[wasm][asm2wasm] Fixes a bug in 8-bit heap view accesses.

The bug was caused when validating expressions X >> 0 for indexing into 8-bit heap views. If X was not an intish, the 'normal' validation path would fail. That, however, left the type of X registered in the AsmTyper::node_types_ member. Later, in the 'lenient' code path for 8-bit views, the entire X >> 0 expression would be validated, which would cause X to be validated again, at which point AsmTyper::SetTypeOf() would DCHECK because the supplied node already had a type associated with it. The fix was to simply FAIL() when X is not an intish. This is safe because if X is not an intish, then Validate(>>, !intish, FixNum) will also fail. BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=628803 BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203 TEST= cctest/asmjs/test-asm-typer.cc LOG= N Review-Url: https://codereview.chromium.org/2181723002 Cr-Commit-Position: refs/heads/master@{#38053}

[wasm][asm2wasm] Fixes a bug in 8-bit heap view accesses.
The bug was caused when validating expressions X >> 0 for indexing into 8-bit heap views. If X was not an intish, the 'normal' validation path would fail. That, however, left the type of X registered in the AsmTyper::node_types_ member. Later, in the 'lenient' code path for 8-bit views, the entire X >> 0 expression would be validated, which would cause X to be validated again, at which point AsmTyper::SetTypeOf() would DCHECK because the supplied node already had a type associated with it. The fix was to simply FAIL() when X is not an intish. This is safe because if X is not an intish, then Validate(>>, !intish, FixNum) will also fail. BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=628803 BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203 TEST= cctest/asmjs/test-asm-typer.cc LOG= N Review-Url: https://codereview.chromium.org/2181723002 Cr-Commit-Position: refs/heads/master@{#38053}
060d984c · jpp · Commit bot · 94606a88 · 060d984c · 060d984c
Commit 060d984c authored Jul 26, 2016 by jpp Committed by Commit bot Jul 26, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 3 deletions

asm-typer.cc src/asmjs/asm-typer.cc +1 -3

test-asm-typer.cc test/cctest/asmjs/test-asm-typer.cc +30 -0

No files found.
--- a/src/asmjs/asm-typer.cc
+++ b/src/asmjs/asm-typer.cc
@@ -2462,9 +2462,7 @@ AsmType* AsmTyper::ValidateHeapAccess(Property* heap,
        }
        return obj_type->StoreType();
      }
-      // TODO(jpp): it may be the case that, if type is not an Intish, we could
-      // fail here instead of letting the validator try using the "leniency"
-      // rule (i.e., allow unshifted indexes for heap views of 8-bit integers.
+      FAIL(key_as_binop, "Invalid heap access index.");
    }
  }


--- a/test/cctest/asmjs/test-asm-typer.cc
+++ b/test/cctest/asmjs/test-asm-typer.cc
@@ -1908,4 +1908,34 @@ TEST(InvalidSourceLayout) {
  }
 }

+// This issue was triggered because of the "lenient" 8-bit heap access code
+// path. The canonical heap access index validation fails because __34 is not an
+// intish. Then, during the "lenient" code path for accessing elements in 8-bit
+// heap views, the __34 node in the indexing expression would be re-tagged, thus
+// causing the assertion failure.
+TEST(B63099) {
+  const char* kTests[] = {
+      "function __f_109(stdlib, __v_36, buffer) {\n"
+      "  'use asm';\n"
+      "  var __v_34 = new stdlib.Uint8Array(buffer);\n"
+      "  function __f_22() {__v_34[__v_34>>0]|0 + 1 | 0;\n"
+      "  }\n"
+      "}",
+      "function __f_109(stdlib, __v_36, buffer) {\n"
+      "  'use asm';\n"
+      "  var __v_34 = new stdlib.Int8Array(buffer);\n"
+      "  function __f_22() {__v_34[__v_34>>0]|0 + 1 | 0;\n"
+      "  }\n"
+      "}",
+  };
+
+  for (size_t ii = 0; ii < arraysize(kTests); ++ii) {
+    if (!ValidationOf(Module(kTests[ii]))
+             ->FailsWithMessage("Invalid heap access index")) {
+      std::cerr << "Test:\n" << kTests[ii];
+      CHECK(false);
+    }
+  }
+}
+
 }  // namespace