[csa] runtime bounds-checks on FixedArray indexed access

Bug: v8:8029 Change-Id: I5d5575a74af49236ff55a39c6a6805472bd63609 Reviewed-on: https://chromium-review.googlesource.com/1166910 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#55014}

[csa] runtime bounds-checks on FixedArray indexed access
Bug: v8:8029 Change-Id: I5d5575a74af49236ff55a39c6a6805472bd63609 Reviewed-on: https://chromium-review.googlesource.com/1166910 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#55014}
eb5cfbe0 · Tobias Tebbi · Commit Bot · e06ef53f · eb5cfbe0 · eb5cfbe0
Commit eb5cfbe0 authored Aug 09, 2018 by Tobias Tebbi Committed by Commit Bot Aug 09, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 75 additions and 27 deletions

code-stub-assembler.cc src/code-stub-assembler.cc +38 -0

code-stub-assembler.h src/code-stub-assembler.h +10 -0

v8heapconst.py tools/v8heapconst.py +27 -27

No files found.
--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -160,6 +160,14 @@ void CodeStubAssembler::Check(const NodeGenerator& condition_body,
        extra_node4_name, extra_node5, extra_node5_name);
 }

+void CodeStubAssembler::FastCheck(TNode<BoolT> condition) {
+  Label ok(this);
+  GotoIf(condition, &ok);
+  DebugBreak();
+  Goto(&ok);
+  BIND(&ok);
+}
+
 Node* CodeStubAssembler::SelectImpl(TNode<BoolT> condition,
                                    const NodeGenerator& true_body,
                                    const NodeGenerator& false_body,
@@ -1946,11 +1954,41 @@ TNode<MaybeObject> CodeStubAssembler::LoadArrayElement(
      Load(MachineType::AnyTagged(), array, offset, needs_poisoning));
 }

+void CodeStubAssembler::FixedArrayBoundsCheck(TNode<FixedArray> array,
+                                              Node* index,
+                                              int additional_offset,
+                                              ParameterMode parameter_mode) {
+  DCHECK_EQ(0, additional_offset % kPointerSize);
+  if (parameter_mode == ParameterMode::SMI_PARAMETERS) {
+    TNode<Smi> effective_index;
+    Smi* constant_index;
+    bool index_is_constant = ToSmiConstant(index, constant_index);
+    if (index_is_constant) {
+      effective_index = SmiConstant(Smi::ToInt(constant_index) +
+                                    additional_offset / kPointerSize);
+    } else if (additional_offset != 0) {
+      effective_index =
+          SmiAdd(CAST(index), SmiConstant(additional_offset / kPointerSize));
+    } else {
+      effective_index = CAST(index);
+    }
+    CSA_CHECK(this, SmiBelow(effective_index, LoadFixedArrayBaseLength(array)));
+  } else {
+    // IntPtrAdd does constant-folding automatically.
+    TNode<IntPtrT> effective_index =
+        IntPtrAdd(UncheckedCast<IntPtrT>(index),
+                  IntPtrConstant(additional_offset / kPointerSize));
+    CSA_CHECK(this, UintPtrLessThan(effective_index,
+                                    LoadAndUntagFixedArrayBaseLength(array)));
+  }
+}
+
 TNode<Object> CodeStubAssembler::LoadFixedArrayElement(
    TNode<FixedArray> object, Node* index_node, int additional_offset,
    ParameterMode parameter_mode, LoadSensitivity needs_poisoning) {
  CSA_ASSERT(this, IsFixedArraySubclass(object));
  CSA_ASSERT(this, IsNotWeakFixedArraySubclass(object));
+  FixedArrayBoundsCheck(object, index_node, additional_offset, parameter_mode);
  TNode<MaybeObject> element =
      LoadArrayElement(object, FixedArray::kHeaderSize, index_node,
                       additional_offset, parameter_mode, needs_poisoning);

