[wasm] Protected instructions not registered after deserialization
Issue description
We seem to fail to register protected instructions (for the trap handler) after deserialization of wasm modules.
Reproducer:
============================================================
// Run in d8 with --allow-natives-syntax (for the %Serialize/%Deserialize natives),
// with V8's mjsunit WasmModuleBuilder helper loaded first (it also defines kPageSize).
function GenerateSerializedModule() {
  const builder = new WasmModuleBuilder();
  builder.addMemory(1, 1);  // exactly one 64 KiB page, no growth
  // main(addr) = i32.load addr
  builder.addFunction('main', kSig_i_i)
      .addBody([kExprGetLocal, 0, kExprI32LoadMem, 0, 0])
      .exportFunc();
  const wire_bytes = builder.toBuffer();
  const module = new WebAssembly.Module(wire_bytes);
  const buffer = %SerializeWasmModule(module);
  return [wire_bytes, buffer];
}

const [wire_bytes, buffer] = GenerateSerializedModule();
const module = %DeserializeWasmModule(buffer, wire_bytes);
const instance = new WebAssembly.Instance(module);
// A 4-byte load at (page end - 3) straddles the memory boundary. This should
// raise a wasm trap (RuntimeError); without registered protected instructions
// the trap handler does not recognise the faulting pc and the process segfaults.
instance.exports.main(kPageSize - 3);
============================================================
This results in a segfault. It's not a security bug, since we reliably get a segfault instead of the wasm trap.
Bisects to fffa33179d4105c5661f9d47d66bbb54fa9e4ad1 ([wasm] Register and release protected instructions only once). In that CL, we skipped registering protected instructions at instantiation, and forgot to add it in the deserialization path.
Jun 28 2018

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/37ca8c3d2d7884d959a34b07249d7b5227f5670f

commit 37ca8c3d2d7884d959a34b07249d7b5227f5670f
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Jun 28 13:02:34 2018

[wasm] Remove friendship between NativeModule and (de)serializer

This CL removes the friendship between {NativeModule} and {NativeModuleSerializer}/{NativeModuleDeserializer}. Instead, it adds a new public method ({AddDeserializedCode}) which is being called from the deserializer.

Drive-by: Unify the argument order to {AddCode}, {AddOwnedCode} and {WasmCode}.

R=mstarzinger@chromium.org

Bug: chromium:856938
Change-Id: I88943c90c45650e21ae6bc17395a17f86319c046
Reviewed-on: https://chromium-review.googlesource.com/1117075
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54084}

[modify] https://crrev.com/37ca8c3d2d7884d959a34b07249d7b5227f5670f/src/compiler/pipeline.cc
[modify] https://crrev.com/37ca8c3d2d7884d959a34b07249d7b5227f5670f/src/wasm/baseline/liftoff-compiler.cc
[modify] https://crrev.com/37ca8c3d2d7884d959a34b07249d7b5227f5670f/src/wasm/wasm-code-manager.cc
[modify] https://crrev.com/37ca8c3d2d7884d959a34b07249d7b5227f5670f/src/wasm/wasm-code-manager.h
[modify] https://crrev.com/37ca8c3d2d7884d959a34b07249d7b5227f5670f/src/wasm/wasm-serialization.cc
[modify] https://crrev.com/37ca8c3d2d7884d959a34b07249d7b5227f5670f/test/cctest/wasm/test-run-wasm.cc
[modify] https://crrev.com/37ca8c3d2d7884d959a34b07249d7b5227f5670f/test/unittests/wasm/wasm-code-manager-unittest.cc
Jun 28 2018

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/15428f19f2dc0af9631db93dd96787017d86a850

commit 15428f19f2dc0af9631db93dd96787017d86a850
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Jun 28 13:06:45 2018

[wasm] Register protected instructions after deserialization

R=mstarzinger@chromium.org

Bug: chromium:856938
Change-Id: I57699de23b5c35a531c7601fd14a91f075abb0da
Reviewed-on: https://chromium-review.googlesource.com/1117182
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54085}

[modify] https://crrev.com/15428f19f2dc0af9631db93dd96787017d86a850/src/wasm/wasm-code-manager.cc
[modify] https://crrev.com/15428f19f2dc0af9631db93dd96787017d86a850/test/mjsunit/wasm/compiled-module-serialization.js
Comment 1 by bugdroid1@chromium.org, Jun 27 2018