AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[wasm] Add missing checks for growing the stack

Browse Source 
Whenever more then one value is pushed to the stack, we need to execute
a check for growing the stack first (since https://crrev.com/c/2431525).
This CL adds two missing checks.

R=thibaudm@chromium.org

Bug: chromium:1137582
Change-Id: I9755502dfdb77c03d1dde3e83fb7d33b9b99e499
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2467796
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70480}
This commit is contained in:
Clemens Backes 2020-10-13 12:53:15 +02:00 committed by Commit Bot
parent cf84dd04a3
commit 9d7be16cae
2 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/wasm/function-body-decoder-impl.h
View File

@ -2403,12 +2403,13 @@ class WasmFullDecoder : public WasmDecoder<validate> {
Control* c = control_at(imm.depth.depth);
Value exception = Pop(0, kWasmExnRef);
const WasmExceptionSig* sig = imm.index.exception->sig;
size_t value_count = sig->parameter_count();
int value_count = static_cast<int>(sig->parameter_count());
// TODO(wasm): This operand stack mutation is an ugly hack to make
// both type checking here as well as environment merging in the
// graph builder interface work out of the box. We should introduce
// special handling for both and do minimal/no stack mutation here.
for (size_t i = 0; i < value_count; ++i) Push(sig->GetParam(i));
EnsureStackSpace(value_count);
for (int i = 0; i < value_count; ++i) Push(sig->GetParam(i));
Vector<Value> values(stack_ + c->stack_depth, value_count);
TypeCheckBranchResult check_result = TypeCheckBranch(c, true);
if (this->failed()) return 0;
@ -2419,7 +2420,7 @@ class WasmFullDecoder : public WasmDecoder<validate> {
} else if (check_result == kInvalidStack) {
return 0;
}
for (int i = static_cast<int>(value_count) - 1; i >= 0; i--) Pop(i);
for (int i = value_count - 1; i >= 0; i--) Pop(i);
Value* pexception = Push(kWasmExnRef);
*pexception = exception;
return 1 + imm.length;
@ -4299,6 +4300,7 @@ class WasmFullDecoder : public WasmDecoder<validate> {
int index_offset = conditional_branch ? 1 : 0;
for (int i = arity - 1; i >= 0; --i) Pop(index_offset + i, merge[i].type);
// Push values of the correct type back on the stack.
EnsureStackSpace(arity);
for (int i = 0; i < arity; ++i) Push(merge[i].type);
return this->ok();
}

10
test/mjsunit/regress/wasm/regress-1137582.js Normal file
View File

@ -0,0 +1,10 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
const results = new Array(9).fill(kWasmI32);
builder.addFunction('foo', makeSig([], results)).addBody([kExprUnreachable]);
builder.instantiate();