--- a/src/code-stub-assembler.h
+++ b/src/code-stub-assembler.h
@@ -104,12 +104,16 @@ struct IteratorRecord {
  compiler::TNode<Object> next;
 };

+#ifdef DEBUG
 #define CSA_CHECK(csa, x)                                        \
  (csa)->Check(                                                  \
      [&]() -> compiler::Node* {                                 \
        return implicit_cast<compiler::SloppyTNode<Word32T>>(x); \
      },                                                         \
      #x, __FILE__, __LINE__)
+#else
+#define CSA_CHECK(csa, x) (csa)->FastCheck(x)
+#endif

 #ifdef DEBUG
 // Add stringified versions to the given values, except the first. That is,
@@ -645,6 +649,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
             Node* extra_node3 = nullptr, const char* extra_node3_name = "",
             Node* extra_node4 = nullptr, const char* extra_node4_name = "",
             Node* extra_node5 = nullptr, const char* extra_node5_name = "");
+  void FastCheck(TNode<BoolT> condition);

  // The following Call wrappers call an object according to the semantics that
  // one finds in the EcmaScript spec, operating on an Callable (e.g. a
@@ -960,6 +965,10 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {

  TNode<MaybeObject> MakeWeak(TNode<HeapObject> value);

+  void FixedArrayBoundsCheck(TNode<FixedArray> array, Node* index,
+                             int additional_offset = 0,
+                             ParameterMode parameter_mode = INTPTR_PARAMETERS);
+
  // Load an array element from a FixedArray / WeakFixedArray / PropertyArray.
  TNode<MaybeObject> LoadArrayElement(
      SloppyTNode<HeapObject> object, int array_header_size, Node* index,
@@ -1161,6 +1170,7 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
      WriteBarrierMode barrier_mode = UPDATE_WRITE_BARRIER,
      int additional_offset = 0,
      ParameterMode parameter_mode = INTPTR_PARAMETERS) {
+    FixedArrayBoundsCheck(array, index, additional_offset, parameter_mode);
    StoreFixedArrayOrPropertyArrayElement(array, index, value, barrier_mode,
                                          additional_offset, parameter_mode);
  }

