[wasm] do not reuse externalized backing stores when growing

Bug: chromium:813876 Change-Id: Ib85d4759c4e1d1c6771edb26e56202dc559854ce Reviewed-on: https://chromium-review.googlesource.com/974706 Commit-Queue: Eric Holk <eholk@chromium.org> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Cr-Commit-Position: refs/heads/master@{#52194}

[wasm] do not reuse externalized backing stores when growing
Bug: chromium:813876 Change-Id: Ib85d4759c4e1d1c6771edb26e56202dc559854ce Reviewed-on: https://chromium-review.googlesource.com/974706 Commit-Queue: Eric Holk <eholk@chromium.org> Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Cr-Commit-Position: refs/heads/master@{#52194}
c6607911 · Eric Holk · Commit Bot · d1e02979 · c6607911 · c6607911
Commit c6607911 authored Mar 23, 2018 by Eric Holk Committed by Commit Bot Mar 23, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 5 deletions

wasm-objects.cc src/wasm/wasm-objects.cc +6 -5

test-run-wasm-module.cc test/cctest/wasm/test-run-wasm-module.cc +25 -0

No files found.
--- a/src/wasm/wasm-objects.cc
+++ b/src/wasm/wasm-objects.cc
@@ -371,11 +371,12 @@ Handle<JSArrayBuffer> GrowMemoryBuffer(Isolate* isolate,
      new_size > kMaxInt) {
    return Handle<JSArrayBuffer>::null();
  }
-  // Try to adjust the permissions and reuse the old backing store
-  if (((use_trap_handler && !old_buffer->is_external() &&
-        new_size < old_buffer->allocation_length()) ||
-       old_size == new_size) &&
-      old_size != 0) {
+  // Reusing the backing store from externalized buffers causes problems with
+  // Blink's array buffers. The connection between the two is lost, which can
+  // lead to Blink not knowing about the other reference to the buffer and
+  // freeing it too early.
+  if (!old_buffer->is_external() && old_size != 0 &&
+      ((new_size < old_buffer->allocation_length()) || old_size == new_size)) {
    DCHECK_NOT_NULL(old_buffer->backing_store());
    if (old_size != new_size) {
      // If adjusting permissions fails, propagate error back to return

--- a/test/cctest/wasm/test-run-wasm-module.cc
+++ b/test/cctest/wasm/test-run-wasm-module.cc
@@ -1124,6 +1124,31 @@ TEST(Run_WasmModule_Buffer_Externalized_Detach) {
  Cleanup();
 }

+TEST(Run_WasmModule_Buffer_Externalized_Regression_UseAfterFree) {
+  // Regresion test for https://crbug.com/813876
+  Isolate* isolate = CcTest::InitIsolateOnce();
+  HandleScope scope(isolate);
+#if V8_TARGET_ARCH_64_BIT
+  const bool require_guard_regions = trap_handler::IsTrapHandlerEnabled();
+#else
+  constexpr bool require_guard_regions = false;
+#endif
+  Handle<JSArrayBuffer> buffer =
+      wasm::NewArrayBuffer(isolate, 16 * kWasmPageSize, require_guard_regions);
+  Handle<WasmMemoryObject> mem = WasmMemoryObject::New(isolate, buffer, 128);
+  auto contents = v8::Utils::ToLocal(buffer)->Externalize();
+  WasmMemoryObject::Grow(isolate, mem, 0);
+  constexpr bool is_wasm_memory = true;
+  JSArrayBuffer::FreeBackingStore(
+      isolate, JSArrayBuffer::Allocation(
+                   contents.AllocationBase(), contents.AllocationLength(),
+                   contents.Data(), contents.AllocationMode(), is_wasm_memory));
+  // Make sure we can write to the buffer without crashing
+  uint32_t* int_buffer =
+      reinterpret_cast<uint32_t*>(mem->array_buffer()->backing_store());
+  int_buffer[0] = 0;
+}
+
 TEST(AtomicOpDisassembly) {
  {
    EXPERIMENTAL_FLAG_SCOPE(threads);