AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[asm.js] Fix bounds check on 64bit systems

Browse Source 
The memory size is always stored as 32 bit value, so the comparison
should always be done in 32 bit space.

R=ahaas@chromium.org

Change-Id: Ic059e63bf1dc9e8bf568dbb5f8d7ccde1da4761a
Reviewed-on: https://chromium-review.googlesource.com/832473
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50187}
This commit is contained in:
Clemens Hammacher 2017-12-19 09:58:55 +01:00 committed by Commit Bot
parent 0621bf4683
commit f4d4292dc1
1 changed files with 8 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/compiler/wasm-compiler.cc
View File

@ -3750,24 +3750,23 @@ Node* WasmGraphBuilder::BuildAsmjsStoreMem(MachineType type, Node* index,
Node* mem_size = context_cache_->mem_size; Node* mem_size = context_cache_->mem_size;
DCHECK_NOT_NULL(mem_start); DCHECK_NOT_NULL(mem_start);
DCHECK_NOT_NULL(mem_size); DCHECK_NOT_NULL(mem_size);
const Operator* cmp_op = jsgraph()->machine()->Uint32LessThan();
if (jsgraph()->machine()->Is64()) {
index =
graph()->NewNode(jsgraph()->machine()->ChangeUint32ToUint64(), index);
cmp_op = jsgraph()->machine()->Uint64LessThan();
}
// Asm.js semantics are to ignore OOB writes. // Asm.js semantics are to ignore OOB writes.
// Note that we check against the memory size ignoring the size of the // Note that we check against the memory size ignoring the size of the
// stored value, which is conservative if misaligned. Technically, asm.js // stored value, which is conservative if misaligned. Technically, asm.js
// should never have misaligned accesses. // should never have misaligned accesses.
Diamond bounds_check(graph(), jsgraph()->common(), Diamond bounds_check(
graph()->NewNode(cmp_op, index, mem_size), graph(), jsgraph()->common(),
BranchHint::kTrue); graph()->NewNode(jsgraph()->machine()->Uint32LessThan(), index, mem_size),
BranchHint::kTrue);
bounds_check.Chain(*control_); bounds_check.Chain(*control_);
const Operator* store_op = jsgraph()->machine()->Store(StoreRepresentation( const Operator* store_op = jsgraph()->machine()->Store(StoreRepresentation(
type.representation(), WriteBarrierKind::kNoWriteBarrier)); type.representation(), WriteBarrierKind::kNoWriteBarrier));
if (jsgraph()->machine()->Is64()) {
index =
graph()->NewNode(jsgraph()->machine()->ChangeUint32ToUint64(), index);
}
Node* store = graph()->NewNode(store_op, mem_start, index, val, *effect_, Node* store = graph()->NewNode(store_op, mem_start, index, val, *effect_,
bounds_check.if_true); bounds_check.if_true);
Node* effect_phi = graph()->NewNode(jsgraph()->common()->EffectPhi(2), store, Node* effect_phi = graph()->NewNode(jsgraph()->common()->EffectPhi(2), store,