Revert "[asmjs] Properly validate asm.js heap sizes"

This reverts commit 5d69010e.

Reason for revert: New test fails on ARM GC stress bot - https://ci.chromium.org/p/v8/builders/luci.v8.ci/V8%20Arm%20GC%20Stress/8054

Original change's description:
> [asmjs] Properly validate asm.js heap sizes
> 
> Enforce both engine limitations and spec (http://asmjs.org/spec/latest/)
> limitations on the size of asm.js heaps.
> 
> R=​clemensh@chromium.org
> CC=​​mstarzinger@chromium.org
> 
> Bug: chromium:873600
> Change-Id: I104c23bbd0a9a7c494f97f8f9e83ac5a37496dfd
> Reviewed-on: https://chromium-review.googlesource.com/1174411
> Commit-Queue: Ben Titzer <titzer@chromium.org>
> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55163}

TBR=mstarzinger@chromium.org,titzer@chromium.org,clemensh@chromium.org

Change-Id: I95ca5306a495bfc0f78d7a29f5d6269fc9c0bdfa
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: chromium:873600
Reviewed-on: https://chromium-review.googlesource.com/1178141Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55173}

src/asmjs/asm-js.cc

@@ -23,7 +23,6 @@
 
 #include "src/wasm/wasm-engine.h"
 #include "src/wasm/wasm-js.h"
-#include "src/wasm/wasm-limits.h"
 #include "src/wasm/wasm-module-builder.h"
 #include "src/wasm/wasm-objects-inl.h"
 #include "src/wasm/wasm-result.h"
@@ -330,28 +329,6 @@ UnoptimizedCompilationJob* AsmJs::NewCompilationJob(
   return new AsmJsCompilationJob(parse_info, literal, allocator);
 }
 
-namespace {
-inline bool IsValidAsmjsMemorySize(size_t size) {
-  // Enforce asm.js spec minimum size.
-  if (size < (1u << 12u)) return false;
-  // Enforce engine-limited maximum allocation size.
-  if (size > wasm::kV8MaxWasmMemoryBytes) return false;
-  // Enforce flag-limited maximum allocation size.
-  if (size > (FLAG_wasm_max_mem_pages * uint64_t{wasm::kWasmPageSize})) {
-    return false;
-  }
-  // Enforce power-of-2 sizes for 2^12 - 2^24.
-  if (size < (1u << 24u)) {
-    uint32_t size32 = static_cast<uint32_t>(size);
-    return base::bits::IsPowerOfTwo(size32);
-  }
-  // Enforce multiple of 2^24 for sizes >= 2^24
-  if ((size % (1u << 24u)) != 0) return false;
-  // All checks passed!
-  return true;
-}
-}  // namespace
-
 MaybeHandle<Object> AsmJs::InstantiateAsmWasm(Isolate* isolate,
                                               Handle<SharedFunctionInfo> shared,
                                               Handle<FixedArray> wasm_data,
@@ -392,9 +369,15 @@ MaybeHandle<Object> AsmJs::InstantiateAsmWasm(Isolate* isolate,
     }
     memory->set_is_growable(false);
     size_t size = NumberToSize(memory->byte_length());
-    // Check the asm.js heap size against the valid limits.
-    if (!IsValidAsmjsMemorySize(size)) {
-      ReportInstantiationFailure(script, position, "Invalid heap size");
+    // TODO(mstarzinger): We currently only limit byte length of the buffer to
+    // be a multiple of 8, we should enforce the stricter spec limits here.
+    if (size % FixedTypedArrayBase::kMaxElementSize != 0) {
+      ReportInstantiationFailure(script, position, "Unexpected heap size");
+      return MaybeHandle<Object>();
+    }
+    // Currently WebAssembly only supports heap sizes within the uint32_t range.
+    if (size > std::numeric_limits<uint32_t>::max()) {
+      ReportInstantiationFailure(script, position, "Unexpected heap size");
       return MaybeHandle<Object>();
     }
   } else {

