Revert of [wasm] Remove improper assembler check for grow memory. (patchset #2...

Revert of [wasm] Remove improper assembler check for grow memory. (patchset #2 id:20001 of https://codereview.chromium.org/2376153003/ ) Reason for revert: grow-memory test now fails on Linux dbg, blocking the CQ: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/11217 Original issue's description: > [wasm] Remove improper assembler check for grow memory. > > Note that the offset can still be out of bounds, even after grow memory. The calculation of the remaining size can overflow. > > R=gdeepti@chromium.org > BUG=chromium:644670 > > Committed: https://crrev.com/e6071a9c067e07304329250e040b652fb82e9b5e > Cr-Commit-Position: refs/heads/master@{#39886} TBR=gdeepti@chromium.org,titzer@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=chromium:644670 Review-Url: https://codereview.chromium.org/2378973003 Cr-Commit-Position: refs/heads/master@{#39889}

Revert of [wasm] Remove improper assembler check for grow memory. (patchset #2...
Revert of [wasm] Remove improper assembler check for grow memory. (patchset #2 id:20001 of https://codereview.chromium.org/2376153003/ ) Reason for revert: grow-memory test now fails on Linux dbg, blocking the CQ: https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20debug/builds/11217 Original issue's description: > [wasm] Remove improper assembler check for grow memory. > > Note that the offset can still be out of bounds, even after grow memory. The calculation of the remaining size can overflow. > > R=gdeepti@chromium.org > BUG=chromium:644670 > > Committed: https://crrev.com/e6071a9c067e07304329250e040b652fb82e9b5e > Cr-Commit-Position: refs/heads/master@{#39886} TBR=gdeepti@chromium.org,titzer@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=chromium:644670 Review-Url: https://codereview.chromium.org/2378973003 Cr-Commit-Position: refs/heads/master@{#39889}
a2a9b4a7 · adamk · Commit bot · cceaa122 · a2a9b4a7 · a2a9b4a7
Commit a2a9b4a7 authored Sep 29, 2016 by adamk Committed by Commit bot Sep 29, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 25 deletions

assembler.cc src/assembler.cc +2 -0

grow-memory.js test/mjsunit/wasm/grow-memory.js +1 -25

No files found.
--- a/src/assembler.cc
+++ b/src/assembler.cc
@@ -351,7 +351,9 @@ void RelocInfo::update_wasm_memory_reference(
                                           icache_flush_mode);
  } else if (IsWasmMemorySizeReference(rmode_)) {
    uint32_t current_size_reference = wasm_memory_size_reference();
+    DCHECK(old_size == 0 || current_size_reference <= old_size);
    uint32_t offset = old_size - current_size_reference;
+    DCHECK_GE(new_size, offset);
    uint32_t updated_size_reference = new_size - offset;
    unchecked_update_wasm_memory_size(updated_size_reference,
                                      icache_flush_mode);

--- a/test/mjsunit/wasm/grow-memory.js
+++ b/test/mjsunit/wasm/grow-memory.js
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
-// Flags: --expose-wasm --stress-compaction
+// Flags: --expose-wasm --expose-gc --stress-compaction
 load("test/mjsunit/wasm/wasm-constants.js");
 load("test/mjsunit/wasm/wasm-module-builder.js");
@@ -358,27 +358,3 @@ function testGrowMemoryOutOfBoundsOffset() {
 }
 testGrowMemoryOutOfBoundsOffset();
-function testGrowMemoryOutOfBoundsOffset2() {
-  var builder = new WasmModuleBuilder();
-  builder.addMemory(16, 128, false);
-  builder.addFunction("main", kSig_v_v)
-    .addBody([
-      kExprI32Const, 20,
-      kExprI32Const, 29,
-      kExprGrowMemory,
-      kExprI32StoreMem, 0, 0xFF, 0xFF, 0xFF, 0x3a
-    ])
-    .exportAs("main");
-  var module = builder.instantiate();
-  try {
-    module.exports.main();
-    assertFalse(true);
-  } catch (e) {
-    // should throw OOB
-  }
-}
-testGrowMemoryOutOfBoundsOffset2();