Title: [217314] trunk
Revision
217314
Author
sbar...@apple.com
Date
2017-05-23 17:32:12 -0700 (Tue, 23 May 2017)

Log Message

We should not mmap zero bytes for a memory in Wasm
https://bugs.webkit.org/show_bug.cgi?id=172528
<rdar://problem/32257076>

Reviewed by Mark Lam.

JSTests:

* wasm/js-api/dont-mmap-zero-byte-memory.js: Added.
(testMems):

Source/_javascript_Core:

This patch fixes a bug where we would call into mmap with zero bytes
when creating a slow WasmMemory with zero initial page size. This fix
is simple: if we don't have any initial bytes, we just call the constructor
in WasmMemory that's meant to handle this case.

* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::create):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (217313 => 217314)


--- trunk/JSTests/ChangeLog	2017-05-24 00:31:35 UTC (rev 217313)
+++ trunk/JSTests/ChangeLog	2017-05-24 00:32:12 UTC (rev 217314)
@@ -1,5 +1,16 @@
 2017-05-23  Saam Barati  <sbar...@apple.com>
 
+        We should not mmap zero bytes for a memory in Wasm
+        https://bugs.webkit.org/show_bug.cgi?id=172528
+        <rdar://problem/32257076>
+
+        Reviewed by Mark Lam.
+
+        * wasm/js-api/dont-mmap-zero-byte-memory.js: Added.
+        (testMems):
+
+2017-05-23  Saam Barati  <sbar...@apple.com>
+
         CFGSimplificationPhase should not merge a block with itself
         https://bugs.webkit.org/show_bug.cgi?id=172508
         <rdar://problem/28424006>

Added: trunk/JSTests/wasm/js-api/dont-mmap-zero-byte-memory.js (0 => 217314)


--- trunk/JSTests/wasm/js-api/dont-mmap-zero-byte-memory.js	                        (rev 0)
+++ trunk/JSTests/wasm/js-api/dont-mmap-zero-byte-memory.js	2017-05-24 00:32:12 UTC (rev 217314)
@@ -0,0 +1,54 @@
+import Builder from '../Builder.js';
+import * as assert from '../assert.js';
+
+let mems = [];
+function makeMem(initial) {
+    const desc = {initial};
+    mems.push([desc, new WebAssembly.Memory(desc)]);
+}
+for (let i = 0; i < 100; ++i) {
+    makeMem(1);
+}
+
+// This loop should not OOM! This tests a bug where we
+// would call mmap with zero bytes if we ran out of
+// fast memories but created a slow memory with zero
+// initial page count.
+for (let i = 0; i < 100; ++i) {
+    makeMem(0);
+}
+
+function testMems() {
+    for (const [memDesc, mem] of mems) {
+        const builder = (new Builder())
+            .Type().End()
+            .Import()
+                .Memory("imp", "memory", memDesc)
+            .End()
+            .Function().End()
+            .Export()
+                .Function("foo")
+            .End()
+            .Code()
+                .Function("foo", { params: [], ret: "i32" })
+                    .I32Const(0)
+                    .I32Load8U(2, 0)
+                    .Return()
+                .End()
+            .End();
+        const bin = builder.WebAssembly().get();
+        const module = new WebAssembly.Module(bin);
+        const instance = new WebAssembly.Instance(module, {imp: {memory: mem}});
+        if (mem.buffer.byteLength > 0)
+            assert.eq(instance.exports.foo(), 0);
+        else
+            assert.throws(() => instance.exports.foo(), WebAssembly.RuntimeError, "Out of bounds memory access");
+    }
+}
+
+testMems();
+
+for (const [_, mem] of mems)
+    mem.grow(1);
+
+testMems();
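Review bot: `mems` is never reassigned after `let mems = [];`, only pushed to from makeMem, so it should be declared `const mems = [];`. Also, the second `testMems()` call runs after every memory has been grown by one page, so only the `byteLength > 0` branch of testMems executes on that pass; the zero-byte `assert.throws` branch is exercised solely by the first call. A one-line comment above the grow loop, `// After growing, every memory is non-empty; only the first testMems() call covers the zero-byte case.`, would make the purpose of the second pass explicit.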

Modified: trunk/Source/_javascript_Core/ChangeLog (217313 => 217314)


--- trunk/Source/_javascript_Core/ChangeLog	2017-05-24 00:31:35 UTC (rev 217313)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-05-24 00:32:12 UTC (rev 217314)
@@ -1,3 +1,19 @@
+2017-05-23  Saam Barati  <sbar...@apple.com>
+
+        We should not mmap zero bytes for a memory in Wasm
+        https://bugs.webkit.org/show_bug.cgi?id=172528
+        <rdar://problem/32257076>
+
+        Reviewed by Mark Lam.
+
+        This patch fixes a bug where we would call into mmap with zero bytes
+        when creating a slow WasmMemory with zero initial page size. This fix
+        is simple: if we don't have any initial bytes, we just call the constructor
+        in WasmMemory that's meant to handle this case.
+
+        * wasm/WasmMemory.cpp:
+        (JSC::Wasm::Memory::create):
+
 2017-05-23  Brian Burg  <bb...@apple.com>
 
         REGRESSION(r217051): Automation sessions fail to complete bootstrap

Modified: trunk/Source/_javascript_Core/wasm/WasmMemory.cpp (217313 => 217314)


--- trunk/Source/_javascript_Core/wasm/WasmMemory.cpp	2017-05-24 00:31:35 UTC (rev 217313)
+++ trunk/Source/_javascript_Core/wasm/WasmMemory.cpp	2017-05-24 00:32:12 UTC (rev 217314)
@@ -413,6 +413,8 @@
 
     // We're stuck with a slow memory which may be slower or impossible to grow.
     if (!memory) {
+        if (!initialBytes)
+            return adoptRef(new Memory(initial, maximum));
         memory = tryGetSlowMemory(initialBytes);
         if (memory) {
             mappedCapacityBytes = initialBytes;
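Review bot: The added `if (!initialBytes)` guard is reached only after the fast-memory attempt above the hunk has already failed, so a zero-page request still takes that path first; if the fast path also maps `initialBytes`, the check arguably belongs ahead of both, but that depends on code outside this hunk. The early return also deserves a comment saying why no mapping is needed, e.g. `// Zero initial pages: nothing to map, so build an unmapped Memory and let grow() allocate later.` — this assumes the `Memory(initial, maximum)` constructor leaves the base unmapped, which is not visible here and should be confirmed. Memory::create's body starts and ends outside the hunk.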