Reland "[csa] Ensure the requested allocation size fits in a Smi"

This is a reland of 515cc07d28 Original change's description: > [csa] Ensure the requested allocation size fits in a Smi > > In CSA::AllocateRaw, ensure that the given allocation size fits into a > Smi. > > Bug: chromium:848672 > Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng > Change-Id: I4e74791296163188b1ca77cae8226a9833fba8ef > Reviewed-on: https://chromium-review.googlesource.com/1084930 > Reviewed-by: Yang Guo <yangguo@chromium.org> > Reviewed-by: Igor Sheludko <ishell@chromium.org> > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Cr-Commit-Position: refs/heads/master@{#53495} TBR=yangguo@chromium.org,ishell@chromium.org Bug: chromium:848672 Change-Id: I135868390784a0ee95ff42224dd00f66f3bf2d80 Cq-Include-Trybots: luci.chromium.try:linux_chromium_rel_ng Reviewed-on: https://chromium-review.googlesource.com/1086828 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#53512}
2018-06-05 10:00:23 +02:00 · 2018-06-05 10:00:23 +02:00 · 8e8638c319
commit 8e8638c319
parent aff8034547
4 changed files with 98 additions and 27 deletions
--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@ -534,6 +534,18 @@ TNode<Smi> CodeStubAssembler::SmiFromInt32(SloppyTNode<Int32T> value) {
      WordShl(value_intptr, SmiShiftBitsConstant()));
 }

+TNode<BoolT> CodeStubAssembler::IsValidPositiveSmi(TNode<IntPtrT> value) {
+  intptr_t constant_value;
+  if (ToIntPtrConstant(value, constant_value)) {
+    return (static_cast<uintptr_t>(constant_value) <=
+            static_cast<uintptr_t>(Smi::kMaxValue))
+               ? Int32TrueConstant()
+               : Int32FalseConstant();
+  }
+
+  return UintPtrLessThanOrEqual(value, IntPtrConstant(Smi::kMaxValue));
+}
+
 TNode<Smi> CodeStubAssembler::SmiTag(SloppyTNode<IntPtrT> value) {
  int32_t constant_value;
  if (ToInt32Constant(value, constant_value) && Smi::IsValid(constant_value)) {
@ -1024,6 +1036,19 @@ void CodeStubAssembler::GotoIfForceSlowPath(Label* if_true) {

 Node* CodeStubAssembler::AllocateRaw(Node* size_in_bytes, AllocationFlags flags,
                                     Node* top_address, Node* limit_address) {
+  // TODO(jgruber, chromium:848672): TNodeify AllocateRaw.
+  // TODO(jgruber, chromium:848672): Call FatalProcessOutOfMemory if this fails.
+  {
+    intptr_t constant_value;
+    if (ToIntPtrConstant(size_in_bytes, constant_value)) {
+      CHECK(Internals::IsValidSmi(constant_value));
+      CHECK_GT(constant_value, 0);
+    } else {
+      CSA_CHECK(this,
+                IsValidPositiveSmi(UncheckedCast<IntPtrT>(size_in_bytes)));
+    }
+  }
+
  Node* top = Load(MachineType::Pointer(), top_address);
  Node* limit = Load(MachineType::Pointer(), limit_address);

--- a/src/code-stub-assembler.h
+++ b/src/code-stub-assembler.h
@ -278,6 +278,9 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
                                        TNode<Object> index,
                                        TNode<IntPtrT> length);

+  // Returns true iff the given value fits into smi range and is >= 0.
+  TNode<BoolT> IsValidPositiveSmi(TNode<IntPtrT> value);
+
  // Tag an IntPtr as a Smi value.
  TNode<Smi> SmiTag(SloppyTNode<IntPtrT> value);
  // Untag a Smi value as an IntPtr.
--- a/test/cctest/test-code-stub-assembler.cc
+++ b/test/cctest/test-code-stub-assembler.cc
@ -209,6 +209,49 @@ TEST(ToUint32) {
  ft.CheckThrows(factory->match_symbol());
 }

