
+    assertTraps(kTrapMemOutOfBounds, poke);
+    assertTraps(kTrapMemOutOfBounds, peek);
+  }
+
+  assertEquals(1, growMem(3));
+
+  for (offset = kPageSize; offset <= 4*kPageSize -2; offset+=2) {
+    poke(20);
+    assertEquals(20, peek());
+  }
+  for (offset = 4*kPageSize - 1; offset < 4*kPageSize + 4; offset++) {
+    assertTraps(kTrapMemOutOfBounds, poke);
+    assertTraps(kTrapMemOutOfBounds, peek);
+  }
+
+  assertEquals(4, growMem(15));
+
+  for (offset = 4*kPageSize - 2; offset <= 4*kPageSize + 4; offset+=2) {
+    poke(20);
+    assertEquals(20, peek());
+  }
+  for (offset = 19*kPageSize - 10; offset <= 19*kPageSize - 2; offset+=2) {
+    poke(20);
+    assertEquals(20, peek());
+  }
+  for (offset = 19*kPageSize - 1; offset < 19*kPageSize + 5; offset++) {
+    assertTraps(kTrapMemOutOfBounds, poke);
+    assertTraps(kTrapMemOutOfBounds, peek);
+  }
+}
+
+testGrowMemoryReadWrite16();
+
+function testGrowMemoryReadWrite8() {
+  var builder = genGrowMemoryBuilder();
+  builder.addMemory(1, 1, false);
+  var module = builder.instantiate();
+  var offset;
+  function peek() { return module.exports.load8(offset); }
+  function poke(value) { return module.exports.store8(offset, value); }
+  function growMem(pages) { return module.exports.grow_memory(pages); }
+
+  for(offset = 0; offset <= kPageSize - 1; offset++) {
+    poke(20);
+    assertEquals(20, peek());
+  }
+  for (offset = kPageSize; offset < kPageSize + 4; offset++) {
+    assertTraps(kTrapMemOutOfBounds, poke);
+    assertTraps(kTrapMemOutOfBounds, peek);
+  }
+
+  assertEquals(1, growMem(3));
+
+  for (offset = kPageSize; offset <= 4*kPageSize -1; offset++) {
+    poke(20);
+    assertEquals(20, peek());
+  }
+  for (offset = 4*kPageSize; offset < 4*kPageSize + 4; offset++) {
+    assertTraps(kTrapMemOutOfBounds, poke);
+    assertTraps(kTrapMemOutOfBounds, peek);
+  }
+
+  assertEquals(4, growMem(15));
+
+  for (offset = 4*kPageSize; offset <= 4*kPageSize + 4; offset++) {
+    poke(20);
+    assertEquals(20, peek());
+  }
+  for (offset = 19*kPageSize - 10; offset <= 19*kPageSize - 1; offset++) {
+    poke(20);
+    assertEquals(20, peek());
+  }
+  for (offset = 19*kPageSize; offset < 19*kPageSize + 5; offset++) {
+    assertTraps(kTrapMemOutOfBounds, poke);
+    assertTraps(kTrapMemOutOfBounds, peek);
+  }
+}
+
+testGrowMemoryReadWrite8();

 function testGrowMemoryZeroInitialSize() {
  var builder = genGrowMemoryBuilder();
@ -144,3 +250,76 @@ function testGrowMemoryCurrentMemory() {
 }

 testGrowMemoryCurrentMemory();
+
+function testGrowMemoryPreservesDataMemOp32() {
+  var builder = genGrowMemoryBuilder();
+  builder.addMemory(1, 1, false);
+  var module = builder.instantiate();
+  var offset, val;
+  function peek() { return module.exports.load(offset); }
+  function poke(value) { return module.exports.store(offset, value); }
+  function growMem(pages) { return module.exports.grow_memory(pages); }
+
+  for(offset = 0; offset <= (kPageSize - 4); offset+=4) {
+    poke(100000 - offset);
+    assertEquals(100000 - offset, peek());
+  }
+
+  assertEquals(1, growMem(3));
+
+  for(offset = 0; offset <= (kPageSize - 4); offset+=4) {
+    assertEquals(100000 - offset, peek());
+  }
+}
+
+testGrowMemoryPreservesDataMemOp32();
+
+function testGrowMemoryPreservesDataMemOp16() {
+  var builder = genGrowMemoryBuilder();
+  builder.addMemory(1, 1, false);
+  var module = builder.instantiate();
+  var offset, val;
+  function peek() { return module.exports.load16(offset); }
+  function poke(value) { return module.exports.store16(offset, value); }
+  function growMem(pages) { return module.exports.grow_memory(pages); }
+
+  for(offset = 0; offset <= (kPageSize - 2); offset+=2) {
+    poke(65535 - offset);
+    assertEquals(65535 - offset, peek());
+  }
+
+  assertEquals(1, growMem(3));
+
+  for(offset = 0; offset <= (kPageSize - 2); offset+=2) {
+    assertEquals(65535 - offset, peek());
+  }
+}
+
+testGrowMemoryPreservesDataMemOp16();
+
+function testGrowMemoryPreservesDataMemOp8() {
+  var builder = genGrowMemoryBuilder();
+  builder.addMemory(1, 1, false);
+  var module = builder.instantiate();
+  var offset, val = 0;
+  function peek() { return module.exports.load8(offset); }
+  function poke(value) { return module.exports.store8(offset, value); }
+  function growMem(pages) { return module.exports.grow_memory(pages); }
+
+  for(offset = 0; offset <= (kPageSize - 1); offset++, val++) {
+    poke(val);
+    assertEquals(val, peek());
+    if (val == 255) val = 0;
+  }
+
+  assertEquals(1, growMem(3));
+
+  val = 0;
+
+  for(offset = 0; offset <= (kPageSize - 1); offset++, val++) {
+    assertEquals(val, peek());
+    if (val == 255) val = 0;
+  }
+}
+
+testGrowMemoryPreservesDataMemOp8();