Commit f0962559 authored by Clemens Backes, committed by V8 LUCI CQ

[wasm] Avoid accessing vector after its end

When checking whether to merge a region with its surrounding regions in
{InsertIntoWritableRegions}, we did not check first whether the
determined {insert_pos} is within the vector. We were thus accessing
(reading) after the end of the vector.

The bug only happened on MSVC builds, suggesting that clang
deterministically read a value which is never equal to the end of the
new region, whereas for MSVC it sometimes happened that we read exactly
the {region.end()} value, and we tried to merge regions.

R=jkummerow@chromium.org

Bug: v8:12643
Change-Id: If30d910ed6e996f7b0e1d8c5b439c3d842a498f6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3487988
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79283}
parent f65a2806
...@@ -893,7 +893,8 @@ void WasmCodeAllocator::InsertIntoWritableRegions(base::AddressRegion region, ...@@ -893,7 +893,8 @@ void WasmCodeAllocator::InsertIntoWritableRegions(base::AddressRegion region,
writable_memory_.erase(previous); writable_memory_.erase(previous);
} }
} }
if (region.end() == insert_pos->begin()) { if (insert_pos != writable_memory_.end() &&
region.end() == insert_pos->begin()) {
region = {region.begin(), insert_pos->size() + region.size()}; region = {region.begin(), insert_pos->size() + region.size()};
insert_pos = writable_memory_.erase(insert_pos); insert_pos = writable_memory_.erase(insert_pos);
} }
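Review bot: the added `insert_pos != writable_memory_.end()` guard in the second `if` is the correct fix, since evaluating `insert_pos->begin()` on the end iterator is undefined behaviour on every compiler, not just MSVC; the commit message's observation that clang happened to read a harmless value is luck, not a guarantee. Consider a one-line comment above the condition stating when `insert_pos` can be `end()` (the new region lies past every existing writable region), and a regression test that inserts a region after all existing ones so this path is exercised deterministically instead of depending on what sits past the vector's end.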