Revert "[asmjs] Properly validate asm.js heap sizes"
This reverts commit 5d69010e26.
Reason for revert: New test fails on ARM GC stress bot - https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Arm%20GC%20Stress/8054
Original change's description:
> [asmjs] Properly validate asm.js heap sizes
>
> Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
> limitations on the size of asm.js heaps.
>
> R=clemensh@chromium.org
> CC=mstarzinger@chromium.org
>
> Bug: chromium:873600
> Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
> Reviewed-on: https://chromium-review.googlesource.com/1174411
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55163}
TBR=mstarzinger@chromium.org,titzer@chromium.org,clemensh@chromium.org
Change-Id: I95ca5306a495bfc0f78d7a29f5d6269fc9c0bdfa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:873600
Reviewed-on: https://chromium-review.googlesource.com/1178141
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55173}
parent
49f7687575
commit
c07c93f327
@ -23,7 +23,6 @@
|
||||
|
||||
#include "src/wasm/wasm-engine.h"
|
||||
#include "src/wasm/wasm-js.h"
|
||||
#include "src/wasm/wasm-limits.h"
|
||||
#include "src/wasm/wasm-module-builder.h"
|
||||
#include "src/wasm/wasm-objects-inl.h"
|
||||
#include "src/wasm/wasm-result.h"
|
||||
@ -330,28 +329,6 @@ UnoptimizedCompilationJob* AsmJs::NewCompilationJob(
|
||||
return new AsmJsCompilationJob(parse_info, literal, allocator);
|
||||
}
|
||||
|
||||
namespace {
|
||||
inline bool IsValidAsmjsMemorySize(size_t size) {
|
||||
// Enforce asm.js spec minimum size.
|
||||
if (size < (1u << 12u)) return false;
|
||||
// Enforce engine-limited maximum allocation size.
|
||||
if (size > wasm::kV8MaxWasmMemoryBytes) return false;
|
||||
// Enforce flag-limited maximum allocation size.
|
||||
if (size > (FLAG_wasm_max_mem_pages * uint64_t{wasm::kWasmPageSize})) {
|
||||
return false;
|
||||
}
|
||||
// Enforce power-of-2 sizes for 2^12 - 2^24.
|
||||
if (size < (1u << 24u)) {
|
||||
uint32_t size32 = static_cast<uint32_t>(size);
|
||||
return base::bits::IsPowerOfTwo(size32);
|
||||
}
|
||||
// Enforce multiple of 2^24 for sizes >= 2^24
|
||||
if ((size % (1u << 24u)) != 0) return false;
|
||||
// All checks passed!
|
||||
return true;
|
||||
}
|
||||
} // namespace
|
||||
|
||||
MaybeHandle<Object> AsmJs::InstantiateAsmWasm(Isolate* isolate,
|
||||
Handle<SharedFunctionInfo> shared,
|
||||
Handle<FixedArray> wasm_data,
|
||||
@ -392,9 +369,15 @@ MaybeHandle<Object> AsmJs::InstantiateAsmWasm(Isolate* isolate,
|
||||
}
|
||||
memory->set_is_growable(false);
|
||||
size_t size = NumberToSize(memory->byte_length());
|
||||
// Check the asm.js heap size against the valid limits.
|
||||
if (!IsValidAsmjsMemorySize(size)) {
|
||||
ReportInstantiationFailure(script, position, "Invalid heap size");
|
||||
// TODO(mstarzinger): We currently only limit byte length of the buffer to
|
||||
// be a multiple of 8, we should enforce the stricter spec limits here.
|
||||
if (size % FixedTypedArrayBase::kMaxElementSize != 0) {
|
||||
ReportInstantiationFailure(script, position, "Unexpected heap size");
|
||||
return MaybeHandle<Object>();
|
||||
}
|
||||
// Currently WebAssembly only supports heap sizes within the uint32_t range.
|
||||
if (size > std::numeric_limits<uint32_t>::max()) {
|
||||
ReportInstantiationFailure(script, position, "Unexpected heap size");
|
||||
return MaybeHandle<Object>();
|
||||
}
|
||||
} else {
|
||||
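Review bot: The checks restored in the last hunk of this file, inside AsmJs::InstantiateAsmWasm, reject a heap only when its byte length is not a multiple of `FixedTypedArrayBase::kMaxElementSize` or exceeds `std::numeric_limits<uint32_t>::max()`, so heaps below the asm.js minimum of 2^12 bytes, non-power-of-two sizes under 2^24, and sizes above `wasm::kV8MaxWasmMemoryBytes` or the `FLAG_wasm_max_mem_pages` limit pass instantiation again. The stated revert reason is a failing test on the ARM GC stress bot, which suggests the validation logic itself was not at fault, and the two test files deleted further down mean nothing in the tree pins the stricter limits until a reland. I would tie the restored TODO to the tracking bug so the gap stays visible, e.g. `// TODO(chromium:873600): reland IsValidAsmjsMemorySize(); only multiple-of-8 and uint32 range are enforced here.` The function starts before this hunk and continues past it.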
|
@ -26423,7 +26423,7 @@ TEST(TurboAsmDisablesNeuter) {
|
||||
" function load() { return MEM32[0] | 0; }"
|
||||
" return { load: load };"
|
||||
"}"
|
||||
"var buffer = new ArrayBuffer(4096);"
|
||||
"var buffer = new ArrayBuffer(1024);"
|
||||
"var module = Module(this, {}, buffer);"
|
||||
"%OptimizeFunctionOnNextCall(module.load);"
|
||||
"module.load();"
|
||||
@ -26439,7 +26439,7 @@ TEST(TurboAsmDisablesNeuter) {
|
||||
" function store() { MEM32[0] = 0; }"
|
||||
" return { store: store };"
|
||||
"}"
|
||||
"var buffer = new ArrayBuffer(4096);"
|
||||
"var buffer = new ArrayBuffer(1024);"
|
||||
"var module = Module(this, {}, buffer);"
|
||||
"%OptimizeFunctionOnNextCall(module.store);"
|
||||
"module.store();"
|
||||
|
@ -2,4 +2,4 @@
|
||||
# Use of this source code is governed by a BSD-style license that can be
|
||||
# found in the LICENSE file.
|
||||
|
||||
*%(basename)s:7: Linking failure in asm.js: Invalid heap size
|
||||
*%(basename)s:7: Linking failure in asm.js: Unexpected heap size
|
||||
|
@ -1,99 +0,0 @@
|
||||
// Copyright 2018 the V8 project authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
// Flags: --validate-asm --allow-natives-syntax --expose-gc
|
||||
|
||||
let gCounter = 1000;
|
||||
let gMinHeap = new ArrayBuffer(1 << 12);
|
||||
let gStdlib = {Uint8Array: Uint8Array};
|
||||
|
||||
// The template of asm.js modules used in this test.
|
||||
function Template(stdlib, ffi, heap) {
|
||||
"use asm";
|
||||
var MEM8 = new stdlib.Uint8Array(heap);
|
||||
function foo() { return VAL; }
|
||||
return { foo: foo };
|
||||
}
|
||||
|
||||
// Create a fresh module each time.
|
||||
function NewModule() {
|
||||
// Use eval() to get a unique module each time.
|
||||
let val = gCounter++;
|
||||
let string = (Template + "; Template").replace("VAL", "" + val);
|
||||
// print(string);
|
||||
let module = eval(string);
|
||||
// print(module);
|
||||
module(gStdlib, {}, gMinHeap);
|
||||
assertTrue(%IsAsmWasmCode(module));
|
||||
return {module: module, val: val};
|
||||
}
|
||||
|
||||
(function TestValid_PowerOfTwo() {
|
||||
print("TestValid_PowerOfTwo...");
|
||||
let r = NewModule();
|
||||
for (let i = 12; i <= 24; i++) {
|
||||
gc(); // Likely OOM otherwise.
|
||||
let size = 1 << i;
|
||||
print(" size=" + size);
|
||||
let heap = new ArrayBuffer(size);
|
||||
var instance = r.module(gStdlib, {}, heap);
|
||||
assertTrue(%IsAsmWasmCode(r.module));
|
||||
assertEquals(r.val, instance.foo());
|
||||
}
|
||||
})();
|
||||
|
||||
(function TestValid_Multiple() {
|
||||
print("TestValid_Multiple...");
|
||||
let r = NewModule();
|
||||
for (let i = 1; i < 47; i += 7) {
|
||||
gc(); // Likely OOM otherwise.
|
||||
let size = i * (1 << 24);
|
||||
print(" size=" + size);
|
||||
let heap = new ArrayBuffer(size);
|
||||
var instance = r.module(gStdlib, {}, heap);
|
||||
assertTrue(%IsAsmWasmCode(r.module));
|
||||
assertEquals(r.val, instance.foo());
|
||||
}
|
||||
})();
|
||||
|
||||
(function TestInvalid_TooSmall() {
|
||||
print("TestInvalid_TooSmall...");
|
||||
for (let i = 1; i < 12; i++) {
|
||||
let size = 1 << i;
|
||||
print(" size=" + size);
|
||||
let r = NewModule();
|
||||
let heap = new ArrayBuffer(size);
|
||||
var instance = r.module(gStdlib, {}, heap);
|
||||
assertFalse(%IsAsmWasmCode(r.module));
|
||||
assertEquals(r.val, instance.foo());
|
||||
}
|
||||
})();
|
||||
|
||||
(function TestInValid_NonPowerOfTwo() {
|
||||
print("TestInvalid_NonPowerOfTwo...");
|
||||
for (let i = 12; i <= 24; i++) {
|
||||
gc(); // Likely OOM otherwise.
|
||||
let size = 1 + (1 << i);
|
||||
print(" size=" + size);
|
||||
let r = NewModule();
|
||||
let heap = new ArrayBuffer(size);
|
||||
var instance = r.module(gStdlib, {}, heap);
|
||||
assertFalse(%IsAsmWasmCode(r.module));
|
||||
assertEquals(r.val, instance.foo());
|
||||
}
|
||||
})();
|
||||
|
||||
(function TestInValid_NonMultiple() {
|
||||
print("TestInvalid_NonMultiple...");
|
||||
for (let i = (1 << 24); i < (1 << 25); i += (1 << 22)) {
|
||||
gc(); // Likely OOM otherwise.
|
||||
let size = i + (1 << 20);
|
||||
print(" size=" + size);
|
||||
let r = NewModule();
|
||||
let heap = new ArrayBuffer(size);
|
||||
var instance = r.module(gStdlib, {}, heap);
|
||||
assertFalse(%IsAsmWasmCode(r.module));
|
||||
assertEquals(r.val, instance.foo());
|
||||
}
|
||||
})();
|
@ -154,9 +154,6 @@
|
||||
'asm/poppler/*': [PASS, SLOW, NO_VARIANTS],
|
||||
'asm/sqlite3/*': [PASS, SLOW, NO_VARIANTS],
|
||||
|
||||
# OOM flakes in isolates tests because too many largish heaps are created.
|
||||
'asm/asm-heap': [PASS, NO_VARIANTS, ['isolates', SKIP]],
|
||||
|
||||
# Slow tests.
|
||||
'copy-on-write-assert': [PASS, SLOW],
|
||||
'es6/typedarray-construct-offset-not-smi': [PASS, SLOW],
|
||||
|
@ -4,8 +4,6 @@
|
||||
|
||||
// Flags: --allow-natives-syntax
|
||||
|
||||
let kMinHeapSize = 4096;
|
||||
|
||||
(function TestLeftRight() {
|
||||
function Module(stdlib, foreign, heap) {
|
||||
"use asm";
|
||||
@ -16,7 +14,7 @@ let kMinHeapSize = 4096;
|
||||
}
|
||||
return { f:f }
|
||||
}
|
||||
var buffer = new ArrayBuffer(kMinHeapSize);
|
||||
var buffer = new ArrayBuffer(1024);
|
||||
var module = new Module(this, {}, buffer);
|
||||
assertTrue(%IsAsmWasmCode(Module));
|
||||
new Int32Array(buffer)[42] = 23;
|
||||
@ -33,7 +31,7 @@ let kMinHeapSize = 4096;
|
||||
}
|
||||
return { f:f }
|
||||
}
|
||||
var buffer = new ArrayBuffer(kMinHeapSize);
|
||||
var buffer = new ArrayBuffer(1024);
|
||||
var module = new Module(this, {}, buffer)
|
||||
assertTrue(%IsAsmWasmCode(Module));
|
||||
new Int32Array(buffer)[42 >> 4] = 23;
|
||||
@ -50,7 +48,7 @@ let kMinHeapSize = 4096;
|
||||
}
|
||||
return { f:f }
|
||||
}
|
||||
var buffer = new ArrayBuffer(kMinHeapSize);
|
||||
var buffer = new ArrayBuffer(1024);
|
||||
var module = new Module(this, {}, buffer)
|
||||
assertFalse(%IsAsmWasmCode(Module));
|
||||
new Int32Array(buffer)[42 & 0xfc] = 23;
|
||||
@ -67,7 +65,7 @@ let kMinHeapSize = 4096;
|
||||
}
|
||||
return { f:f }
|
||||
}
|
||||
var buffer = new ArrayBuffer(kMinHeapSize);
|
||||
var buffer = new ArrayBuffer(1024);
|
||||
var module = new Module(this, {}, buffer)
|
||||
assertFalse(%IsAsmWasmCode(Module));
|
||||
new Int32Array(buffer)[42 >> 3] = 23;
|
||||
@ -84,7 +82,7 @@ let kMinHeapSize = 4096;
|
||||
}
|
||||
return { f:f }
|
||||
}
|
||||
var buffer = new ArrayBuffer(kMinHeapSize);
|
||||
var buffer = new ArrayBuffer(1024);
|
||||
var module = new Module(this, {}, buffer)
|
||||
assertFalse(%IsAsmWasmCode(Module));
|
||||
new Int32Array(buffer)[42 << 2] = 23;
|
||||
|
@ -13,7 +13,7 @@ function Module(stdlib, env, heap) {
|
||||
return { f: f };
|
||||
}
|
||||
function instantiate() {
|
||||
var buffer = new ArrayBuffer(4096);
|
||||
var buffer = new ArrayBuffer(0);
|
||||
Module(this, {}, buffer).f();
|
||||
try {} finally {}
|
||||
gc();
|
||||
|
@ -16,7 +16,7 @@ function module(stdlib,foreign,buffer) {
|
||||
|
||||
var global = {Uint32Array:Uint32Array};
|
||||
var env = {};
|
||||
memory = new WebAssembly.Memory({initial:128});
|
||||
memory = new WebAssembly.Memory({initial:200});
|
||||
var buffer = memory.buffer;
|
||||
evil_f = module(global,env,buffer);
|
||||
|
||||
|
@ -1,50 +0,0 @@
|
||||
// Copyright 2018 the V8 project authors. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style license that can be
|
||||
// found in the LICENSE file.
|
||||
|
||||
(function DoTest() {
|
||||
|
||||
var stdlib = this;
|
||||
try {
|
||||
var buffer = new ArrayBuffer((2097120) * 1024);
|
||||
} catch (e) {
|
||||
// Out of memory: soft pass because 2GiB is actually a lot!
|
||||
print("OOM: soft pass");
|
||||
return;
|
||||
}
|
||||
var foreign = {}
|
||||
|
||||
var m = (function Module(stdlib, foreign, heap) {
|
||||
"use asm";
|
||||
var MEM16 = new stdlib.Int16Array(heap);
|
||||
function load(i) {
|
||||
i = i|0;
|
||||
i = MEM16[i >> 1]|0;
|
||||
return i | 0;
|
||||
}
|
||||
function store(i, v) {
|
||||
i = i|0;
|
||||
v = v|0;
|
||||
MEM16[i >> 1] = v;
|
||||
}
|
||||
function load8(i) {
|
||||
i = i|0;
|
||||
i = MEM16[i + 8 >> 1]|0;
|
||||
return i | 0;
|
||||
}
|
||||
function store8(i, v) {
|
||||
i = i|0;
|
||||
v = v|0;
|
||||
MEM16[i + 8 >> 1] = v;
|
||||
}
|
||||
return { load: load, store: store, load8: load8, store8: store8 };
|
||||
})(stdlib, foreign, buffer);
|
||||
|
||||
assertEquals(0, m.load(-8));
|
||||
assertEquals(0, m.load8(-16));
|
||||
m.store(2014, 2, 30, 1, 0);
|
||||
assertEquals(0, m.load8(-8));
|
||||
m.store8(-8, 99);
|
||||
assertEquals(99, m.load(0));
|
||||
assertEquals(99, m.load8(-8));
|
||||
})();
|
@ -5,7 +5,6 @@
|
||||
// Flags: --validate-asm --allow-natives-syntax
|
||||
|
||||
var stdlib = this;
|
||||
let kMinHeapSize = 4096;
|
||||
|
||||
function assertValidAsm(func) {
|
||||
assertTrue(%IsAsmWasmCode(func), "must be valid asm code");
|
||||
@ -14,7 +13,7 @@ function assertValidAsm(func) {
|
||||
function assertWasm(expected, func, ffi) {
|
||||
print("Testing " + func.name + "...");
|
||||
assertEquals(
|
||||
expected, func(stdlib, ffi, new ArrayBuffer(kMinHeapSize)).caller());
|
||||
expected, func(stdlib, ffi, new ArrayBuffer(1024)).caller());
|
||||
assertValidAsm(func);
|
||||
}
|
||||
|
||||
@ -39,7 +38,7 @@ assertWasm(7, TestInt32HeapAccess);
|
||||
|
||||
|
||||
function TestInt32HeapAccessExternal() {
|
||||
var memory = new ArrayBuffer(kMinHeapSize);
|
||||
var memory = new ArrayBuffer(1024);
|
||||
var memory_int32 = new Int32Array(memory);
|
||||
var module_decl = eval('(' + TestInt32HeapAccess.toString() + ')');
|
||||
var module = module_decl(stdlib, null, memory);
|
||||
@ -64,7 +63,7 @@ function TestHeapAccessIntTypes() {
|
||||
var code = TestInt32HeapAccess.toString();
|
||||
code = code.replace('Int32Array', types[i][1]);
|
||||
code = code.replace(/>> 2/g, types[i][2]);
|
||||
var memory = new ArrayBuffer(kMinHeapSize);
|
||||
var memory = new ArrayBuffer(1024);
|
||||
var memory_view = new types[i][0](memory);
|
||||
var module_decl = eval('(' + code + ')');
|
||||
var module = module_decl(stdlib, null, memory);
|
||||
@ -103,7 +102,7 @@ assertWasm(1, TestFloatHeapAccess);
|
||||
|
||||
|
||||
function TestFloatHeapAccessExternal() {
|
||||
var memory = new ArrayBuffer(kMinHeapSize);
|
||||
var memory = new ArrayBuffer(1024);
|
||||
var memory_float64 = new Float64Array(memory);
|
||||
var module_decl = eval('(' + TestFloatHeapAccess.toString() + ')');
|
||||
var module = module_decl(stdlib, null, memory);
|
||||
@ -147,7 +146,7 @@ TestFloatHeapAccessExternal();
|
||||
return {load: load, iload: iload, store: store, storeb: storeb};
|
||||
}
|
||||
|
||||
var memory = new ArrayBuffer(kMinHeapSize);
|
||||
var memory = new ArrayBuffer(1024);
|
||||
var module_decl = eval('(' + TestByteHeapAccessCompat.toString() + ')');
|
||||
var m = module_decl(stdlib, null, memory);
|
||||
assertValidAsm(module_decl);
|
||||
|
@ -5,7 +5,6 @@
|
||||
// Flags: --validate-asm --allow-natives-syntax
|
||||
|
||||
var stdlib = this;
|
||||
let kMinHeapSize = 4096;
|
||||
|
||||
function assertValidAsm(func) {
|
||||
assertTrue(%IsAsmWasmCode(func), "must be valid asm code");
|
||||
@ -14,7 +13,7 @@ function assertValidAsm(func) {
|
||||
function assertWasm(expected, func, ffi) {
|
||||
print("Testing " + func.name + "...");
|
||||
assertEquals(
|
||||
expected, func(stdlib, ffi, new ArrayBuffer(kMinHeapSize)).caller());
|
||||
expected, func(stdlib, ffi, new ArrayBuffer(1024)).caller());
|
||||
assertValidAsm(func);
|
||||
}
|
||||
|
||||
|