+namespace {
+void IsValidPositiveSmiCase(Isolate* isolate, intptr_t value, bool expected) {
+  const int kNumParams = 0;
+  CodeAssemblerTester asm_tester(isolate, kNumParams);
+
+  CodeStubAssembler m(asm_tester.state());
+  m.Return(
+      m.SelectBooleanConstant(m.IsValidPositiveSmi(m.IntPtrConstant(value))));
+
+  FunctionTester ft(asm_tester.GenerateCode(), kNumParams);
+  MaybeHandle<Object> maybe_handle = ft.Call();
+
+  if (expected) {
+    CHECK(maybe_handle.ToHandleChecked()->IsTrue(isolate));
+  } else {
+    CHECK(maybe_handle.ToHandleChecked()->IsFalse(isolate));
+  }
+}
+}  // namespace
+
+TEST(IsValidPositiveSmi) {
+  Isolate* isolate(CcTest::InitIsolateOnce());
+
+  IsValidPositiveSmiCase(isolate, -1, false);
+  IsValidPositiveSmiCase(isolate, 0, true);
+  IsValidPositiveSmiCase(isolate, 1, true);
+
+#ifdef V8_TARGET_ARCH_32_BIT
+  IsValidPositiveSmiCase(isolate, 0x3FFFFFFFU, true);
+  IsValidPositiveSmiCase(isolate, 0xC0000000U, false);
+  IsValidPositiveSmiCase(isolate, 0x40000000U, false);
+  IsValidPositiveSmiCase(isolate, 0xBFFFFFFFU, false);
+#else
+  typedef std::numeric_limits<int32_t> int32_limits;
+  IsValidPositiveSmiCase(isolate, int32_limits::max(), true);
+  IsValidPositiveSmiCase(isolate, int32_limits::min(), false);
+  IsValidPositiveSmiCase(isolate,
+                         static_cast<intptr_t>(int32_limits::max()) + 1, false);
+  IsValidPositiveSmiCase(isolate,
+                         static_cast<intptr_t>(int32_limits::min()) - 1, false);
+#endif
+}
+
 TEST(FixedArrayAccessSmiIndex) {
  Isolate* isolate(CcTest::InitIsolateOnce());
  CodeAssemblerTester asm_tester(isolate);
--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@ -266,33 +266,33 @@ KNOWN_MAPS = {
  ("RO_SPACE", 0x05019): (172, "Tuple2Map"),
  ("RO_SPACE", 0x05211): (170, "ScriptMap"),
  ("RO_SPACE", 0x053d9): (162, "InterceptorInfoMap"),
-  ("RO_SPACE", 0x07b79): (154, "AccessorInfoMap"),
-  ("RO_SPACE", 0x07d89): (153, "AccessCheckInfoMap"),
-  ("RO_SPACE", 0x07df1): (155, "AccessorPairMap"),
-  ("RO_SPACE", 0x07e59): (156, "AliasedArgumentsEntryMap"),
-  ("RO_SPACE", 0x07ec1): (157, "AllocationMementoMap"),
-  ("RO_SPACE", 0x07f29): (158, "AllocationSiteMap"),
-  ("RO_SPACE", 0x07f91): (159, "AsyncGeneratorRequestMap"),
-  ("RO_SPACE", 0x07ff9): (160, "DebugInfoMap"),
-  ("RO_SPACE", 0x08061): (161, "FunctionTemplateInfoMap"),
-  ("RO_SPACE", 0x080c9): (163, "InterpreterDataMap"),
-  ("RO_SPACE", 0x08131): (164, "ModuleInfoEntryMap"),
-  ("RO_SPACE", 0x08199): (165, "ModuleMap"),
