Commit 07387b3d authored by Eric Holk's avatar Eric Holk Committed by Commit Bot

[liftoff] fix statically out of bounds memory access with trap handlers

Change-Id: Idbf76d4fed6d0fe21f4af3df455a2f667942643e
Reviewed-on: https://chromium-review.googlesource.com/976946
Commit-Queue: Eric Holk <eholk@chromium.org>
Reviewed-by: 's avatarClemens Hammacher <clemensh@chromium.org>
Reviewed-by: 's avatarBen Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52195}
parent c6607911
...@@ -1080,8 +1080,12 @@ class LiftoffCompiler { ...@@ -1080,8 +1080,12 @@ class LiftoffCompiler {
return false; return false;
} }
// TODO(eholk): This adds protected instruction information for the jump
// instruction we are about to generate. It would be better to just not add
// protected instruction info when the pc is 0.
Label* trap_label = AddOutOfLineTrap( Label* trap_label = AddOutOfLineTrap(
decoder->position(), Builtins::kThrowWasmTrapMemOutOfBounds); decoder->position(), Builtins::kThrowWasmTrapMemOutOfBounds,
env_->use_trap_handler ? __ pc_offset() : 0);
if (statically_oob) { if (statically_oob) {
__ emit_jump(trap_label); __ emit_jump(trap_label);
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --liftoff --wasm-trap-handler
// A simple test to make sure Liftoff can compile memory operations with trap
// handlers enabled.
load("test/mjsunit/wasm/wasm-constants.js");
load("test/mjsunit/wasm/wasm-module-builder.js");
function testCompileLoadStore() {
const builder = new WasmModuleBuilder();
// These functions generate statically out of bounds accesses.
builder.addFunction("load", kSig_i_i)
.addBody([kExprGetLocal, 0, kExprI32LoadMem, 0, 0x80, 0x80, 0x80, 1])
.exportFunc();
builder.addFunction("store", kSig_i_ii)
.addBody([kExprGetLocal, 0,
kExprGetLocal, 1,
kExprI32StoreMem, 0, 0x80, 0x80, 0x80, 1,
kExprGetLocal, 1])
.exportFunc();
builder.addMemory(1, 1, false);
const instance = builder.instantiate();
}
testCompileLoadStore();
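Review bot: The test instantiates the module but never calls the exported `load` or `store`, so the `const instance` binding on the line before the closing `}` is unused and the out-of-line trap that the liftoff-compiler hunk now registers with a real pc offset is never executed; only compilation is covered, as the header comment says. Since the memory is a single page and the accesses use a 2 MiB immediate offset, invoking the functions and asserting the trap would also catch a regression where the jump's protected-instruction entry points at the wrong handler, e.g. `assertTraps(kTrapMemOutOfBounds, () => instance.exports.load(0));` and `assertTraps(kTrapMemOutOfBounds, () => instance.exports.store(0, 0));`. If compile-only coverage is the intent, reducing the line to a bare `builder.instantiate();` makes that explicit and removes the unused binding.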