Commit 2f8bb6cd authored by Michael Achenbach's avatar Michael Achenbach Committed by Commit Bot

Revert "[wasm] Check the size of a function body before storing it"

This reverts commit 6c8aed76.

Reason for revert: Breaks some debug bots:
https://build.chromium.org/p/client.v8/builders/V8%20Linux64%20-%20debug/builds/16754
https://build.chromium.org/p/client.v8/builders/V8%20Win64%20-%20debug/builds/17654

Original change's description:
> [wasm] Check the size of a function body before storing it
> 
> We stored the size of a function body before we check that
> these values are valid. This caused a failing DCHECK in the constructor
> of WireBytesRef which checked for integer overflows. With this CL we
> check the size of the function body before we create the WireBytesRef.
> 
> R=​clemensh@chromium.org
> 
> Bug: chromium:738097
> Change-Id: I18f8b628c1499aae9c8e9340ea73c87f19e6f1d7
> Reviewed-on: https://chromium-review.googlesource.com/561000
> Commit-Queue: Andreas Haas <ahaas@chromium.org>
> Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#46442}

TBR=ahaas@chromium.org,clemensh@chromium.org

Change-Id: Ifd533c0dee369c746bc97fea13275ebc09ed5eff
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:738097
Reviewed-on: https://chromium-review.googlesource.com/561517
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46445}
parent 30e9e454
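--- a/FILE_PATH_NOT_SHOWN_1
+++ b/FILE_PATH_NOT_SHOWN_1
@@ -665,15 +665,13 @@ class ModuleDecoder : public Decoder {
       errorf(pos, "function body count %u mismatch (%u expected)",
              functions_count, module_->num_declared_functions);
     }
-    for (uint32_t i = 0; i < functions_count; ++i) {
+    for (uint32_t i = 0; ok() && i < functions_count; ++i) {
       WasmFunction* function =
           &module_->functions[i + module_->num_imported_functions];
       uint32_t size = consume_u32v("body size");
-      uint32_t offset = pc_offset();
+      function->code = {pc_offset(), size};
       consume_bytes(size, "function body");
-      if (failed()) break;
-      function->code = {offset, size};
-      if (verify_functions) {
+      if (ok() && verify_functions) {
         ModuleBytesEnv module_env(module_.get(), nullptr,
                                   ModuleWireBytes(start_, end_));
         VerifyFunctionBody(module_->signature_zone->allocator(),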
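Review bot: On the new side `function->code = {pc_offset(), size};` builds the WireBytesRef from `size` before `consume_bytes(size, "function body")` has checked that size against the remaining input, so an oversized body-size varint from untrusted module bytes (the 0xffffffff case in the removed Regression_738097 test) again reaches the WireBytesRef overflow DCHECK that chromium:738097 describes. That is the known state this revert deliberately restores, so nothing to change here; the reland should keep the reverted CL's check-before-store order (save the offset, consume the bytes, `if (failed()) break;`, then `function->code = {offset, size};`) and re-add the regression test. Why that ordering broke the debug bots is not visible from this page; the linked build logs would show whether the failure was in this loop or elsewhere. The enclosing ModuleDecoder method starts and ends outside the hunk.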
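--- a/FILE_PATH_NOT_SHOWN_2
+++ b/FILE_PATH_NOT_SHOWN_2
@@ -1347,19 +1347,6 @@ TEST_F(WasmModuleVerifyTest, Regression_648070) {
   EXPECT_FAILURE(data);
 }
-
-TEST_F(WasmModuleVerifyTest, Regression_738097) {
-  // The function body size caused an integer overflow in the module decoder.
-  static const byte data[] = {
-      SIGNATURES_SECTION(1, SIG_ENTRY_v_v),  // --
-      FUNCTION_SIGNATURES_SECTION(1, 0),     // --
-      SECTION(Code, 1 + 5 + 1),              // --
-      1,                                     // --
-      U32V_5(0xffffffff),                    // function size,
-      0                                      // No real body
-  };
-  EXPECT_FAILURE(data);
-}
 
 TEST_F(WasmModuleVerifyTest, FunctionBodies_empty) {
   static const byte data[] = {
       EMPTY_SIGNATURES_SECTION,  // --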