--- a/tools/v8heapconst.py
+++ b/tools/v8heapconst.py
@@ -285,33 +285,33 @@ KNOWN_MAPS = {
  ("RO_SPACE", 0x047c1): (171, "Tuple2Map"),
  ("RO_SPACE", 0x04af9): (161, "InterceptorInfoMap"),
  ("RO_SPACE", 0x04bf1): (169, "ScriptMap"),
-  ("RO_SPACE", 0x09b79): (154, "AccessorInfoMap"),
-  ("RO_SPACE", 0x09bc9): (153, "AccessCheckInfoMap"),
-  ("RO_SPACE", 0x09c19): (155, "AccessorPairMap"),
-  ("RO_SPACE", 0x09c69): (156, "AliasedArgumentsEntryMap"),
-  ("RO_SPACE", 0x09cb9): (157, "AllocationMementoMap"),
-  ("RO_SPACE", 0x09d09): (158, "AsyncGeneratorRequestMap"),
-  ("RO_SPACE", 0x09d59): (159, "DebugInfoMap"),
-  ("RO_SPACE", 0x09da9): (160, "FunctionTemplateInfoMap"),
-  ("RO_SPACE", 0x09df9): (162, "InterpreterDataMap"),
-  ("RO_SPACE", 0x09e49): (163, "ModuleInfoEntryMap"),
-  ("RO_SPACE", 0x09e99): (164, "ModuleMap"),
-  ("RO_SPACE", 0x09ee9): (165, "ObjectTemplateInfoMap"),
-  ("RO_SPACE", 0x09f39): (166, "PromiseCapabilityMap"),
-  ("RO_SPACE", 0x09f89): (167, "PromiseReactionMap"),
-  ("RO_SPACE", 0x09fd9): (168, "PrototypeInfoMap"),
-  ("RO_SPACE", 0x0a029): (170, "StackFrameInfoMap"),
-  ("RO_SPACE", 0x0a079): (172, "Tuple3Map"),
-  ("RO_SPACE", 0x0a0c9): (173, "ArrayBoilerplateDescriptionMap"),
-  ("RO_SPACE", 0x0a119): (174, "WasmDebugInfoMap"),
-  ("RO_SPACE", 0x0a169): (175, "WasmExportedFunctionDataMap"),
-  ("RO_SPACE", 0x0a1b9): (176, "CallableTaskMap"),
-  ("RO_SPACE", 0x0a209): (177, "CallbackTaskMap"),
-  ("RO_SPACE", 0x0a259): (178, "PromiseFulfillReactionJobTaskMap"),
-  ("RO_SPACE", 0x0a2a9): (179, "PromiseRejectReactionJobTaskMap"),
-  ("RO_SPACE", 0x0a2f9): (180, "PromiseResolveThenableJobTaskMap"),
-  ("RO_SPACE", 0x0a349): (181, "AllocationSiteMap"),
-  ("RO_SPACE", 0x0a399): (181, "AllocationSiteMap"),
+  ("RO_SPACE", 0x09a71): (154, "AccessorInfoMap"),
+  ("RO_SPACE", 0x09ac1): (153, "AccessCheckInfoMap"),
+  ("RO_SPACE", 0x09b11): (155, "AccessorPairMap"),
+  ("RO_SPACE", 0x09b61): (156, "AliasedArgumentsEntryMap"),
+  ("RO_SPACE", 0x09bb1): (157, "AllocationMementoMap"),
+  ("RO_SPACE", 0x09c01): (158, "AsyncGeneratorRequestMap"),
+  ("RO_SPACE", 0x09c51): (159, "DebugInfoMap"),
+  ("RO_SPACE", 0x09ca1): (160, "FunctionTemplateInfoMap"),
+  ("RO_SPACE", 0x09cf1): (162, "InterpreterDataMap"),
+  ("RO_SPACE", 0x09d41): (163, "ModuleInfoEntryMap"),
+  ("RO_SPACE", 0x09d91): (164, "ModuleMap"),
+  ("RO_SPACE", 0x09de1): (165, "ObjectTemplateInfoMap"),
+  ("RO_SPACE", 0x09e31): (166, "PromiseCapabilityMap"),
+  ("RO_SPACE", 0x09e81): (167, "PromiseReactionMap"),
+  ("RO_SPACE", 0x09ed1): (168, "PrototypeInfoMap"),
+  ("RO_SPACE", 0x09f21): (170, "StackFrameInfoMap"),
+  ("RO_SPACE", 0x09f71): (172, "Tuple3Map"),
+  ("RO_SPACE", 0x09fc1): (173, "ArrayBoilerplateDescriptionMap"),
+  ("RO_SPACE", 0x0a011): (174, "WasmDebugInfoMap"),
+  ("RO_SPACE", 0x0a061): (175, "WasmExportedFunctionDataMap"),
+  ("RO_SPACE", 0x0a0b1): (176, "CallableTaskMap"),
+  ("RO_SPACE", 0x0a101): (177, "CallbackTaskMap"),
+  ("RO_SPACE", 0x0a151): (178, "PromiseFulfillReactionJobTaskMap"),
+  ("RO_SPACE", 0x0a1a1): (179, "PromiseRejectReactionJobTaskMap"),
+  ("RO_SPACE", 0x0a1f1): (180, "PromiseResolveThenableJobTaskMap"),
+  ("RO_SPACE", 0x0a241): (181, "AllocationSiteMap"),
+  ("RO_SPACE", 0x0a291): (181, "AllocationSiteMap"),
  ("MAP_SPACE", 0x02201): (1057, "ExternalMap"),
  ("MAP_SPACE", 0x02251): (1072, "JSMessageObjectMap"),
 }