[wasm] Increase WebAssembly.Memory maximum size to 2GB

BUG=v8:6478, chromium:729768 R=bradnelson@chromium.org, eholk@chromium.org Review-Url: https://codereview.chromium.org/2903153002 Cr-Original-Commit-Position: refs/heads/master@{#45931} Committed: https://chromium.googlesource.com/v8/v8/+/7e6ed62071d2756688a23bd6dac096b0d4660b5d Review-Url: https://codereview.chromium.org/2903153002 Cr-Commit-Position: refs/heads/master@{#45967}

[wasm] Increase WebAssembly.Memory maximum size to 2GB
BUG=v8:6478, chromium:729768 R=bradnelson@chromium.org, eholk@chromium.org Review-Url: https://codereview.chromium.org/2903153002 Cr-Original-Commit-Position: refs/heads/master@{#45931} Committed: https://chromium.googlesource.com/v8/v8/+/7e6ed62071d2756688a23bd6dac096b0d4660b5d Review-Url: https://codereview.chromium.org/2903153002 Cr-Commit-Position: refs/heads/master@{#45967}
1ff3e7ea · gdeepti · Commit Bot · 431abca0 · 1ff3e7ea · 1ff3e7ea
Commit 1ff3e7ea authored Jun 16, 2017 by gdeepti Committed by Commit Bot Jun 16, 2017
6 changed files
--- a/src/assembler.cc
+++ b/src/assembler.cc
@@ -330,7 +330,6 @@ void RelocInfo::update_wasm_memory_reference(
    Isolate* isolate, Address old_base, Address new_base,
    ICacheFlushMode icache_flush_mode) {
  DCHECK(IsWasmMemoryReference(rmode_));
-  DCHECK_GE(wasm_memory_reference(), old_base);
  Address updated_reference = new_base + (wasm_memory_reference() - old_base);
  // The reference is not checked here but at runtime. Validity of references
  // may change over time.

--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -2899,7 +2899,8 @@ Node* WasmGraphBuilder::MemBuffer(uint32_t offset) {
    return mem_buffer_;
  } else {
    return jsgraph()->RelocatableIntPtrConstant(
-        mem_start + offset, RelocInfo::WASM_MEMORY_REFERENCE);
+        static_cast<uintptr_t>(mem_start + offset),
+        RelocInfo::WASM_MEMORY_REFERENCE);
  }
 }


--- a/src/wasm/wasm-limits.h
+++ b/src/wasm/wasm-limits.h
@@ -22,7 +22,9 @@ constexpr size_t kV8MaxWasmExports = 100000;
 constexpr size_t kV8MaxWasmGlobals = 1000000;
 constexpr size_t kV8MaxWasmDataSegments = 100000;
 // Don't use this limit directly, but use the value of FLAG_wasm_max_mem_pages.
-constexpr size_t kV8MaxWasmMemoryPages = 16384;  // = 1 GiB
+// Current limit mimics the maximum allowed allocation on an ArrayBuffer
+// (2GiB - 1 page).
+constexpr size_t kV8MaxWasmMemoryPages = 32767;  // ~ 2 GiB
 constexpr size_t kV8MaxWasmStringSize = 100000;
 constexpr size_t kV8MaxWasmModuleSize = 1024 * 1024 * 1024;  // = 1 GiB
 constexpr size_t kV8MaxWasmFunctionSize = 128 * 1024;

--- a/test/mjsunit/wasm/grow-memory.js
+++ b/test/mjsunit/wasm/grow-memory.js
@@ -8,7 +8,7 @@ load("test/mjsunit/wasm/wasm-constants.js");
 load("test/mjsunit/wasm/wasm-module-builder.js");

 var kPageSize = 0x10000;
-var kV8MaxPages = 16384;
+var kV8MaxPages = 32767;

 function genGrowMemoryBuilder() {
  var builder = new WasmModuleBuilder();
@@ -298,9 +298,8 @@ function testGrowMemoryTrapMaxPagesZeroInitialMemory() {
  var builder = genGrowMemoryBuilder();
  builder.addMemory(0, kV8MaxPages, false);
  var module = builder.instantiate();
-  var maxPages = 16385;
  function growMem(pages) { return module.exports.grow_memory(pages); }
-  assertEquals(-1, growMem(maxPages));
+  assertEquals(-1, growMem(kV8MaxPages + 1));
 }

