[wasm] Increase WebAssembly.Memory maximum size to 2GB

BUG=v8:6478, chromium:729768 R=bradnelson@chromium.org, eholk@chromium.org Review-Url: https://codereview.chromium.org/2903153002 Cr-Commit-Position: refs/heads/master@{#45931}
2017-06-13 17:55:24 -07:00 · 2017-06-13 17:55:24 -07:00 · 7e6ed62071
commit 7e6ed62071
parent 284a4804f2
6 changed files with 96 additions and 8 deletions
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@ -2899,7 +2899,8 @@ Node* WasmGraphBuilder::MemBuffer(uint32_t offset) {
    return mem_buffer_;
  } else {
    return jsgraph()->RelocatableIntPtrConstant(
-        mem_start + offset, RelocInfo::WASM_MEMORY_REFERENCE);
+        static_cast<uintptr_t>(mem_start + offset),
+        RelocInfo::WASM_MEMORY_REFERENCE);
  }
 }

--- a/src/wasm/wasm-limits.h
+++ b/src/wasm/wasm-limits.h
@ -22,7 +22,9 @@ constexpr size_t kV8MaxWasmExports = 100000;
 constexpr size_t kV8MaxWasmGlobals = 1000000;
 constexpr size_t kV8MaxWasmDataSegments = 100000;
 // Don't use this limit directly, but use the value of FLAG_wasm_max_mem_pages.
-constexpr size_t kV8MaxWasmMemoryPages = 16384;  // = 1 GiB
+// Current limit mimics the maximum allowed allocation on an ArrayBuffer
+// (2GiB - 1 page).
+constexpr size_t kV8MaxWasmMemoryPages = 32767;  // ~ 2 GiB
 constexpr size_t kV8MaxWasmStringSize = 100000;
 constexpr size_t kV8MaxWasmModuleSize = 1024 * 1024 * 1024;  // = 1 GiB
 constexpr size_t kV8MaxWasmFunctionSize = 128 * 1024;
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@ -339,6 +339,15 @@
  'getters-on-elements': [PASS, ['gc_stress == True', FAIL]],
 }],  # 'arch == arm64 and mode == debug and simulator_run == True'

+['arch == arm and simulator_run == True or arch == ppc and simulator_run == True', {
+  # Because of how allocations in the simulator work, the allocator
+  # assumes address space to be in the signed int32 range, because of
+  # this when using a large offset the computation exceeds a signed
+  # 32-bit type, the addresses wrap around and hit DCHECKS which
+  # work as expected on hardware.
+  'wasm/large-offset': [SKIP],
+}],  # 'arch == arm and simulator_run == True or arch == ppc and simulator_run == True'
+
 ##############################################################################
 ['asan == True', {
  # Skip tests not suitable for ASAN.
--- a/test/mjsunit/wasm/grow-memory.js
+++ b/test/mjsunit/wasm/grow-memory.js
@ -8,7 +8,7 @@ load("test/mjsunit/wasm/wasm-constants.js");
 load("test/mjsunit/wasm/wasm-module-builder.js");

 var kPageSize = 0x10000;
-var kV8MaxPages = 16384;
+var kV8MaxPages = 32767;

 function genGrowMemoryBuilder() {
  var builder = new WasmModuleBuilder();
@ -298,9 +298,8 @@ function testGrowMemoryTrapMaxPagesZeroInitialMemory() {
  var builder = genGrowMemoryBuilder();
  builder.addMemory(0, kV8MaxPages, false);
  var module = builder.instantiate();
-  var maxPages = 16385;
  function growMem(pages) { return module.exports.grow_memory(pages); }
-  assertEquals(-1, growMem(maxPages));
+  assertEquals(-1, growMem(kV8MaxPages + 1));
 }

 testGrowMemoryTrapMaxPagesZeroInitialMemory();
@ -309,9 +308,8 @@ function testGrowMemoryTrapMaxPages() {
  var builder = genGrowMemoryBuilder();
  builder.addMemory(1, 1, false);
  var module = builder.instantiate();
-  var maxPages = 16384;
  function growMem(pages) { return module.exports.grow_memory(pages); }
-  assertEquals(-1, growMem(maxPages));
+  assertEquals(-1, growMem(kV8MaxPages));
 }