test/cctest/test-api.cc

@@ -26423,7 +26423,7 @@ TEST(TurboAsmDisablesNeuter) {
       "  function load() { return MEM32[0] | 0; }"
       "  return { load: load };"
       "}"
-      "var buffer = new ArrayBuffer(4096);"
+      "var buffer = new ArrayBuffer(1024);"
       "var module = Module(this, {}, buffer);"
       "%OptimizeFunctionOnNextCall(module.load);"
       "module.load();"
@@ -26439,7 +26439,7 @@ TEST(TurboAsmDisablesNeuter) {
       "  function store() { MEM32[0] = 0; }"
       "  return { store: store };"
       "}"
-      "var buffer = new ArrayBuffer(4096);"
+      "var buffer = new ArrayBuffer(1024);"
       "var module = Module(this, {}, buffer);"
       "%OptimizeFunctionOnNextCall(module.store);"
       "module.store();"

test/message/asm-linking-bogus-heap.out

@@ -2,4 +2,4 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
-*%(basename)s:7: Linking failure in asm.js: Invalid heap size
+*%(basename)s:7: Linking failure in asm.js: Unexpected heap size

test/mjsunit/asm/asm-heap.js

-// Copyright 2018 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Flags: --validate-asm --allow-natives-syntax --expose-gc
-
-let gCounter = 1000;
-let gMinHeap = new ArrayBuffer(1 << 12);
-let gStdlib = {Uint8Array: Uint8Array};
-
-// The template of asm.js modules used in this test.
-function Template(stdlib, ffi, heap) {
-  "use asm";
-  var MEM8 = new stdlib.Uint8Array(heap);
-  function foo() { return VAL; }
-  return { foo: foo };
-}
-
-// Create a fresh module each time.
-function NewModule() {
-  // Use eval() to get a unique module each time.
-  let val = gCounter++;
-  let string = (Template + "; Template").replace("VAL", "" + val);
-//  print(string);
-  let module = eval(string);
-//  print(module);
-  module(gStdlib, {}, gMinHeap);
-  assertTrue(%IsAsmWasmCode(module));
-  return {module: module, val: val};
-}
-
-(function TestValid_PowerOfTwo() {
-  print("TestValid_PowerOfTwo...");
-  let r = NewModule();
-  for (let i = 12; i <= 24; i++) {
-    gc();  // Likely OOM otherwise.
-    let size = 1 << i;
-    print("  size=" + size);
-    let heap = new ArrayBuffer(size);
-    var instance = r.module(gStdlib, {}, heap);
-    assertTrue(%IsAsmWasmCode(r.module));
-    assertEquals(r.val, instance.foo());
-  }
-})();
-
-(function TestValid_Multiple() {
-  print("TestValid_Multiple...");
-  let r = NewModule();
-  for (let i = 1; i < 47; i += 7) {
-    gc();  // Likely OOM otherwise.
-    let size = i * (1 << 24);
-    print("  size=" + size);
-    let heap = new ArrayBuffer(size);
-    var instance = r.module(gStdlib, {}, heap);
-    assertTrue(%IsAsmWasmCode(r.module));
-    assertEquals(r.val, instance.foo());
-  }
-})();
-
-(function TestInvalid_TooSmall() {
-  print("TestInvalid_TooSmall...");
-  for (let i = 1; i < 12; i++) {
-    let size = 1 << i;
-    print("  size=" + size);
-    let r = NewModule();
-    let heap = new ArrayBuffer(size);
-    var instance = r.module(gStdlib, {}, heap);
-    assertFalse(%IsAsmWasmCode(r.module));
-    assertEquals(r.val, instance.foo());
-  }
-})();
-
-(function TestInValid_NonPowerOfTwo() {
-  print("TestInvalid_NonPowerOfTwo...");
-  for (let i = 12; i <= 24; i++) {
-    gc();  // Likely OOM otherwise.
-    let size = 1 + (1 << i);
-    print("  size=" + size);
-    let r = NewModule();
-    let heap = new ArrayBuffer(size);
-    var instance = r.module(gStdlib, {}, heap);
-    assertFalse(%IsAsmWasmCode(r.module));
-    assertEquals(r.val, instance.foo());
-  }
-})();
-
-(function TestInValid_NonMultiple() {
-  print("TestInvalid_NonMultiple...");
-  for (let i = (1 << 24); i < (1 << 25); i += (1 << 22)) {
-    gc();  // Likely OOM otherwise.
-    let size = i + (1 << 20);
-    print("  size=" + size);
-    let r = NewModule();
-    let heap = new ArrayBuffer(size);
-    var instance = r.module(gStdlib, {}, heap);
-    assertFalse(%IsAsmWasmCode(r.module));
-    assertEquals(r.val, instance.foo());
-  }
-})();

test/mjsunit/mjsunit.status

@@ -154,9 +154,6 @@
   'asm/poppler/*': [PASS, SLOW, NO_VARIANTS],
   'asm/sqlite3/*': [PASS, SLOW, NO_VARIANTS],
 