-  ("RO_SPACE", 0x08201): (166, "ObjectTemplateInfoMap"),
-  ("RO_SPACE", 0x08269): (167, "PromiseCapabilityMap"),
-  ("RO_SPACE", 0x082d1): (168, "PromiseReactionMap"),
-  ("RO_SPACE", 0x08339): (169, "PrototypeInfoMap"),
-  ("RO_SPACE", 0x083a1): (171, "StackFrameInfoMap"),
-  ("RO_SPACE", 0x08409): (173, "Tuple3Map"),
-  ("RO_SPACE", 0x08471): (174, "WasmCompiledModuleMap"),
-  ("RO_SPACE", 0x084d9): (175, "WasmDebugInfoMap"),
-  ("RO_SPACE", 0x08541): (176, "WasmExportedFunctionDataMap"),
-  ("RO_SPACE", 0x085a9): (177, "WasmSharedModuleDataMap"),
-  ("RO_SPACE", 0x08611): (178, "CallableTaskMap"),
-  ("RO_SPACE", 0x08679): (179, "CallbackTaskMap"),
-  ("RO_SPACE", 0x086e1): (180, "PromiseFulfillReactionJobTaskMap"),
-  ("RO_SPACE", 0x08749): (181, "PromiseRejectReactionJobTaskMap"),
-  ("RO_SPACE", 0x087b1): (182, "PromiseResolveThenableJobTaskMap"),
+  ("RO_SPACE", 0x07c09): (154, "AccessorInfoMap"),
+  ("RO_SPACE", 0x07e19): (153, "AccessCheckInfoMap"),
+  ("RO_SPACE", 0x07e81): (155, "AccessorPairMap"),
+  ("RO_SPACE", 0x07ee9): (156, "AliasedArgumentsEntryMap"),
+  ("RO_SPACE", 0x07f51): (157, "AllocationMementoMap"),
+  ("RO_SPACE", 0x07fb9): (158, "AllocationSiteMap"),
+  ("RO_SPACE", 0x08021): (159, "AsyncGeneratorRequestMap"),
+  ("RO_SPACE", 0x08089): (160, "DebugInfoMap"),
+  ("RO_SPACE", 0x080f1): (161, "FunctionTemplateInfoMap"),
+  ("RO_SPACE", 0x08159): (163, "InterpreterDataMap"),
+  ("RO_SPACE", 0x081c1): (164, "ModuleInfoEntryMap"),
+  ("RO_SPACE", 0x08229): (165, "ModuleMap"),
+  ("RO_SPACE", 0x08291): (166, "ObjectTemplateInfoMap"),
+  ("RO_SPACE", 0x082f9): (167, "PromiseCapabilityMap"),
+  ("RO_SPACE", 0x08361): (168, "PromiseReactionMap"),
+  ("RO_SPACE", 0x083c9): (169, "PrototypeInfoMap"),
+  ("RO_SPACE", 0x08431): (171, "StackFrameInfoMap"),
+  ("RO_SPACE", 0x08499): (173, "Tuple3Map"),
+  ("RO_SPACE", 0x08501): (174, "WasmCompiledModuleMap"),
+  ("RO_SPACE", 0x08569): (175, "WasmDebugInfoMap"),
+  ("RO_SPACE", 0x085d1): (176, "WasmExportedFunctionDataMap"),
+  ("RO_SPACE", 0x08639): (177, "WasmSharedModuleDataMap"),
+  ("RO_SPACE", 0x086a1): (178, "CallableTaskMap"),
+  ("RO_SPACE", 0x08709): (179, "CallbackTaskMap"),
+  ("RO_SPACE", 0x08771): (180, "PromiseFulfillReactionJobTaskMap"),
+  ("RO_SPACE", 0x087d9): (181, "PromiseRejectReactionJobTaskMap"),
+  ("RO_SPACE", 0x08841): (182, "PromiseResolveThenableJobTaskMap"),
  ("MAP_SPACE", 0x02201): (1057, "ExternalMap"),
  ("MAP_SPACE", 0x02259): (1072, "JSMessageObjectMap"),
 }