From 2a4b5933b8c0dc73a086bc1ffa5d3de3581f6808 Mon Sep 17 00:00:00 2001 From: gdeepti Date: Mon, 12 Sep 2016 00:32:42 -0700 Subject: [PATCH] [wasm] GrowMemory should use array_buffer_allocator instead of realloc. - Using realloc is still unsafe as the allocator, using array_buffer_allocator - Fixing tests to avoid overlapping stores, adding more tests BUG=v8:5344 R=ahaas@chromium.org, mlippautz@chromium.org Review-Url: https://codereview.chromium.org/2319983002 Cr-Commit-Position: refs/heads/master@{#39329} --- src/runtime/runtime-wasm.cc | 17 ++- test/mjsunit/wasm/grow-memory.js | 191 ++++++++++++++++++++++++++++++- 2 files changed, 196 insertions(+), 12 deletions(-) diff --git a/src/runtime/runtime-wasm.cc b/src/runtime/runtime-wasm.cc index 6fc72767ea..5727e2d021 100644 --- a/src/runtime/runtime-wasm.cc +++ b/src/runtime/runtime-wasm.cc @@ -86,14 +86,20 @@ RUNTIME_FUNCTION(Runtime_WasmGrowMemory) { wasm::WasmModule::kMaxMemPages * wasm::WasmModule::kPageSize) { return *isolate->factory()->NewNumberFromInt(-1); } - new_mem_start = static_cast
(realloc(old_mem_start, new_size)); + new_mem_start = + static_cast
(isolate->array_buffer_allocator()->Allocate( + static_cast(new_size))); if (new_mem_start == NULL) { return *isolate->factory()->NewNumberFromInt(-1); } - old_buffer->set_is_external(true); - isolate->heap()->UnregisterArrayBuffer(*old_buffer); - // Zero initializing uninitialized memory from realloc - memset(new_mem_start + old_size, 0, new_size - old_size); +#if DEBUG + // Double check the API allocator actually zero-initialized the memory. + for (size_t i = old_size; i < new_size; i++) { + DCHECK_EQ(0, new_mem_start[i]); + } +#endif + // Copy contents of the old buffer to the new buffer + memcpy(new_mem_start, old_mem_start, old_size); } Handle buffer = isolate->factory()->NewJSArrayBuffer(); @@ -102,7 +108,6 @@ RUNTIME_FUNCTION(Runtime_WasmGrowMemory) { // Set new buffer to be wasm memory module_object->SetInternalField(kWasmMemArrayBuffer, *buffer); - CHECK(wasm::UpdateWasmModuleMemory(module_object, old_mem_start, new_mem_start, old_size, new_size)); diff --git a/test/mjsunit/wasm/grow-memory.js b/test/mjsunit/wasm/grow-memory.js index 93db651c1b..858a19e3de 100644 --- a/test/mjsunit/wasm/grow-memory.js +++ b/test/mjsunit/wasm/grow-memory.js @@ -20,10 +20,22 @@ function genGrowMemoryBuilder() { builder.addFunction("store", kSig_i_ii) .addBody([kExprGetLocal, 0, kExprGetLocal, 1, kExprI32StoreMem, 0, 0]) .exportFunc(); + builder.addFunction("load16", kSig_i_i) + .addBody([kExprGetLocal, 0, kExprI32LoadMem16U, 0, 0]) + .exportFunc(); + builder.addFunction("store16", kSig_i_ii) + .addBody([kExprGetLocal, 0, kExprGetLocal, 1, kExprI32StoreMem16, 0, 0]) + .exportFunc(); + builder.addFunction("load8", kSig_i_i) + .addBody([kExprGetLocal, 0, kExprI32LoadMem8U, 0, 0]) + .exportFunc(); + builder.addFunction("store8", kSig_i_ii) + .addBody([kExprGetLocal, 0, kExprGetLocal, 1, kExprI32StoreMem8, 0, 0]) + .exportFunc(); return builder; } -function testGrowMemoryReadWrite() { +function testGrowMemoryReadWrite32() { var builder = genGrowMemoryBuilder(); builder.addMemory(1, 1, false); var module = builder.instantiate(); @@ -32,7 +44,7 @@ function testGrowMemoryReadWrite() { function poke(value) { return module.exports.store(offset, value); } function growMem(pages) { return module.exports.grow_memory(pages); } - for(offset = 0; offset <= (kPageSize - 4); offset++) { + for(offset = 0; offset <= (kPageSize - 4); offset+=4) { poke(20); assertEquals(20, peek()); } @@ -43,7 +55,7 @@ function testGrowMemoryReadWrite() { assertEquals(1, growMem(3)); - for (offset = kPageSize; offset <= 4*kPageSize -4; offset++) { + for (offset = kPageSize; offset <= 4*kPageSize -4; offset+=4) { poke(20); assertEquals(20, peek()); } @@ -54,11 +66,11 @@ function testGrowMemoryReadWrite() { assertEquals(4, growMem(15)); - for (offset = 4*kPageSize - 3; offset <= 4*kPageSize + 4; offset++) { + for (offset = 4*kPageSize - 3; offset <= 4*kPageSize + 4; offset+=4) { poke(20); assertEquals(20, peek()); } - for (offset = 19*kPageSize - 10; offset <= 19*kPageSize - 4; offset++) { + for (offset = 19*kPageSize - 10; offset <= 19*kPageSize - 4; offset+=4) { poke(20); assertEquals(20, peek()); } @@ -68,7 +80,101 @@ function testGrowMemoryReadWrite() { } } -testGrowMemoryReadWrite(); +testGrowMemoryReadWrite32(); + +function testGrowMemoryReadWrite16() { + var builder = genGrowMemoryBuilder(); + builder.addMemory(1, 1, false); + var module = builder.instantiate(); + var offset; + function peek() { return module.exports.load16(offset); } + function poke(value) { return module.exports.store16(offset, value); } + function growMem(pages) { return module.exports.grow_memory(pages); } + + for(offset = 0; offset <= (kPageSize - 2); offset+=2) { + poke(20); + assertEquals(20, peek()); + } + for (offset = kPageSize - 1; offset < kPageSize + 4; offset++) { + assertTraps(kTrapMemOutOfBounds, poke); + assertTraps(kTrapMemOutOfBounds, peek); + } + + assertEquals(1, growMem(3)); + + for (offset = kPageSize; offset <= 4*kPageSize -2; offset+=2) { + poke(20); + assertEquals(20, peek()); + } + for (offset = 4*kPageSize - 1; offset < 4*kPageSize + 4; offset++) { + assertTraps(kTrapMemOutOfBounds, poke); + assertTraps(kTrapMemOutOfBounds, peek); + } + + assertEquals(4, growMem(15)); + + for (offset = 4*kPageSize - 2; offset <= 4*kPageSize + 4; offset+=2) { + poke(20); + assertEquals(20, peek()); + } + for (offset = 19*kPageSize - 10; offset <= 19*kPageSize - 2; offset+=2) { + poke(20); + assertEquals(20, peek()); + } + for (offset = 19*kPageSize - 1; offset < 19*kPageSize + 5; offset++) { + assertTraps(kTrapMemOutOfBounds, poke); + assertTraps(kTrapMemOutOfBounds, peek); + } +} + +testGrowMemoryReadWrite16(); + +function testGrowMemoryReadWrite8() { + var builder = genGrowMemoryBuilder(); + builder.addMemory(1, 1, false); + var module = builder.instantiate(); + var offset; + function peek() { return module.exports.load8(offset); } + function poke(value) { return module.exports.store8(offset, value); } + function growMem(pages) { return module.exports.grow_memory(pages); } + + for(offset = 0; offset <= kPageSize - 1; offset++) { + poke(20); + assertEquals(20, peek()); + } + for (offset = kPageSize; offset < kPageSize + 4; offset++) { + assertTraps(kTrapMemOutOfBounds, poke); + assertTraps(kTrapMemOutOfBounds, peek); + } + + assertEquals(1, growMem(3)); + + for (offset = kPageSize; offset <= 4*kPageSize -1; offset++) { + poke(20); + assertEquals(20, peek()); + } + for (offset = 4*kPageSize; offset < 4*kPageSize + 4; offset++) { + assertTraps(kTrapMemOutOfBounds, poke); + assertTraps(kTrapMemOutOfBounds, peek); + } + + assertEquals(4, growMem(15)); + + for (offset = 4*kPageSize; offset <= 4*kPageSize + 4; offset++) { + poke(20); + assertEquals(20, peek()); + } + for (offset = 19*kPageSize - 10; offset <= 19*kPageSize - 1; offset++) { + poke(20); + assertEquals(20, peek()); + } + for (offset = 19*kPageSize; offset < 19*kPageSize + 5; offset++) { + assertTraps(kTrapMemOutOfBounds, poke); + assertTraps(kTrapMemOutOfBounds, peek); + } +} + +testGrowMemoryReadWrite8(); function testGrowMemoryZeroInitialSize() { var builder = genGrowMemoryBuilder(); @@ -144,3 +250,76 @@ function testGrowMemoryCurrentMemory() { } testGrowMemoryCurrentMemory(); + +function testGrowMemoryPreservesDataMemOp32() { + var builder = genGrowMemoryBuilder(); + builder.addMemory(1, 1, false); + var module = builder.instantiate(); + var offset, val; + function peek() { return module.exports.load(offset); } + function poke(value) { return module.exports.store(offset, value); } + function growMem(pages) { return module.exports.grow_memory(pages); } + + for(offset = 0; offset <= (kPageSize - 4); offset+=4) { + poke(100000 - offset); + assertEquals(100000 - offset, peek()); + } + + assertEquals(1, growMem(3)); + + for(offset = 0; offset <= (kPageSize - 4); offset+=4) { + assertEquals(100000 - offset, peek()); + } +} + +testGrowMemoryPreservesDataMemOp32(); + +function testGrowMemoryPreservesDataMemOp16() { + var builder = genGrowMemoryBuilder(); + builder.addMemory(1, 1, false); + var module = builder.instantiate(); + var offset, val; + function peek() { return module.exports.load16(offset); } + function poke(value) { return module.exports.store16(offset, value); } + function growMem(pages) { return module.exports.grow_memory(pages); } + + for(offset = 0; offset <= (kPageSize - 2); offset+=2) { + poke(65535 - offset); + assertEquals(65535 - offset, peek()); + } + + assertEquals(1, growMem(3)); + + for(offset = 0; offset <= (kPageSize - 2); offset+=2) { + assertEquals(65535 - offset, peek()); + } +} + +testGrowMemoryPreservesDataMemOp16(); + +function testGrowMemoryPreservesDataMemOp8() { + var builder = genGrowMemoryBuilder(); + builder.addMemory(1, 1, false); + var module = builder.instantiate(); + var offset, val = 0; + function peek() { return module.exports.load8(offset); } + function poke(value) { return module.exports.store8(offset, value); } + function growMem(pages) { return module.exports.grow_memory(pages); } + + for(offset = 0; offset <= (kPageSize - 1); offset++, val++) { + poke(val); + assertEquals(val, peek()); + if (val == 255) val = 0; + } + + assertEquals(1, growMem(3)); + + val = 0; + + for(offset = 0; offset <= (kPageSize - 1); offset++, val++) { + assertEquals(val, peek()); + if (val == 255) val = 0; + } +} + +testGrowMemoryPreservesDataMemOp8();