[Liftoff] Fix out of bounds read in lookahead

The lookahead did not check whether there is actually a byte left to be read. So if the i32 comparison was the last byte in the function body, we would read out of memory. This CL fixes that by introducing a separate {lookahead} method which does the proper bounds check and the lookahead. R=jkummerow@chromium.org Bug: chromium:1014834, v8:9831 Change-Id: I6499ae3f2c57d38a8fcb587b99ae4a4a6c70e426 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864939Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64335}

[Liftoff] Fix out of bounds read in lookahead
The lookahead did not check whether there is actually a byte left to be read. So if the i32 comparison was the last byte in the function body, we would read out of memory. This CL fixes that by introducing a separate {lookahead} method which does the proper bounds check and the lookahead. R=jkummerow@chromium.org Bug: chromium:1014834, v8:9831 Change-Id: I6499ae3f2c57d38a8fcb587b99ae4a4a6c70e426 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864939Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64335}
1d6542bb · Clemens Backes · Commit Bot · c38a4a6b · 1d6542bb · 1d6542bb
Commit 1d6542bb authored Oct 16, 2019 by Clemens Backes Committed by Commit Bot Oct 16, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 4 deletions

liftoff-compiler.cc src/wasm/baseline/liftoff-compiler.cc +4 -4

decoder.h src/wasm/decoder.h +6 -0

No files found.
--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@@ -829,8 +829,8 @@ class LiftoffCompiler {
      CASE_I64_SIGN_EXTENSION(I64SExtendI16, i64_signextend_i16)
      CASE_I64_SIGN_EXTENSION(I64SExtendI32, i64_signextend_i32)
      case kExprI32Eqz:
-        DCHECK_EQ(kExprI32Eqz, decoder->pc()[0]);
-        if (decoder->pc()[1] == kExprBrIf) {
+        DCHECK(decoder->lookahead(0, kExprI32Eqz));
+        if (decoder->lookahead(1, kExprBrIf)) {
          DCHECK(!has_outstanding_op());
          outstanding_op_ = kExprI32Eqz;
          break;
@@ -984,8 +984,8 @@ class LiftoffCompiler {
        });
 #define CASE_I32_CMPOP(opcode)                                               \
  case kExpr##opcode:                                                        \
-    DCHECK_EQ(kExpr##opcode, decoder->pc()[0]);                              \
-    if (decoder->pc()[1] == kExprBrIf) {                                     \
+    DCHECK(decoder->lookahead(0, kExpr##opcode));                            \
+    if (decoder->lookahead(1, kExprBrIf)) {                                  \
      DCHECK(!has_outstanding_op());                                         \
      outstanding_op_ = kExpr##opcode;                                       \
      break;                                                                 \

--- a/src/wasm/decoder.h
+++ b/src/wasm/decoder.h
@@ -267,6 +267,12 @@ class Decoder {
  }
  const byte* end() const { return end_; }

+  // Check if the byte at {offset} from the current pc equals {expected}.
+  bool lookahead(int offset, byte expected) {
+    DCHECK_LE(pc_, end_);
+    return end_ - pc_ > offset && pc_[offset] == expected;
+  }
+
 protected:
  const byte* start_;
  const byte* pc_;