[wasm] Always trap for memory accesses with offset=uint32_max.

We handle this case specially because otherwise we would have to do complicated overflow detection. R=titzer@chromium.org TEST=cctest/test-run-wasm/RunWasmCompiled_LoadMaxUint32Offset Review-Url: https://codereview.chromium.org/2490533003 Cr-Commit-Position: refs/heads/master@{#40844}

[wasm] Always trap for memory accesses with offset=uint32_max.
We handle this case specially because otherwise we would have to do complicated overflow detection. R=titzer@chromium.org TEST=cctest/test-run-wasm/RunWasmCompiled_LoadMaxUint32Offset Review-Url: https://codereview.chromium.org/2490533003 Cr-Commit-Position: refs/heads/master@{#40844}
387817f5 · ahaas · Commit bot · 5329399a · 387817f5 · 387817f5
Commit 387817f5 authored Nov 08, 2016 by ahaas Committed by Commit bot Nov 08, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 1 deletion

wasm-compiler.cc src/compiler/wasm-compiler.cc +11 -1

test-run-wasm.cc test/cctest/wasm/test-run-wasm.cc +14 -0

No files found.
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -2912,7 +2912,17 @@ void WasmGraphBuilder::BoundsCheckMem(MachineType memtype, Node* index,
    // out of bounds; one check for the offset being in bounds, and the next for
    // the offset + index being out of bounds for code to be patched correctly
    // on relocation.
-    size_t effective_offset = offset + memsize - 1;
+
+    // Check for overflows.
+    if ((std::numeric_limits<uint32_t>::max() - memsize) + 1 < offset) {
+      // Always trap. Do not use TrapAlways because it does not create a valid
+      // graph here.
+      trap_->TrapIfEq32(wasm::kTrapMemOutOfBounds, jsgraph()->Int32Constant(0),
+                        0, position);
+      return;
+    }
+    size_t effective_offset = (offset - 1) + memsize;
+
    Node* cond = graph()->NewNode(jsgraph()->machine()->Uint32LessThan(),
                                  jsgraph()->IntPtrConstant(effective_offset),
                                  jsgraph()->RelocatableInt32Constant(

--- a/test/cctest/wasm/test-run-wasm.cc
+++ b/test/cctest/wasm/test-run-wasm.cc
@@ -1109,6 +1109,20 @@ WASM_EXEC_TEST(I32ReinterpretF32) {
  }
 }

+WASM_EXEC_TEST(LoadMaxUint32Offset) {
+  TestingModule module(execution_mode);
+  module.AddMemoryElems<int32_t>(8);
+  WasmRunner<int32_t> r(&module);
+
+  BUILD(r, kExprI8Const, 0,  // index
+        static_cast<byte>(v8::internal::wasm::WasmOpcodes::LoadStoreOpcodeOf(
+            MachineType::Int32(), false)),  // --
+        0,                                  // alignment
+        U32V_5(0xffffffff));                // offset
+
+  CHECK_TRAP32(r.Call());
+}
+
 WASM_EXEC_TEST(LoadStoreLoad) {
  TestingModule module(execution_mode);
  int32_t* memory = module.AddMemoryElems<int32_t>(8);