-  # OOM flakes in isolates tests because too many largish heaps are created.
-  'asm/asm-heap': [PASS, NO_VARIANTS, ['isolates', SKIP]],
-
   # Slow tests.
   'copy-on-write-assert': [PASS, SLOW],
   'es6/typedarray-construct-offset-not-smi': [PASS, SLOW],

test/mjsunit/regress/regress-6700.js

@@ -4,8 +4,6 @@
 
 // Flags: --allow-natives-syntax
 
-let kMinHeapSize = 4096;
-
 (function TestLeftRight() {
   function Module(stdlib, foreign, heap) {
     "use asm";
@@ -16,7 +14,7 @@ let kMinHeapSize = 4096;
     }
     return { f:f }
   }
-  var buffer = new ArrayBuffer(kMinHeapSize);
+  var buffer = new ArrayBuffer(1024);
   var module = new Module(this, {}, buffer);
   assertTrue(%IsAsmWasmCode(Module));
   new Int32Array(buffer)[42] = 23;
@@ -33,7 +31,7 @@ let kMinHeapSize = 4096;
     }
     return { f:f }
   }
-  var buffer = new ArrayBuffer(kMinHeapSize);
+  var buffer = new ArrayBuffer(1024);
   var module = new Module(this, {}, buffer)
   assertTrue(%IsAsmWasmCode(Module));
   new Int32Array(buffer)[42 >> 4] = 23;
@@ -50,7 +48,7 @@ let kMinHeapSize = 4096;
     }
     return { f:f }
   }
-  var buffer = new ArrayBuffer(kMinHeapSize);
+  var buffer = new ArrayBuffer(1024);
   var module = new Module(this, {}, buffer)
   assertFalse(%IsAsmWasmCode(Module));
   new Int32Array(buffer)[42 & 0xfc] = 23;
@@ -67,7 +65,7 @@ let kMinHeapSize = 4096;
     }
     return { f:f }
   }
-  var buffer = new ArrayBuffer(kMinHeapSize);
+  var buffer = new ArrayBuffer(1024);
   var module = new Module(this, {}, buffer)
   assertFalse(%IsAsmWasmCode(Module));
   new Int32Array(buffer)[42 >> 3] = 23;
@@ -84,7 +82,7 @@ let kMinHeapSize = 4096;
     }
     return { f:f }
   }
-  var buffer = new ArrayBuffer(kMinHeapSize);
+  var buffer = new ArrayBuffer(1024);
   var module = new Module(this, {}, buffer)
   assertFalse(%IsAsmWasmCode(Module));
   new Int32Array(buffer)[42 << 2] = 23;

test/mjsunit/regress/regress-crbug-759327.js

@@ -13,7 +13,7 @@ function Module(stdlib, env, heap) {
   return { f: f };
 }
 function instantiate() {
-  var buffer = new ArrayBuffer(4096);
+  var buffer = new ArrayBuffer(0);
   Module(this, {}, buffer).f();
   try {} finally {}
   gc();

test/mjsunit/regress/wasm/regress-776677.js

@@ -16,7 +16,7 @@ function module(stdlib,foreign,buffer) {
 
 var global = {Uint32Array:Uint32Array};
 var env = {};
-memory = new WebAssembly.Memory({initial:128});
+memory = new WebAssembly.Memory({initial:200});
 var buffer = memory.buffer;
 evil_f = module(global,env,buffer);
 

