201006 – Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.

Bug 201006 - Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unnecessary overflow checks.

Summary: Wasm's AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are doing unn...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Lam

URL:
Keywords:	InRadar

Depends on:	201016
Blocks:
	Show dependency tree / graph

Reported:	2019-08-21 16:12 PDT by Mark Lam
Modified:	2019-08-28 14:25 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
proposed patch. (1.68 KB, patch) 2019-08-21 16:18 PDT, Mark Lam	mark.lam: review-	Details \| Formatted Diff \| Diff
proposed patch. (4.33 KB, patch) 2019-08-28 14:13 PDT, Mark Lam	ysuzuki: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Lam 2019-08-21 16:12:59 PDT

<rdar://problem/52053991>

Comment 1 Mark Lam 2019-08-21 16:18:13 PDT

Created attachment 376946 [details]
proposed patch.

Comment 2 Keith Miller 2019-08-21 16:21:02 PDT

Comment on attachment 376946 [details]
proposed patch.

r=me.

Comment 3 Mark Lam 2019-08-21 17:23:30 PDT

Comment on attachment 376946 [details]
proposed patch.

Actually, this change is not needed.  Details to follow.

Comment 4 Mark Lam 2019-08-21 17:30:30 PDT

Validate::addLocal() can never overflow because:

1. It is only called from m_context.addArguments() and FunctionParser<Context>::parse().

2. m_context.addArguments() will add the number of arguments in the signature passed to it.
   In SectionParser::parseType(), we already ensure that the number of arguments do not exceed maxFunctionParams, which is 1000 (see WasmLimits.h).

3. FunctionParser<Context>::parse() will also call addLocal() to add numberOfLocals for each local group.  numberOfLocals is capped to maxFunctionLocals, and the number of local groups is currently capped to maxFunctionLocals also.  maxFunctionLocals is 50000 (see WasmLimits.h).

As a result, the max possible number of locals added = 1000 + (50000 * 50000) = 2500001000 = 0x9502FCE8, which is less that UINT_MAX.

There is no chance of an overflow here.

Comment 5 Mark Lam 2019-08-28 13:50:52 PDT

Actually, AirIRGenerator::addLocal() and B3IRGenerator::addLocal() are both doing unnecessary overflow checks.  We already ensured that it is not possible to overflow in Wasm::FunctionParser's parse().  It is unnecessary and misleading to do those overflow checks in AirIRGenerator and B3IRGenerator.  The only check that is necessary is that m_locals.tryReserveCapacity() is successful, otherwise, we have an out of memory situation.

I'll use this bug to change these unnecessary checks to assertions instead.

Comment 6 Mark Lam 2019-08-28 14:13:37 PDT

Created attachment 377483 [details]
proposed patch.

Comment 7 Yusuke Suzuki 2019-08-28 14:18:11 PDT

Comment on attachment 377483 [details]
proposed patch.

r=me. These checks are redundant to WasmFunctionParser and the responsibility of this check should belong to WasmFunctionParser. Not to each client.

Comment 8 Mark Lam 2019-08-28 14:25:43 PDT

Thanks for the review.  Landed in r249221: <http://trac.webkit.org/r249221>.