[wasm] Avoid js-typed-lowering optimization for wasm Memory objects

If an ArrayBuffer is setup through the WebAssembly.Memory constructor, identify these with a flag and avoid optimizations in js-typed-lowering.cc. This is needed becasue buffers associated with memory objects can be grown/detached leading to crashes. BUG=chromium:717194 Review-Url: https://codereview.chromium.org/2862763002 Cr-Commit-Position: refs/heads/master@{#45105}
2017-05-04 10:21:56 -07:00 · 2017-05-04 10:21:56 -07:00 · 82503e9ba3
commit 82503e9ba3
parent 0cd0fa3b98
5 changed files with 50 additions and 2 deletions
--- a/src/compiler/js-typed-lowering.cc
+++ b/src/compiler/js-typed-lowering.cc
@ -1205,7 +1205,8 @@ Reduction JSTypedLowering::ReduceJSLoadProperty(Node* node) {
  if (mbase.HasValue() && mbase.Value()->IsJSTypedArray()) {
    Handle<JSTypedArray> const array =
        Handle<JSTypedArray>::cast(mbase.Value());
-    if (!array->GetBuffer()->was_neutered()) {
+    if (!array->GetBuffer()->was_neutered() &&
+        !array->GetBuffer()->is_wasm_buffer()) {
      array->GetBuffer()->set_is_neuterable(false);
      BufferAccess const access(array->type());
      size_t const k =
@ -1257,7 +1258,8 @@ Reduction JSTypedLowering::ReduceJSStoreProperty(Node* node) {
  if (mbase.HasValue() && mbase.Value()->IsJSTypedArray()) {
    Handle<JSTypedArray> const array =
        Handle<JSTypedArray>::cast(mbase.Value());
-    if (!array->GetBuffer()->was_neutered()) {
+    if (!array->GetBuffer()->was_neutered() &&
+        !array->GetBuffer()->is_wasm_buffer()) {
      array->GetBuffer()->set_is_neuterable(false);
      BufferAccess const access(array->type());
      size_t const k =
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@ -6975,6 +6975,14 @@ void JSArrayBuffer::set_has_guard_region(bool value) {
  set_bit_field(HasGuardRegion::update(bit_field(), value));
 }

+bool JSArrayBuffer::is_wasm_buffer() {
+  return IsWasmBuffer::decode(bit_field());
+}
+
+void JSArrayBuffer::set_is_wasm_buffer(bool value) {
+  set_bit_field(IsWasmBuffer::update(bit_field(), value));
+}
+
 Object* JSArrayBufferView::byte_offset() const {
  if (WasNeutered()) return Smi::kZero;
  return Object::cast(READ_FIELD(this, kByteOffsetOffset));
--- a/src/objects.h
+++ b/src/objects.h
@ -9325,6 +9325,11 @@ class JSArrayBuffer: public JSObject {
  inline bool has_guard_region();
  inline void set_has_guard_region(bool value);

+  // TODO(gdeepti): This flag is introduced to disable asm.js optimizations in
+  // js-typer-lowering.cc, remove when the asm.js case is fixed.
+  inline bool is_wasm_buffer();
+  inline void set_is_wasm_buffer(bool value);
+
  DECLARE_CAST(JSArrayBuffer)

  void Neuter();
@ -9367,6 +9372,7 @@ class JSArrayBuffer: public JSObject {
  class WasNeutered : public BitField<bool, 3, 1> {};
  class IsShared : public BitField<bool, 4, 1> {};
  class HasGuardRegion : public BitField<bool, 5, 1> {};
+  class IsWasmBuffer : public BitField<bool, 6, 1> {};

 private:
  DISALLOW_IMPLICIT_CONSTRUCTORS(JSArrayBuffer);
--- a/src/wasm/wasm-module.cc
+++ b/src/wasm/wasm-module.cc
@ -817,6 +817,7 @@ Handle<JSArrayBuffer> wasm::SetupArrayBuffer(Isolate* isolate,
  JSArrayBuffer::Setup(buffer, isolate, is_external, backing_store,
                       static_cast<int>(size));
  buffer->set_is_neuterable(false);
+  buffer->set_is_wasm_buffer(true);
  buffer->set_has_guard_region(enable_guard_regions);

  if (is_external) {
@ -1224,6 +1225,7 @@ class InstantiationHelper {
    if (!memory_.is_null()) {
      // Set externally passed ArrayBuffer non neuterable.
      memory_->set_is_neuterable(false);
+      memory_->set_is_wasm_buffer(true);

      DCHECK_IMPLIES(EnableGuardRegions(),
                     module_->is_asm_js() || memory_->has_guard_region());
--- a/test/mjsunit/regress/wasm/regression-717194.js
+++ b/test/mjsunit/regress/wasm/regression-717194.js
@ -0,0 +1,30 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+PAGE_SIZE = 0x10000;
+PAGES = 10;
+
+memory = new WebAssembly.Memory({initial: PAGES});
+buffer = memory.buffer;
+
+var func = (function (stdlib, env, heap) {
+    "use asm";
+
+    var array = new stdlib.Int32Array(heap);
+
+    return function () {
+        array[0] = 0x41424344;
+        array[1] = 0x45464748;
+    }
+}({Int32Array: Int32Array}, {}, buffer));
+
+for (var i = 0; i < 1000; ++i)
+    func();
+
+memory.grow(1);
+
+func();
+
+for(var i = 0; i < 2; ++i)
+    new ArrayBuffer(PAGE_SIZE * PAGES);