Stream: git-wasmtime

Topic: wasmtime / PR #2463 x64 backend: fix condition-code used ...


view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 07:35):

cfallin opened PR #2463 (assigned to bnjbvr) from fix-heap-bounds-check-x64 to main:

A dynamic heap address computation may create up to two conditional
branches: the usual bounds-check, but also (in some cases) an
offset-addition overflow check.

The x64 backend had reversed the condition code for this check,
resulting in an always-trapping execution for a valid offset. I'm
somewhat surprised this has existed so long, but I suppose the
particular conditions (large offset, small offset guard, dynamic heap)
have been somewhat rare in our testing so far.

Found via fuzzing in #2453.

<!--

Please ensure that the following steps are all taken care of before submitting
the PR.

Please ensure all communication adheres to the code of conduct.
-->

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 07:35):

cfallin assigned PR #2463 to bnjbvr.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 07:35):

cfallin assigned PR #2463 to bnjbvr.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 08:07):

cfallin requested bnjbvr and julian-seward1 for a review on PR #2463.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 08:07):

cfallin requested bnjbvr and julian-seward1 for a review on PR #2463.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 08:07):

cfallin unassigned PR #2463 to bnjbvr.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 08:07):

cfallin unassigned PR #2463.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 15:32):

bnjbvr submitted PR Review.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 15:32):

bnjbvr submitted PR Review.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 15:32):

bnjbvr created PR Review Comment:

I think the initial comment was correct since the intent of this function is to return the condition code used when there is an unsigned overflow, but what the function returned was not correct (my bad!).

Confirming the reasoning:

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 15:32):

bnjbvr created PR Review Comment:

Ditto re: comment was correct here too.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 17:40):

cfallin updated PR #2463 from fix-heap-bounds-check-x64 to main:

A dynamic heap address computation may create up to two conditional
branches: the usual bounds-check, but also (in some cases) an
offset-addition overflow check.

The x64 backend had reversed the condition code for this check,
resulting in an always-trapping execution for a valid offset. I'm
somewhat surprised this has existed so long, but I suppose the
particular conditions (large offset, small offset guard, dynamic heap)
have been somewhat rare in our testing so far.

Found via fuzzing in #2453.

<!--

Please ensure that the following steps are all taken care of before submitting
the PR.

Please ensure all communication adheres to the code of conduct.
-->

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 17:42):

cfallin submitted PR Review.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 17:42):

cfallin created PR Review Comment:

It took me far too long staring at this (very thorough, thank you!) sequence of steps to internalize it; yes, you're right, and the key bit is that overflow -> carry set -> B / ult. Thanks, updated comment!

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 17:42):

cfallin submitted PR Review.

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 17:42):

cfallin created PR Review Comment:

Updated!

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 18:41):

cfallin updated PR #2463 from fix-heap-bounds-check-x64 to main:

A dynamic heap address computation may create up to two conditional
branches: the usual bounds-check, but also (in some cases) an
offset-addition overflow check.

The x64 backend had reversed the condition code for this check,
resulting in an always-trapping execution for a valid offset. I'm
somewhat surprised this has existed so long, but I suppose the
particular conditions (large offset, small offset guard, dynamic heap)
have been somewhat rare in our testing so far.

Found via fuzzing in #2453.

<!--

Please ensure that the following steps are all taken care of before submitting
the PR.

Please ensure all communication adheres to the code of conduct.
-->

view this post on Zulip Wasmtime GitHub notifications bot (Dec 02 2020 at 19:24):

cfallin merged PR #2463.


Last updated: Dec 23 2024 at 12:05 UTC