[wasm] Remove improper assembler check for grow memory.

Note that the offset can still be out of bounds, even after grow memory. The calculation of the remaining size can overflow. R=gdeepti@chromium.org BUG=chromium:644670 Review-Url: https://codereview.chromium.org/2376153003 Cr-Commit-Position: refs/heads/master@{#39886}

[wasm] Remove improper assembler check for grow memory.
Note that the offset can still be out of bounds, even after grow memory. The calculation of the remaining size can overflow. R=gdeepti@chromium.org BUG=chromium:644670 Review-Url: https://codereview.chromium.org/2376153003 Cr-Commit-Position: refs/heads/master@{#39886}
e6071a9c · titzer · Commit bot · 424cd4cf · e6071a9c · e6071a9c
Commit e6071a9c authored Sep 29, 2016 by titzer Committed by Commit bot Sep 29, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 3 deletions

assembler.cc src/assembler.cc +0 -2

grow-memory.js test/mjsunit/wasm/grow-memory.js +25 -1

No files found.
--- a/src/assembler.cc
+++ b/src/assembler.cc
@@ -351,9 +351,7 @@ void RelocInfo::update_wasm_memory_reference(
                                           icache_flush_mode);
  } else if (IsWasmMemorySizeReference(rmode_)) {
    uint32_t current_size_reference = wasm_memory_size_reference();
-    DCHECK(old_size == 0 || current_size_reference <= old_size);
    uint32_t offset = old_size - current_size_reference;
-    DCHECK_GE(new_size, offset);
    uint32_t updated_size_reference = new_size - offset;
    unchecked_update_wasm_memory_size(updated_size_reference,
                                      icache_flush_mode);

--- a/test/mjsunit/wasm/grow-memory.js
+++ b/test/mjsunit/wasm/grow-memory.js
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-// Flags: --expose-wasm --expose-gc --stress-compaction
+// Flags: --expose-wasm --stress-compaction

 load("test/mjsunit/wasm/wasm-constants.js");
 load("test/mjsunit/wasm/wasm-module-builder.js");
@@ -358,3 +358,27 @@ function testGrowMemoryOutOfBoundsOffset() {
 }

 testGrowMemoryOutOfBoundsOffset();
+
+
+function testGrowMemoryOutOfBoundsOffset2() {
+  var builder = new WasmModuleBuilder();
+  builder.addMemory(16, 128, false);
+  builder.addFunction("main", kSig_v_v)
+    .addBody([
+      kExprI32Const, 20,
+      kExprI32Const, 29,
+      kExprGrowMemory,
+      kExprI32StoreMem, 0, 0xFF, 0xFF, 0xFF, 0x3a
+    ])
+    .exportAs("main");
+
+  var module = builder.instantiate();
+  try {
+    module.exports.main();
+    assertFalse(true);
+  } catch (e) {
+    // should throw OOB
+  }
+}
+
+testGrowMemoryOutOfBoundsOffset2();