 testGrowMemoryTrapMaxPagesZeroInitialMemory();
@@ -309,9 +308,8 @@ function testGrowMemoryTrapMaxPages() {
  var builder = genGrowMemoryBuilder();
  builder.addMemory(1, 1, false);
  var module = builder.instantiate();
-  var maxPages = 16384;
  function growMem(pages) { return module.exports.grow_memory(pages); }
-  assertEquals(-1, growMem(maxPages));
+  assertEquals(-1, growMem(kV8MaxPages));
 }

 testGrowMemoryTrapMaxPages();
@@ -493,3 +491,54 @@ function testGrowMemoryDeclaredSpecMaxTraps() {
 }

 testGrowMemoryDeclaredSpecMaxTraps();
+
+function testGrowMemory2Gb() {
+  print("testGrowMemory2Gb");
+  var builder = genGrowMemoryBuilder();
+  builder.addMemory(1, kV8MaxPages, false);
+  var module = builder.instantiate();
+  var offset, val;
+  function peek() { return module.exports.load(offset); }
+  function poke(value) { return module.exports.store(offset, value); }
+  function growMem(pages) { return module.exports.grow_memory(pages); }
+
+  for(offset = 0; offset <= (kPageSize - 4); offset+=4) {
+    poke(100000 - offset);
+    assertEquals(100000 - offset, peek());
+  }
+
+  let result = growMem(kV8MaxPages - 1);
+  if (result == 1 ){
+    for(offset = 0; offset <= (kPageSize - 4); offset+=4) {
+      assertEquals(100000 - offset, peek());
+    }
+
+    // Bounds check for large mem size
+    for(offset = (kV8MaxPages - 1) * kPageSize;
+        offset <= (kV8MaxPages * kPageSize - 4); offset+=4) {
+      poke(0xaced);
+      assertEquals(0xaced, peek());
+    }
+
+    for (offset = kV8MaxPages * kPageSize - 3;
+        offset <= kV8MaxPages * kPageSize + 4; offset++) {
+      assertTraps(kTrapMemOutOfBounds, poke);
+    }
+
+    // Check traps around 3GB/4GB boundaries
+    let offset_3gb = 49152 * kPageSize;
+    let offset_4gb = 2 * kV8MaxPages * kPageSize;
+    for (offset = offset_3gb - 5; offset < offset_3gb + 4; offset++) {
+      assertTraps(kTrapMemOutOfBounds, poke);
+    }
+    for (offset = offset_4gb - 5; offset < offset_4gb; offset++) {
+      assertTraps(kTrapMemOutOfBounds, poke);
+    }
+  } else {
+    // Allocating big chunks of memory can fail on gc_stress, especially on 32
+    // bit platforms. When grow_memory fails, expected result is -1.
+    assertEquals(-1, result);
+  }
+}
+
+testGrowMemory2Gb();
--- a/test/mjsunit/wasm/import-memory.js
+++ b/test/mjsunit/wasm/import-memory.js
@@ -149,6 +149,7 @@ load("test/mjsunit/wasm/wasm-module-builder.js");

 (function TestGrowMemoryZeroInitialMemory() {
  print("ZeroInitialMemory");
+  let kV8MaxPages = 32767;
  let memory = new WebAssembly.Memory({initial: 0});
  assertEquals(0, memory.buffer.byteLength);
  let i32 = new Int32Array(memory.buffer);
@@ -176,7 +177,7 @@ load("test/mjsunit/wasm/wasm-module-builder.js");
  for (offset = 5 * kPageSize; offset < 5 * kPageSize + 4; offset++) {
    assertThrows(load);
  }
-  assertThrows(() => memory.grow(16381));
+  assertThrows(() => memory.grow(kV8MaxPages - 3));
 })();

 (function ImportedMemoryBufferLength() {

--- a/test/mjsunit/wasm/large-offset.js
+++ b/test/mjsunit/wasm/large-offset.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+function testGrowMemoryOutOfBoundsOffset() {
+  print("testGrowMemoryOutOfBoundsOffset2");
+  var builder = new WasmModuleBuilder();
+  builder.addMemory(16, 128, false);
+  builder.addFunction("main", kSig_v_v)
+      .addBody([
+          kExprI32Const, 20,
+          kExprI32Const, 29,
+          kExprGrowMemory, kMemoryZero,
+          // Assembly equivalent Move <reg>,0xf5fffff
+          // with wasm memory reference relocation information
+          kExprI32StoreMem, 0, 0xFF, 0xFF, 0xFF, 0x7A
+          ])
+      .exportAs("main");
+  var module = builder.instantiate();
+  assertTraps(kTrapMemOutOfBounds, module.exports.main);
+}
+
+testGrowMemoryOutOfBoundsOffset();