[wasm] Fix more 32/64 bit issues
For simplicity, our current approach is to do all computations and bounds checks on 32 bit values, and only convert to pointer size right before using the value as memory offset. Unfortunately, there are still cases left where we use 32-bit values for 64-bit operations, which can lead to subtle bugs. This CL hopefully fixes the last of these bugs. R=titzer@chromium.org Bug: v8:7257 Change-Id: I8d340f83ad17925c0d18d4e788350ef6101786ea Reviewed-on: https://chromium-review.googlesource.com/852299 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#50409}
parent
a4de840cd3
commit
9180b2ca46
@ -3565,23 +3565,17 @@ Node* WasmGraphBuilder::BoundsCheckMem(uint8_t access_size, Node* index,
// The end offset is larger than the smallest memory.
// Dynamically check the end offset against the actual memory size, which
// is not known at compile time.
Node* cond;
if (jsgraph()->machine()->Is32()) {
cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThanOrEqual(),
Node* cond =
graph()->NewNode(jsgraph()->machine()->Uint32LessThanOrEqual(),
jsgraph()->Int32Constant(end_offset), mem_size);
} else {
cond = graph()->NewNode(
jsgraph()->machine()->Uint64LessThanOrEqual(),
jsgraph()->Int64Constant(static_cast<int64_t>(end_offset)), mem_size);
}
TrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
} else {
// The end offset is within the bounds of the smallest memory, so only
// one check is required. Check to see if the index is also a constant.
UintPtrMatcher match(index);
Uint32Matcher match(index);
if (match.HasValue()) {
uint64_t index_val = match.Value();
if ((index_val + offset + access_size) <= min_size) {
uint32_t index_val = match.Value();
if (index_val <= min_size - end_offset) {
// The input index is a constant and everything is statically within
// bounds of the smallest possible memory.
return Uint32ToUintptr(index);
@ -3592,16 +3586,10 @@ Node* WasmGraphBuilder::BoundsCheckMem(uint8_t access_size, Node* index,
// Compute the effective size of the memory, which is the size of the memory
// minus the statically known offset, minus the byte size of the access minus
// one.
Node* effective_size;
if (jsgraph()->machine()->Is32()) {
effective_size =
// This produces a positive number since {end_offset <= min_size <= mem_size}.
Node* effective_size =
graph()->NewNode(jsgraph()->machine()->Int32Sub(), mem_size,
jsgraph()->Int32Constant(end_offset - 1));
} else {
effective_size = graph()->NewNode(
jsgraph()->machine()->Int64Sub(), mem_size,
jsgraph()->Int64Constant(static_cast<int64_t>(end_offset - 1)));
}
// Introduce the actual bounds check.
|
||||
Node* cond = graph()->NewNode(m->Uint32LessThan(), index, effective_size);
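Review bot: The new `Uint32LessThanOrEqual(Int32Constant(end_offset), mem_size)` check in the first hunk, and the `min_size - end_offset` and `end_offset - 1` arithmetic that builds on it, are only sound if `end_offset` itself cannot have wrapped in 32 bits, and nothing in these hunks establishes that. Judging by the replaced `index_val + offset + access_size` comparison, `end_offset` appears to be `offset + access_size` computed outside the hunk; if that sum wrapped, a small `end_offset` would pass the dynamic check and the later `Uint32LessThan(index, effective_size)` check would be computed against a wrong size. If the computation site already rejects that case, it is worth stating the invariant where it is relied on, e.g. `// {end_offset} (offset + access_size) is guaranteed not to have wrapped in 32 bits; TODO(review): confirm at the computation site above.` The second hunk likewise assumes `mem_size` is now a 32-bit node (`Int32Sub`, `Uint32LessThan`); its construction is outside the hunk, so confirm the 64-bit variant was removed for every path that produces it rather than only here. BoundsCheckMem starts and ends outside both hunks.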