427b4aa273
* chore: [30-x-y] cherry-pick 3 changes from 1-M126 * 8b400f9b7d66 from v8 * ba6cab40612d from v8 * 93c3cf1c787f from DirectXShaderCompiler * chore: update patches --------- Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jakob Kummerow <jkummerow@chromium.org>
Date: Thu, 6 Jun 2024 16:44:37 +0200
Subject: Merged: [wasm] Enforce maximum number of canonicalized types
Storing canonical indices in ValueTypes doesn't work well if the
canonical index is too large.
Fixed: 344608204
(cherry picked from commit 422cdc5eddcadb53b8eafb099722fb211a35739e)
Change-Id: Id281d6a38e8f2c64c42352f2d3dd3df54e289525
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5625825
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.6@{#30}
Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
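diff --git a/src/wasm/canonical-types.cc b/src/wasm/canonical-types.cc
index b45a40a5da9c772623471dbc11fb45242d2053d0..7c6a4072f15d3dbb073bd1fe4760cf6ae92e4985 100644
--- a/src/wasm/canonical-types.cc
+++ b/src/wasm/canonical-types.cc
@@ -4,6 +4,7 @@
 
 #include "src/wasm/canonical-types.h"
 
+#include "src/init/v8.h"
 #include "src/wasm/std-object-sizes.h"
 #include "src/wasm/wasm-engine.h"
 
@@ -20,6 +21,19 @@ TypeCanonicalizer::TypeCanonicalizer() {
   AddPredefinedArrayType(kPredefinedArrayI16Index, kWasmI16);
 }
 
+// We currently store canonical indices in {ValueType} instances, so they
+// must fit into the range of valid module-relative (non-canonical) type
+// indices.
+// TODO(jkummerow): Raise this limit, to make long-lived WasmEngines scale
+// better. Plan: stop constructing ValueTypes from canonical type indices.
+static constexpr size_t kMaxCanonicalTypes = kV8MaxWasmTypes;
+
+void TypeCanonicalizer::CheckMaxCanonicalIndex() const {
+  if (canonical_supertypes_.size() > kMaxCanonicalTypes) {
+    V8::FatalProcessOutOfMemory(nullptr, "too many canonicalized types");
+  }
+}
+
 void TypeCanonicalizer::AddRecursiveGroup(WasmModule* module, uint32_t size) {
   AddRecursiveGroup(module, size,
                     static_cast<uint32_t>(module->types.size() - size));
@@ -60,6 +74,7 @@ void TypeCanonicalizer::AddRecursiveGroup(WasmModule* module, uint32_t size,
   uint32_t first_canonical_index =
       static_cast<uint32_t>(canonical_supertypes_.size());
   canonical_supertypes_.resize(first_canonical_index + size);
+  CheckMaxCanonicalIndex();
   for (uint32_t i = 0; i < size; i++) {
     CanonicalType& canonical_type = group.types[i];
     // Compute the canonical index of the supertype: If it is relative, we
@@ -106,6 +121,7 @@ void TypeCanonicalizer::AddRecursiveSingletonGroup(WasmModule* module,
   uint32_t first_canonical_index =
       static_cast<uint32_t>(canonical_supertypes_.size());
   canonical_supertypes_.resize(first_canonical_index + 1);
+  CheckMaxCanonicalIndex();
   CanonicalType& canonical_type = group.type;
   // Compute the canonical index of the supertype: If it is relative, we
   // need to add {first_canonical_index}.
@@ -151,6 +167,7 @@ uint32_t TypeCanonicalizer::AddRecursiveGroup(const FunctionSig* sig) {
   group.type.is_relative_supertype = false;
   canonical_singleton_groups_.emplace(group, canonical_index);
   canonical_supertypes_.emplace_back(kNoSuperType);
+  CheckMaxCanonicalIndex();
   return canonical_index;
 }
 
@@ -167,6 +184,7 @@ void TypeCanonicalizer::AddPredefinedArrayType(uint32_t index,
   group.type.is_relative_supertype = false;
   canonical_singleton_groups_.emplace(group, index);
   canonical_supertypes_.emplace_back(kNoSuperType);
+  DCHECK_LE(canonical_supertypes_.size(), kMaxCanonicalTypes);
 }
 
 ValueType TypeCanonicalizer::CanonicalizeValueType(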
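Review bot: In the `@@ -60` and `@@ -106` hunks `CheckMaxCanonicalIndex()` runs only after `canonical_supertypes_.resize(first_canonical_index + size)`, so the vector is grown past `kMaxCanonicalTypes` before the process aborts, and `first_canonical_index` has already been narrowed to `uint32_t` from a size that is not yet known to be in range; the `@@ -151` hunk has the same order around `emplace_back`. Checking the projected size first keeps the bound an invariant rather than a post-condition, e.g. `if (canonical_supertypes_.size() + size > kMaxCanonicalTypes) V8::FatalProcessOutOfMemory(nullptr, "too many canonicalized types");` placed before the `resize` (with `+ 1` in the singleton variant). Since the limit can be reached by any module stream that keeps defining new recursive groups, the hard abort is the intended fail-safe over silently mis-encoding a canonical index in a `ValueType`, as the description says; a comment on `CheckMaxCanonicalIndex` stating that it terminates the process rather than reporting an error would make that contract explicit at each call site. The enclosing `AddRecursiveGroup` and `AddRecursiveSingletonGroup` bodies continue outside their hunks.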
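diff --git a/src/wasm/canonical-types.h b/src/wasm/canonical-types.h
index e2b65e5a35030781b59abdd0f7aebe105754c1f3..c5dd6e8bf156908f6080f16234b7a24d1042f026 100644
--- a/src/wasm/canonical-types.h
+++ b/src/wasm/canonical-types.h
@@ -164,6 +164,8 @@ class TypeCanonicalizer {
   ValueType CanonicalizeValueType(const WasmModule* module, ValueType type,
                                   uint32_t recursive_group_start) const;
 
+  void CheckMaxCanonicalIndex() const;
+
   std::vector<uint32_t> canonical_supertypes_;
   // Maps groups of size >=2 to the canonical id of the first type.
   std::unordered_map<CanonicalGroup, uint32_t, base::hash<CanonicalGroup>>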
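Review bot: The new `CheckMaxCanonicalIndex()` declaration in the `@@ -164` hunk carries no comment, unlike the map member just below it, so a reader of the header cannot tell that it aborts the process rather than returning a status. Suggest placing `// Aborts the process (FatalProcessOutOfMemory) once canonical_supertypes_ grows beyond the .cc-local kMaxCanonicalTypes, because canonical indices must stay representable in a ValueType.` above the declaration. The `TypeCanonicalizer` class body continues outside the hunk.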