test/mjsunit/regress/wasm/regress-873600.js

-// Copyright 2018 the V8 project authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-(function DoTest() {
-
-  var stdlib = this;
-  try {
-    var buffer = new ArrayBuffer((2097120) * 1024);
-  } catch (e) {
-    // Out of memory: soft pass because 2GiB is actually a lot!
-    print("OOM: soft pass");
-    return;
-  }
-  var foreign = {}
-
-  var m = (function Module(stdlib, foreign, heap) {
-    "use asm";
-    var MEM16 = new stdlib.Int16Array(heap);
-    function load(i) {
-      i = i|0;
-      i = MEM16[i >> 1]|0;
-      return i | 0;
-    }
-    function store(i, v) {
-      i = i|0;
-      v = v|0;
-      MEM16[i >> 1] = v;
-    }
-    function load8(i) {
-      i = i|0;
-      i = MEM16[i + 8 >> 1]|0;
-      return i | 0;
-    }
-    function store8(i, v) {
-      i = i|0;
-      v = v|0;
-      MEM16[i + 8 >> 1] = v;
-    }
-    return { load: load, store: store, load8: load8, store8: store8 };
-  })(stdlib, foreign, buffer);
-
-  assertEquals(0, m.load(-8));
-  assertEquals(0, m.load8(-16));
-  m.store(2014, 2, 30, 1, 0);
-  assertEquals(0, m.load8(-8));
-  m.store8(-8, 99);
-  assertEquals(99, m.load(0));
-  assertEquals(99, m.load8(-8));
-})();

test/mjsunit/wasm/asm-wasm-memory.js

@@ -5,7 +5,6 @@
 // Flags: --validate-asm --allow-natives-syntax
 
 var stdlib = this;
-let kMinHeapSize = 4096;
 
 function assertValidAsm(func) {
   assertTrue(%IsAsmWasmCode(func), "must be valid asm code");
@@ -14,7 +13,7 @@ function assertValidAsm(func) {
 function assertWasm(expected, func, ffi) {
   print("Testing " + func.name + "...");
   assertEquals(
-      expected, func(stdlib, ffi, new ArrayBuffer(kMinHeapSize)).caller());
+      expected, func(stdlib, ffi, new ArrayBuffer(1024)).caller());
   assertValidAsm(func);
 }
 
@@ -39,7 +38,7 @@ assertWasm(7, TestInt32HeapAccess);
 
 
 function TestInt32HeapAccessExternal() {
-  var memory = new ArrayBuffer(kMinHeapSize);
+  var memory = new ArrayBuffer(1024);
   var memory_int32 = new Int32Array(memory);
   var module_decl = eval('(' + TestInt32HeapAccess.toString() + ')');
   var module = module_decl(stdlib, null, memory);
@@ -64,7 +63,7 @@ function TestHeapAccessIntTypes() {
     var code = TestInt32HeapAccess.toString();
     code = code.replace('Int32Array', types[i][1]);
     code = code.replace(/>> 2/g, types[i][2]);
-    var memory = new ArrayBuffer(kMinHeapSize);
+    var memory = new ArrayBuffer(1024);
     var memory_view = new types[i][0](memory);
     var module_decl = eval('(' + code + ')');
     var module = module_decl(stdlib, null, memory);
@@ -103,7 +102,7 @@ assertWasm(1, TestFloatHeapAccess);
 
 
 function TestFloatHeapAccessExternal() {
-  var memory = new ArrayBuffer(kMinHeapSize);
+  var memory = new ArrayBuffer(1024);
   var memory_float64 = new Float64Array(memory);
   var module_decl = eval('(' + TestFloatHeapAccess.toString() + ')');
   var module = module_decl(stdlib, null, memory);
@@ -147,7 +146,7 @@ TestFloatHeapAccessExternal();
     return {load: load, iload: iload, store: store, storeb: storeb};
   }
 
-  var memory = new ArrayBuffer(kMinHeapSize);
+  var memory = new ArrayBuffer(1024);
   var module_decl = eval('(' + TestByteHeapAccessCompat.toString() + ')');
   var m = module_decl(stdlib, null, memory);
   assertValidAsm(module_decl);

test/mjsunit/wasm/asm-wasm.js

@@ -5,7 +5,6 @@
 // Flags: --validate-asm --allow-natives-syntax
 
 var stdlib = this;
-let kMinHeapSize = 4096;
 
 function assertValidAsm(func) {
   assertTrue(%IsAsmWasmCode(func), "must be valid asm code");
@@ -14,7 +13,7 @@ function assertValidAsm(func) {
 function assertWasm(expected, func, ffi) {
   print("Testing " + func.name + "...");
   assertEquals(
-      expected, func(stdlib, ffi, new ArrayBuffer(kMinHeapSize)).caller());
+      expected, func(stdlib, ffi, new ArrayBuffer(1024)).caller());
   assertValidAsm(func);
 }