[wasm] Fix memory limit check with custom flags

Move the recently introduced extra check for 32-bit platforms so that it covers all code paths that would be hit by custom/future memory limit settings. Bug: chromium:1057094 Change-Id: I5e2217a24578ee82c7bfa753b7d5dcd3d00e1b7c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2083300Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#66568}

[wasm] Fix memory limit check with custom flags
Move the recently introduced extra check for 32-bit platforms so that it covers all code paths that would be hit by custom/future memory limit settings. Bug: chromium:1057094 Change-Id: I5e2217a24578ee82c7bfa753b7d5dcd3d00e1b7c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2083300Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#66568}
27538aa3 · Jakob Kummerow · Commit Bot · 5f50b8a3 · 27538aa3 · 27538aa3
Commit 27538aa3 authored Mar 02, 2020 by Jakob Kummerow Committed by Commit Bot Mar 03, 2020
Show whitespace changes
Inline Side-by-side

Showing with 25 additions and 8 deletions

backing-store.cc src/objects/backing-store.cc +11 -8

regress-crbug-1057094.js test/mjsunit/regress/wasm/regress-crbug-1057094.js +14 -0

No files found.
--- a/src/objects/backing-store.cc
+++ b/src/objects/backing-store.cc
@@ -413,6 +413,14 @@ std::unique_ptr<BackingStore> BackingStore::AllocateWasmMemory(
  // Enforce engine limitation on the maximum number of pages.
  if (initial_pages > wasm::kV8MaxWasmMemoryPages) return nullptr;

+  // Trying to allocate 4 GiB on a 32-bit platform is guaranteed to fail.
+  // We don't lower the official max_maximum_mem_pages() limit because that
+  // would be observable upon instantiation; this way the effective limit
+  // on 32-bit platforms is defined by the allocator.
+  constexpr size_t kPlatformMax =
+      std::numeric_limits<size_t>::max() / wasm::kWasmPageSize;
+  if (initial_pages > kPlatformMax) return nullptr;
+
  auto backing_store =
      TryAllocateWasmMemory(isolate, initial_pages, maximum_pages, shared);
  if (!backing_store && maximum_pages > initial_pages) {
@@ -425,14 +433,6 @@ std::unique_ptr<BackingStore> BackingStore::AllocateWasmMemory(

 std::unique_ptr<BackingStore> BackingStore::CopyWasmMemory(Isolate* isolate,
                                                           size_t new_pages) {
-  // Trying to allocate 4 GiB on a 32-bit platform is guaranteed to fail.
-  // We don't lower the official max_maximum_mem_pages() limit because that
-  // would be observable upon instantiation; this way the effective limit
-  // on 32-bit platforms is defined by the allocator.
-  if (new_pages > std::numeric_limits<size_t>::max() / wasm::kWasmPageSize) {
-    return {};
-  }
-  DCHECK_GE(new_pages * wasm::kWasmPageSize, byte_length_);
  // Note that we could allocate uninitialized to save initialization cost here,
  // but since Wasm memories are allocated by the page allocator, the zeroing
  // cost is already built-in.
@@ -447,6 +447,9 @@ std::unique_ptr<BackingStore> BackingStore::CopyWasmMemory(Isolate* isolate,
  }

  if (byte_length_ > 0) {
+    // If the allocation was successful, then the new buffer must be at least
+    // as big as the old one.
+    DCHECK_GE(new_pages * wasm::kWasmPageSize, byte_length_);
    memcpy(new_backing_store->buffer_start(), buffer_start_, byte_length_);
  }


--- a/test/mjsunit/regress/wasm/regress-crbug-1057094.js
+++ b/test/mjsunit/regress/wasm/regress-crbug-1057094.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-max-mem-pages=65536
+
+try {
+  var __v_50189 = new WebAssembly.Memory({
+    initial: 65536
+  });
+} catch (e) {
+  // 32-bit builds will throw a RangeError, that's okay.
+  assertTrue(e instanceof RangeError);
+}