Merged: "[wasm] 32-bit platforms: lower kV8MaxWasmMemoryPages by 1"

To make sure that Wasm memories don't exceed JSArrayBuffer size. This change shouldn't affect real-world modules, because finding enough contiguous address space to allocate that much memory is virtually impossible anyway. [email protected] (cherry picked from commit 6d7ed2e8707cb865408da6a04d645c65553cd0b1) Fixed: chromium:1242339 No-Try: true No-Presubmit: true No-Tree-Checks: true Change-Id: Ie6bf129c5b3501b7e256e4358a257d9c202fa78c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3338663 Reviewed-by: Jakob Kummerow <[email protected]> Reviewed-by: Thibaud Michaud <[email protected]> Commit-Queue: Thibaud Michaud <[email protected]> Cr-Commit-Position: refs/branch-heads/9.7@{#36} Cr-Branched-From: 49162da-refs/heads/9.7.106@{#1} Cr-Branched-From: a7e9b8f-refs/heads/main@{#77674}
ncsoft · Dec 14, 2021 · fd38e83 · fd38e83
1 parent 1d9e6de
commit fd38e83
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 2 deletions.
diff --git a/src/builtins/typed-array-createtypedarray.tq b/src/builtins/typed-array-createtypedarray.tq
@@ -292,7 +292,7 @@ transitioning macro ConstructByArrayBuffer(implicit context: Context)(
       // in the step 12 branch.
       newByteLength = bufferByteLength - offset;
       newLength = elementsInfo.CalculateLength(newByteLength)
-          otherwise IfInvalidOffset;
+          otherwise IfInvalidLength;
 
       // 12. Else,
     } else {

diff --git a/src/objects/js-array-buffer.cc b/src/objects/js-array-buffer.cc
@@ -82,6 +82,7 @@ void JSArrayBuffer::Attach(std::shared_ptr<BackingStore> backing_store) {
     // invariant that their byte_length field is always 0.
     set_byte_length(0);
   } else {
+    CHECK_LE(backing_store->byte_length(), kMaxByteLength);
     set_byte_length(backing_store->byte_length());
   }
   set_max_byte_length(backing_store->max_byte_length());

diff --git a/src/wasm/wasm-engine.cc b/src/wasm/wasm-engine.cc
@@ -1645,6 +1645,9 @@ WasmCodeManager* GetWasmCodeManager() {
 
 // {max_mem_pages} is declared in wasm-limits.h.
 uint32_t max_mem_pages() {
+  static_assert(
+      kV8MaxWasmMemoryPages * kWasmPageSize <= JSArrayBuffer::kMaxByteLength,
+      "Wasm memories must not be bigger than JSArrayBuffers");
   STATIC_ASSERT(kV8MaxWasmMemoryPages <= kMaxUInt32);
   return std::min(uint32_t{kV8MaxWasmMemoryPages}, FLAG_wasm_max_mem_pages);
 }

diff --git a/src/wasm/wasm-limits.h b/src/wasm/wasm-limits.h
@@ -40,7 +40,7 @@ constexpr size_t kV8MaxWasmDataSegments = 100000;
 // Also, do not use this limit to validate declared memory, use
 // kSpecMaxMemoryPages for that.
 constexpr size_t kV8MaxWasmMemoryPages = kSystemPointerSize == 4
-                                             ? 32768   // = 2 GiB
+                                             ? 32767   // = 2 GiB
                                              : 65536;  // = 4 GiB
 constexpr size_t kV8MaxWasmStringSize = 100000;
 constexpr size_t kV8MaxWasmModuleSize = 1024 * 1024 * 1024;  // = 1 GiB