[wasm][memory64][turbofan] Fix bounds checks on 32-bit systems

In memory64, the index is a 64-bit value even on 32 bit. Thus the bounds check needs to check explicitly that the high word is zero. The (pointer sized) low word is then checked against the actual memory size. R=manoskouk@chromium.org Bug: v8:10949 Change-Id: I311664ccadaec44a6c88777a60b1a3b45b6c0642 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2617088 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#72016}

[wasm][memory64][turbofan] Fix bounds checks on 32-bit systems
In memory64, the index is a 64-bit value even on 32 bit. Thus the bounds check needs to check explicitly that the high word is zero. The (pointer sized) low word is then checked against the actual memory size. R=manoskouk@chromium.org Bug: v8:10949 Change-Id: I311664ccadaec44a6c88777a60b1a3b45b6c0642 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2617088 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#72016}
e8d8956b · Clemens Backes · Commit Bot · 9cc240fe · e8d8956b · e8d8956b
Commit e8d8956b authored Jan 08, 2021 by Clemens Backes Committed by Commit Bot Jan 11, 2021
Showing with 11 additions and 6 deletions

graph-assembler.h src/compiler/graph-assembler.h +1 -0

wasm-compiler.cc src/compiler/wasm-compiler.cc +10 -0

test-run-wasm-memory64.cc test/cctest/wasm/test-run-wasm-memory64.cc +0 -6

No files found.
--- a/src/compiler/graph-assembler.h
+++ b/src/compiler/graph-assembler.h
@@ -89,6 +89,7 @@ class BasicBlock;
  V(Word64And)                            \
  V(Word64Equal)                          \
  V(Word64Or)                             \
+  V(Word64Shr)                            \
  V(WordAnd)                              \
  V(WordEqual)                            \
  V(WordOr)                               \

--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@@ -3794,6 +3794,16 @@ Node* WasmGraphBuilder::BoundsCheckMem(uint8_t access_size, Node* index,
  uintptr_t end_offset = offset + access_size - 1u;
  Node* end_offset_node = mcgraph_->UintPtrConstant(end_offset);

+  // In memory64 mode on 32-bit systems, the upper 32 bits need to be zero to
+  // succeed the bounds check.
+  if (kSystemPointerSize == kInt32Size && env_->module->is_memory64) {
+    Node* high_word = gasm_->TruncateInt64ToInt32(
+        gasm_->Word64Shr(index, gasm_->Int32Constant(32)));
+    TrapIfTrue(wasm::kTrapMemOutOfBounds, high_word, position);
+    // Only use the low word for the following bounds check.
+    index = gasm_->TruncateInt64ToInt32(index);
+  }
+
  // The accessed memory is [index + offset, index + end_offset].
  // Check that the last read byte (at {index + end_offset}) is in bounds.
  // 1) Check that {end_offset < mem_size}. This also ensures that we can safely

--- a/test/cctest/wasm/test-run-wasm-memory64.cc
+++ b/test/cctest/wasm/test-run-wasm-memory64.cc
@@ -26,12 +26,6 @@ WASM_EXEC_TEST(Load) {
  // TODO(clemensb): Implement memory64 in the interpreter.
  if (execution_tier == TestExecutionTier::kInterpreter) return;

-  // TODO(clemensb): Fix memory64 in Turbofan on 32-bit systems.
-  if (execution_tier == TestExecutionTier::kTurbofan &&
-      kSystemPointerSize == 4) {
-    return;
-  }
-
  Memory64Runner<uint32_t, uint64_t> r(execution_tier);
  uint32_t* memory =
      r.builder().AddMemoryElems<uint32_t>(kWasmPageSize / sizeof(int32_t));