[wasm] Disable asan for memory_copy_wrapper

The function {memory_copy_wrapper} is called directly from WebAssembly. Before calling {memory_copy_wrapper} we do not reset the tread-in-wasm flag. On asan builds on Windows this causes the problem observed in the crash report. My theory is the following: asan on Windows uses exceptions to allocate shadow memory lazily. When {memory_copy_wrapper} accesses memory, asan causes an exception to allocate shadow memory. This exception is first caught by the WebAssembly trap handler, which resets the thread-in-wasm flag but then does not handle the exception because it cannot find a proper landing pad. Asan then handles the exception and continues execution. However. the thread-in-wasm flag is not set anymore. A later check of the thread-in-wasm flag then fails. This CL disables asan for {memory_copy_wrapper} and thereby fixes the problem. As indicated above, another solution would be to reset and set the thread-in-wasm flag before and after the call to the C function, respectively. However, we do not do that for other uses of direct calls to C. R=binji@chromium.org Bug: chromium:952342 Change-Id: I2adb2eccf2ac25be58392d21f8f43a04414c7811 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584326Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#61040}

[wasm] Disable asan for memory_copy_wrapper
The function {memory_copy_wrapper} is called directly from WebAssembly. Before calling {memory_copy_wrapper} we do not reset the tread-in-wasm flag. On asan builds on Windows this causes the problem observed in the crash report. My theory is the following: asan on Windows uses exceptions to allocate shadow memory lazily. When {memory_copy_wrapper} accesses memory, asan causes an exception to allocate shadow memory. This exception is first caught by the WebAssembly trap handler, which resets the thread-in-wasm flag but then does not handle the exception because it cannot find a proper landing pad. Asan then handles the exception and continues execution. However. the thread-in-wasm flag is not set anymore. A later check of the thread-in-wasm flag then fails. This CL disables asan for {memory_copy_wrapper} and thereby fixes the problem. As indicated above, another solution would be to reset and set the thread-in-wasm flag before and after the call to the C function, respectively. However, we do not do that for other uses of direct calls to C. R=binji@chromium.org Bug: chromium:952342 Change-Id: I2adb2eccf2ac25be58392d21f8f43a04414c7811 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1584326Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#61040}
eb131dcc · Andreas Haas · Commit Bot · 2300b525 · eb131dcc · eb131dcc
Commit eb131dcc authored Apr 25, 2019 by Andreas Haas Committed by Commit Bot Apr 26, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 1 deletion

wasm-external-refs.cc src/wasm/wasm-external-refs.cc +9 -1

regress-952342.js test/mjsunit/regress/wasm/regress-952342.js +18 -0

No files found.
--- a/src/wasm/wasm-external-refs.cc
+++ b/src/wasm/wasm-external-refs.cc
@@ -249,7 +249,15 @@ void float64_pow_wrapper(Address data) {
  WriteUnalignedValue<double>(data, base::ieee754::pow(x, y));
 }

-void memory_copy_wrapper(Address dst, Address src, uint32_t size) {
+// Asan on Windows triggers exceptions in this function to allocate
+// shadow memory lazily. When this function is called from WebAssembly,
+// these exceptions would be handled by the trap handler before they get
+// handled by Asan, and thereby confuse the thread-in-wasm flag.
+// Therefore we disable ASAN for this function. Alternatively we could
+// reset the thread-in-wasm flag before calling this function. However,
+// as this is only a problem with Asan on Windows, we did not consider
+// it worth the overhead.
+DISABLE_ASAN void memory_copy_wrapper(Address dst, Address src, uint32_t size) {
  // Use explicit forward and backward copy to match the required semantics for
  // the memory.copy instruction. It is assumed that the caller of this
  // function has already performed bounds checks, so {src + size} and

--- a/test/mjsunit/regress/wasm/regress-952342.js
+++ b/test/mjsunit/regress/wasm/regress-952342.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const memory = new WebAssembly.Memory({initial: 1});
+
+let builder = new WasmModuleBuilder();
+builder.addImportedMemory("imports", "mem", 1);
+builder.addFunction("copy", kSig_v_iii)
+       .addBody([kExprGetLocal, 0, // dst
+                 kExprGetLocal, 1, // src
+                 kExprGetLocal, 2, // size
+                 kNumericPrefix, kExprMemoryCopy, 0, 0]).exportAs("copy");
+let instance = builder.instantiate({imports: {mem: memory}});
+memory.grow(1);
+instance.exports.copy(0, kPageSize, 11);