Commit 1347891d authored by Andreas Haas's avatar Andreas Haas Committed by Commit Bot

Revert "[wasm] Use 64-bit comparison for bounds checks on 64-bit platforms"

This reverts commit 972d460f.

Reason for revert: This CL is not the right solution, and it makes back-merging the right solution more difficult.

Original change's description:
> [wasm] Use 64-bit comparison for bounds checks on 64-bit platforms
> 
> By using 64-bit comparison we make sure that there will be no out of
> memory accesses even if there are stale values in the high word of a
> register.
> 
> R=​titzer@chromium.org
> 
> Change-Id: I2627b15e1598f35cc480d7028031e8de405164ea
> Reviewed-on: https://chromium-review.googlesource.com/721323
> Reviewed-by: Ben Titzer <titzer@chromium.org>
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#48604}

TBR=titzer@chromium.org,ahaas@chromium.org

Change-Id: I0c15e9d8ac72def2e22543a17366126d90a17918
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/721702Reviewed-by: 's avatarAndreas Haas <ahaas@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48628}
parent 4fe179cd
...@@ -3405,9 +3405,10 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index, ...@@ -3405,9 +3405,10 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
// The end offset is larger than the smallest memory. // The end offset is larger than the smallest memory.
// Dynamically check the end offset against the actual memory size, which // Dynamically check the end offset against the actual memory size, which
// is not known at compile time. // is not known at compile time.
Node* cond = Node* cond = graph()->NewNode(
graph()->NewNode(jsgraph()->machine()->Uint32LessThanOrEqual(), jsgraph()->machine()->Uint32LessThanOrEqual(),
jsgraph()->Int32Constant(end_offset), *mem_size_); jsgraph()->IntPtrConstant(static_cast<uintptr_t>(end_offset)),
*mem_size_);
TrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position); TrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
} else { } else {
// The end offset is within the bounds of the smallest memory, so only // The end offset is within the bounds of the smallest memory, so only
...@@ -3427,10 +3428,8 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index, ...@@ -3427,10 +3428,8 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
graph()->NewNode(jsgraph()->machine()->Int32Sub(), *mem_size_, graph()->NewNode(jsgraph()->machine()->Int32Sub(), *mem_size_,
jsgraph()->Int32Constant(end_offset - 1)); jsgraph()->Int32Constant(end_offset - 1));
const Operator* less = jsgraph()->machine()->Is32() Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(), index,
? jsgraph()->machine()->Uint32LessThan() effective_size);
: jsgraph()->machine()->Uint64LessThan();
Node* cond = graph()->NewNode(less, index, effective_size);
TrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position); TrapIfFalse(wasm::kTrapMemOutOfBounds, cond, position);
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment