Closed Bug 1598149 Opened 10 months ago Closed 10 months ago

Track bounds checking changes for bulk-memory-operations, again

Categories

(Core :: Javascript: WebAssembly, task, P3)

Tracking

RESOLVED FIXED
mozilla72
Tracking Status
firefox72 --- fixed

People

(Reporter: rhunt, Assigned: rhunt)

Attachments

(3 files)

We may specify len=0 outside of the memory bounds to trap. See [1].

[1] https://github.com/WebAssembly/bulk-memory-operations/issues/124

Bulk memory reduces active segments to sequences of *.init that are executed
before the start function is called. This implies that an error here is to be
reported as a RuntimeError, as an error in the start function would. The latest
spec tests for bulk-memory check this, so we're required to update as well.

Spec Issue: https://github.com/WebAssembly/bulk-memory-operations/issues/124

The inline paths for memory.copy/fill are updated to fall back to the OOL path
when the length is 0 to have proper bounds checking behavior.

Depends on D54598
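
A conformance check for the zero-length bounds behaviour described above, as an added example that is not from the bug or from SpiderMonkey's tree: the hand-assembled module bytes, the export names `fill` and `copy`, and the `probe`/`runCases` helpers are constructed for illustration. It also covers the boundary case of a zero-length access at exactly the end of memory, which stays in bounds because the trap condition is offset + length exceeding the memory size.

```javascript
// Hand-assembled module (bytes constructed for this example): one 64 KiB page,
// exports fill(dst, val, len) and copy(dst, src, len).
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,        // magic, version
  0x01, 0x07, 0x01, 0x60, 0x03, 0x7f, 0x7f, 0x7f, 0x00,  // type (i32,i32,i32)->()
  0x03, 0x03, 0x02, 0x00, 0x00,                          // two functions of type 0
  0x05, 0x03, 0x01, 0x00, 0x01,                          // memory, min 1 page
  0x07, 0x0f, 0x02,                                      // export section
  0x04, 0x66, 0x69, 0x6c, 0x6c, 0x00, 0x00,              //   "fill" -> func 0
  0x04, 0x63, 0x6f, 0x70, 0x79, 0x00, 0x01,              //   "copy" -> func 1
  0x0a, 0x1a, 0x02,                                      // code section
  // local.get 0; local.get 1; local.get 2; memory.fill; end
  0x0b, 0x00, 0x20, 0x00, 0x20, 0x01, 0x20, 0x02, 0xfc, 0x0b, 0x00, 0x0b,
  // local.get 0; local.get 1; local.get 2; memory.copy; end
  0x0c, 0x00, 0x20, 0x00, 0x20, 0x01, 0x20, 0x02, 0xfc, 0x0a, 0x00, 0x00, 0x0b,
]);
const PAGE = 65536; // size of the module's memory in bytes

// Run one call and classify the outcome; anything but a wasm trap is rethrown.
function probe(fn, a, b, c) {
  try {
    fn(a, b, c);
    return "ok";
  } catch (e) {
    if (e instanceof WebAssembly.RuntimeError) return "trap";
    throw e;
  }
}

function runCases() {
  const mod = new WebAssembly.Module(MODULE_BYTES);
  const { fill, copy } = new WebAssembly.Instance(mod).exports;
  return {
    fillInBounds:       probe(fill, 0, 0xaa, PAGE),   // whole page
    fillZeroAtEnd:      probe(fill, PAGE, 0, 0),      // len 0 at the end
    fillZeroPastEnd:    probe(fill, PAGE + 1, 0, 0),  // len 0 past the end
    copyZeroDstPastEnd: probe(copy, PAGE + 1, 0, 0),
    copyZeroSrcPastEnd: probe(copy, 0, PAGE + 1, 0),
    copyOverrun:        probe(copy, PAGE - 1, 0, 2),  // runs one byte over
  };
}

console.log(runCases());
```

An engine that treats a zero-length operation as a no-op before checking bounds reports "ok" for the three zero-length past-the-end cases.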

This commit updates our in-tree version of spec-tests to a recent bulk-memory
master (1e296604ae7c2aa2ce7619929a8817c9fd95941d) with one backport for our
addition of a bottom type. All the other backports and merges have been
dropped.

[1] https://github.com/eqrion/wasm-spec/commits/spidermonkey-tree-tests

Depends on D54599

Pushed by rhunt@eqrion.net:
https://hg.mozilla.org/integration/autoland/rev/664f0ef11e26
Report bulk-memory failures to instantiate segments as runtime errors. r=lth
Backout by dluca@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/59161d967793
Backed out changeset 664f0ef11e26 as per dev's request
Pushed by rhunt@eqrion.net:
https://hg.mozilla.org/integration/autoland/rev/bc6abdc25bcf
Report bulk-memory failures to instantiate segments as runtime errors. r=lth
https://hg.mozilla.org/integration/autoland/rev/81832b228e16
Treat data/elem.drop as shrink-to-zero, disallow zero length past end of bounds. r=lth
https://hg.mozilla.org/integration/autoland/rev/ceedac0727f9
Import updated spec tests. r=lth
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72