 testGrowMemoryTrapMaxPages();
@ -493,3 +491,54 @@ function testGrowMemoryDeclaredSpecMaxTraps() {
 }

 testGrowMemoryDeclaredSpecMaxTraps();
+
+function testGrowMemory2Gb() {
+  print("testGrowMemory2Gb");
+  var builder = genGrowMemoryBuilder();
+  builder.addMemory(1, kV8MaxPages, false);
+  var module = builder.instantiate();
+  var offset, val;
+  function peek() { return module.exports.load(offset); }
+  function poke(value) { return module.exports.store(offset, value); }
+  function growMem(pages) { return module.exports.grow_memory(pages); }
+
+  for(offset = 0; offset <= (kPageSize - 4); offset+=4) {
+    poke(100000 - offset);
+    assertEquals(100000 - offset, peek());
+  }
+
+  let result = growMem(kV8MaxPages - 1);
+  if (result == 1 ){
+    for(offset = 0; offset <= (kPageSize - 4); offset+=4) {
+      assertEquals(100000 - offset, peek());
+    }
+
+    // Bounds check for large mem size
+    for(offset = (kV8MaxPages - 1) * kPageSize;
+        offset <= (kV8MaxPages * kPageSize - 4); offset+=4) {
+      poke(0xaced);
+      assertEquals(0xaced, peek());
+    }
+
+    for (offset = kV8MaxPages * kPageSize - 3;
+        offset <= kV8MaxPages * kPageSize + 4; offset++) {
+      assertTraps(kTrapMemOutOfBounds, poke);
+    }
+
+    // Check traps around 3GB/4GB boundaries
+    let offset_3gb = 49152 * kPageSize;
+    let offset_4gb = 2 * kV8MaxPages * kPageSize;
+    for (offset = offset_3gb - 5; offset < offset_3gb + 4; offset++) {
+      assertTraps(kTrapMemOutOfBounds, poke);
+    }
+    for (offset = offset_4gb - 5; offset < offset_4gb; offset++) {
+      assertTraps(kTrapMemOutOfBounds, poke);
+    }
+  } else {
+    // Allocating big chunks of memory can fail on gc_stress, especially on 32
+    // bit platforms. When grow_memory fails, expected result is -1.
+    assertEquals(-1, result);
+  }
+}
+
+testGrowMemory2Gb();
--- a/test/mjsunit/wasm/import-memory.js
+++ b/test/mjsunit/wasm/import-memory.js
@ -149,6 +149,7 @@ load("test/mjsunit/wasm/wasm-module-builder.js");

 (function TestGrowMemoryZeroInitialMemory() {
  print("ZeroInitialMemory");
+  let kV8MaxPages = 32767;
  let memory = new WebAssembly.Memory({initial: 0});
  assertEquals(0, memory.buffer.byteLength);
  let i32 = new Int32Array(memory.buffer);
@ -176,7 +177,7 @@ load("test/mjsunit/wasm/wasm-module-builder.js");
  for (offset = 5 * kPageSize; offset < 5 * kPageSize + 4; offset++) {
    assertThrows(load);
  }
-  assertThrows(() => memory.grow(16381));
+  assertThrows(() => memory.grow(kV8MaxPages - 3));
 })();

 (function ImportedMemoryBufferLength() {
--- a/test/mjsunit/wasm/large-offset.js
+++ b/test/mjsunit/wasm/large-offset.js
@ -0,0 +1,26 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+function testGrowMemoryOutOfBoundsOffset() {
+  print("testGrowMemoryOutOfBoundsOffset2");
+  var builder = new WasmModuleBuilder();
+  builder.addMemory(16, 128, false);
+  builder.addFunction("main", kSig_v_v)
+      .addBody([
+          kExprI32Const, 20,
+          kExprI32Const, 29,
+          kExprGrowMemory, kMemoryZero,
+          // Assembly equivalent Move <reg>,0xf5fffff
+          // with wasm memory reference relocation information
+          kExprI32StoreMem, 0, 0xFF, 0xFF, 0xFF, 0x7A
+          ])
+      .exportAs("main");
+  var module = builder.instantiate();
+  assertTraps(kTrapMemOutOfBounds, module.exports.main);
+}
+
+testGrowMemoryOutOfBoundsOffset();