[wasm] Add flag to limit module size

Add a new --wasm-max-module-size flag to replace the unused and more specific --experimental-wasm-allow-huge-modules flag. The new flag can be used in fuzzers to reduce the maximum allowed module size, avoiding OOM on some systems (like 32-bit ASan builds). R=ahaas@chromium.org Bug: chromium:1334577 Change-Id: I2830d407c5b01be21a47b21392c1210061c40b20 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695267 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#81102}
2022-06-10 16:27:51 +02:00 · 2022-06-10 16:27:51 +02:00 · dc748570c8
commit dc748570c8
parent 6dafd4a98d
3 changed files with 60 additions and 8 deletions
--- a/src/flags/flag-definitions.h
+++ b/src/flags/flag-definitions.h
@ -983,11 +983,11 @@ DEFINE_BOOL(wasm_async_compilation, true,
 DEFINE_NEG_IMPLICATION(single_threaded, wasm_async_compilation)
 DEFINE_BOOL(wasm_test_streaming, false,
            "use streaming compilation instead of async compilation for tests")
-DEFINE_UINT(wasm_max_mem_pages, v8::internal::wasm::kV8MaxWasmMemoryPages,
+DEFINE_UINT(wasm_max_mem_pages, wasm::kV8MaxWasmMemoryPages,
            "maximum number of 64KiB memory pages per wasm memory")
-DEFINE_UINT(wasm_max_table_size, v8::internal::wasm::kV8MaxWasmTableSize,
+DEFINE_UINT(wasm_max_table_size, wasm::kV8MaxWasmTableSize,
            "maximum table size of a wasm instance")
-DEFINE_UINT(wasm_max_code_space, v8::internal::kMaxWasmCodeMB,
+DEFINE_UINT(wasm_max_code_space, kMaxWasmCodeMB,
            "maximum committed code space for wasm (in MB)")
 DEFINE_BOOL(wasm_tier_up, true,
            "enable tier up to the optimizing compiler (requires --liftoff to "
@ -1145,8 +1145,8 @@ DEFINE_BOOL(stress_wasm_code_gc, false,
 DEFINE_INT(wasm_max_initial_code_space_reservation, 0,
           "maximum size of the initial wasm code space reservation (in MB)")

-DEFINE_BOOL(experimental_wasm_allow_huge_modules, false,
-            "allow wasm modules bigger than 1GB, but below ~2GB")
+DEFINE_SIZE_T(wasm_max_module_size, wasm::kV8MaxWasmModuleSize,
+              "maximum allowed size of wasm modules")

 DEFINE_BOOL(trace_wasm, false, "trace wasm function calls")

--- a/src/wasm/wasm-engine.cc
+++ b/src/wasm/wasm-engine.cc
@ -1658,9 +1658,11 @@ uint32_t max_table_init_entries() {

 // {max_module_size} is declared in wasm-limits.h.
 size_t max_module_size() {
-  return FLAG_experimental_wasm_allow_huge_modules
-             ? RoundDown<kSystemPointerSize>(size_t{kMaxInt})
-             : kV8MaxWasmModuleSize;
+  // Clamp the value of --wasm-max-module-size between 16 and just below 2GB.
+  constexpr size_t kMin = 16;
+  constexpr size_t kMax = RoundDown<kSystemPointerSize>(size_t{kMaxInt});
+  static_assert(kMin <= kV8MaxWasmModuleSize && kV8MaxWasmModuleSize <= kMax);
+  return std::clamp(FLAG_wasm_max_module_size.value(), kMin, kMax);
 }

 #undef TRACE_CODE_GC
--- a/test/mjsunit/wasm/max-module-size-flag.js
+++ b/test/mjsunit/wasm/max-module-size-flag.js
@ -0,0 +1,50 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-max-module-size=128
+
+d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
+
+let small_binary = (() => {
+  let builder = new WasmModuleBuilder();
+  builder.addFunction('f', kSig_v_v).addBody(new Array(32).fill(kExprNop));
+  return builder.toBuffer();
+})();
+
+let big_binary = (() => {
+  let builder = new WasmModuleBuilder();
+  builder.addFunction('f', kSig_v_v).addBody(new Array(128).fill(kExprNop));
+  return builder.toBuffer();
+})();
+
+// Check that the sizes of the generated modules are within the expected ranges.
+assertTrue(small_binary.length > 64);
+assertTrue(small_binary.length < 128);
+assertTrue(big_binary.length > 128);
+assertTrue(big_binary.length < 256);
+
+let big_error_msg =
+    'buffer source exceeds maximum size of 128 (is ' + big_binary.length + ')';
+
+(function TestSyncSmallModule() {
+  let sync_small_module = new WebAssembly.Module(small_binary);
+  assertTrue(sync_small_module instanceof WebAssembly.Module);
+})();
+
+assertPromiseResult((async function TestAsyncSmallModule() {
+  let async_small_module = await WebAssembly.compile(small_binary);
+  assertTrue(async_small_module instanceof WebAssembly.Module);
+})());
+
+(function TestSyncBigModule() {
+  assertThrows(
+      () => new WebAssembly.Module(big_binary), RangeError,
+      'WebAssembly.Module(): ' + big_error_msg);
+})();
+
+(function TestAsyncBigModule() {
+  assertThrowsAsync(
+      WebAssembly.compile(big_binary), RangeError,
+      'WebAssembly.compile(): ' + big_error_msg);
+})();