From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jakob Kummerow
Date: Thu, 6 Jun 2024 16:44:37 +0200
Subject: Merged: [wasm] Enforce maximum number of canonicalized types
Storing canonical indices in ValueTypes doesn't work well if the canonical index is too large.
Fixed: 344608204
(cherry picked from commit 422cdc5eddcadb53b8eafb099722fb211a35739e)
Change-Id: Id281d6a38e8f2c64c42352f2d3dd3df54e289525
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5625825
Auto-Submit: Jakob Kummerow
Commit-Queue: Jakob Kummerow
Reviewed-by: Matthias Liedtke
Commit-Queue: Matthias Liedtke
Cr-Commit-Position: refs/branch-heads/12.6@{#30}
Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
diff --git a/src/wasm/canonical-types.cc b/src/wasm/canonical-types.cc
index b45a40a5da9c772623471dbc11fb45242d2053d0..7c6a4072f15d3dbb073bd1fe4760cf6ae92e4985 100644
--- a/src/wasm/canonical-types.cc
+++ b/src/wasm/canonical-types.cc
@@ -4,6 +4,7 @@
 #include "src/wasm/canonical-types.h"
+#include "src/init/v8.h"
 #include "src/wasm/std-object-sizes.h"
 #include "src/wasm/wasm-engine.h"
@@ -20,6 +21,19 @@ TypeCanonicalizer::TypeCanonicalizer() {
 AddPredefinedArrayType(kPredefinedArrayI16Index, kWasmI16);
 }
+// We currently store canonical indices in {ValueType} instances, so they
+// must fit into the range of valid module-relative (non-canonical) type
+// indices.
+// TODO(jkummerow): Raise this limit, to make long-lived WasmEngines scale
+// better. Plan: stop constructing ValueTypes from canonical type indices.
+static constexpr size_t kMaxCanonicalTypes = kV8MaxWasmTypes;
+
+void TypeCanonicalizer::CheckMaxCanonicalIndex() const {
+ if (canonical_supertypes_.size() > kMaxCanonicalTypes) {
+ V8::FatalProcessOutOfMemory(nullptr, "too many canonicalized types");
+ }
+}
+
 void TypeCanonicalizer::AddRecursiveGroup(WasmModule* module, uint32_t size) {
 AddRecursiveGroup(module, size, static_cast(module->types.size() - size));
@@ -60,6 +74,7 @@ void TypeCanonicalizer::AddRecursiveGroup(WasmModule* module, uint32_t size,
 uint32_t first_canonical_index = static_cast(canonical_supertypes_.size());
 canonical_supertypes_.resize(first_canonical_index + size);
+ CheckMaxCanonicalIndex();
 for (uint32_t i = 0; i < size; i++) {
 CanonicalType& canonical_type = group.types[i];
 // Compute the canonical index of the supertype: If it is relative, we
@@ -106,6 +121,7 @@ void TypeCanonicalizer::AddRecursiveSingletonGroup(WasmModule* module,
 uint32_t first_canonical_index = static_cast(canonical_supertypes_.size());
 canonical_supertypes_.resize(first_canonical_index + 1);
+ CheckMaxCanonicalIndex();
 CanonicalType& canonical_type = group.type;
 // Compute the canonical index of the supertype: If it is relative, we
 // need to add {first_canonical_index}.
@@ -151,6 +167,7 @@ uint32_t TypeCanonicalizer::AddRecursiveGroup(const FunctionSig* sig) {
 group.type.is_relative_supertype = false;
 canonical_singleton_groups_.emplace(group, canonical_index);
 canonical_supertypes_.emplace_back(kNoSuperType);
+ CheckMaxCanonicalIndex();
 return canonical_index;
 }
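Review bot: `CheckMaxCanonicalIndex()` has exactly one failure mode, `V8::FatalProcessOutOfMemory`, so once an engine has registered `kV8MaxWasmTypes` canonical types every further module that brings a fresh recursion group aborts the whole process; that is clearly safer than the previous behaviour of packing an oversized canonical index into a `ValueType`, but it turns a latent type-confusion into a hard abort, and if canonical types are never reclaimed over the engine's lifetime (the TODO about long-lived WasmEngines suggests they are not) the abort is reachable from untrusted modules as a denial of service. The comment block above `kMaxCanonicalTypes` should state that trade-off so nobody later "softens" the check without revisiting the ValueType encoding, e.g. `// Exceeding this limit is a deliberate process abort, not a validation error; it is reachable by untrusted modules until the TODO below is done.` The helper's name says "index" but it compares `canonical_supertypes_.size()` with `>`, so a size of exactly `kMaxCanonicalTypes` passes and the largest index ever handed out is `kMaxCanonicalTypes - 1`, which is what keeps it inside the module-relative range; a one-line comment making that off-by-one reasoning explicit would help the next reader, e.g. `// size() may equal the limit: indices stay in [0, kMaxCanonicalTypes).` The two-argument `AddRecursiveGroup` wrapper at the end of the hunk continues outside it.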
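Review bot: In the `AddRecursiveGroup(WasmModule*, uint32_t, ...)` hunk the new `CheckMaxCanonicalIndex()` runs only after `canonical_supertypes_.resize(first_canonical_index + size)` has already grown the vector past the limit, and the same grow-then-check order is repeated at every other call site in this file; that is sound only because `V8::FatalProcessOutOfMemory` presumably never returns, which a reader of this call site cannot see. Either document it at the helper, `// Never returns once the limit is exceeded; safe to call after the growth.`, or check the intended size before allocating, `if (first_canonical_index + size > kMaxCanonicalTypes) CheckMaxCanonicalIndex();` is not quite expressible with the parameterless helper, so the comment is the cheaper fix. The enclosing function starts and ends outside the hunk.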
@@ -167,6 +184,7 @@ void TypeCanonicalizer::AddPredefinedArrayType(uint32_t index,
 group.type.is_relative_supertype = false;
 canonical_singleton_groups_.emplace(group, index);
 canonical_supertypes_.emplace_back(kNoSuperType);
+ DCHECK_LE(canonical_supertypes_.size(), kMaxCanonicalTypes);
 }
 ValueType TypeCanonicalizer::CanonicalizeValueType(
diff --git a/src/wasm/canonical-types.h b/src/wasm/canonical-types.h
index e2b65e5a35030781b59abdd0f7aebe105754c1f3..c5dd6e8bf156908f6080f16234b7a24d1042f026 100644
--- a/src/wasm/canonical-types.h
+++ b/src/wasm/canonical-types.h
@@ -164,6 +164,8 @@ class TypeCanonicalizer {
 ValueType CanonicalizeValueType(const WasmModule* module, ValueType type, uint32_t recursive_group_start) const;
+ void CheckMaxCanonicalIndex() const;
+
 std::vector canonical_supertypes_;
 // Maps groups of size >=2 to the canonical id of the first type.
 std::unordered_map>
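Review bot: `DCHECK_LE(canonical_supertypes_.size(), kMaxCanonicalTypes)` compiles away in release builds, which makes `AddPredefinedArrayType` the one growth path of `canonical_supertypes_` that the commit leaves without an enforced limit. That is defensible only because the earlier hunk shows it being called from the `TypeCanonicalizer` constructor for a fixed set of predefined array types, and that reasoning should be written down next to the check so a future caller on a module-driven path does not inherit an unchecked `emplace_back`: `// Only the constructor calls this, for a fixed handful of predefined types, so a DCHECK is sufficient; any module-driven caller must use CheckMaxCanonicalIndex() instead.` The function's signature begins outside the hunk.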
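Review bot: The new declaration `void CheckMaxCanonicalIndex() const;` in the header carries no comment, and the limit it enforces (`kMaxCanonicalTypes`) lives only in the .cc file, so a reader of the class has no way to learn that this call can terminate the process. A comment on the declaration would close that gap: `// Aborts the process (reported as OOM) when canonical_supertypes_ holds more than kV8MaxWasmTypes entries; must be called after every growth of that vector.` It also reads `canonical_supertypes_` directly, so it has to be invoked under whatever synchronization protects that vector — nothing in this hunk shows a lock, so that expectation should be stated in the same comment rather than assumed. The class body continues outside the hunk.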