jameysharp labeled issue #5163:
The
sum
andcalculate_addr
functions incranelift/interpreter/src/step.rs
, and theget_heap_address
andheap_address
andvalidate_address
functions onInterpreterState
, are too general in some ways and not general enough in others.In #5155 @afonso360 discovered that
calculate_address
was being called incorrectly in the interpreter's implementation ofheap_addr
. It was passed theimm()
, which for that instruction is the size to validate, along with the dynamic offset. So the returned address started immediately _after_ the memory region it was supposed to return. Since that function exists solely to 1) convert values to a specified type and 2) sum them, an instruction where there's only one operand doesn't really need that.The only two other uses of
calculate_address
pass a constant type (I64
), so the value conversion is more general than necessary. And they always pass an array of exactly one value, so the iterators and generalized sums are also more general than necessary.Meanwhile, the
sum
helper used incalculate_address
is also used instack_load
,stack_store
, andstack_addr
, but nowhere else. It seems like anycalculate_address
-style helper that's useful for calculating heap offsets should work for stack instructions too. So in that sense apparentlycalculate_address
is _less_ general than necessary. Regardless, I'd like to seesum
deleted since there are always exactly two operands.There's very little difference between
get_heap_address
andheap_address
, except the latter is in theState
trait and the former is an inherent method onInterpreterState
specifically. Perhaps we could merge those? Sinceheap_address
is only called from the implementation of theheap_addr
instruction andget_heap_address
is only called from tests, I suspect changing their signatures shouldn't be hard.Calling
heap_address
twice, once to check the upper bound and a second time to get the actual address, isn't really necessary. We can and should check whether any of the address computation additions overflow; that definitely indicates invalid addresses. But only the upper bound needs to get checked against the heap size; if that check passes without overflow, the start address is definitely safe. So I thinkheap_address
should be passed the width, so it can askvalidate_address
to check the start address plus width.The interpreter currently does not check for overflow, as far as I can tell, since
Value::add
is implemented usingwrapping_add
.
validate_address
has cases for both heap and stack addresses, but is only ever called with heap addresses. (Fromget_heap_address
andheap_address
, specifically.) It might be useful to actually use it with stack addresses.None of this is urgent; it'd just be nice for future maintenance.
jameysharp opened issue #5163:
The
sum
andcalculate_addr
functions incranelift/interpreter/src/step.rs
, and theget_heap_address
andheap_address
andvalidate_address
functions onInterpreterState
, are too general in some ways and not general enough in others.In #5155 @afonso360 discovered that
calculate_address
was being called incorrectly in the interpreter's implementation ofheap_addr
. It was passed theimm()
, which for that instruction is the size to validate, along with the dynamic offset. So the returned address started immediately _after_ the memory region it was supposed to return. Since that function exists solely to 1) convert values to a specified type and 2) sum them, an instruction where there's only one operand doesn't really need that.The only two other uses of
calculate_address
pass a constant type (I64
), so the value conversion is more general than necessary. And they always pass an array of exactly one value, so the iterators and generalized sums are also more general than necessary.Meanwhile, the
sum
helper used incalculate_address
is also used instack_load
,stack_store
, andstack_addr
, but nowhere else. It seems like anycalculate_address
-style helper that's useful for calculating heap offsets should work for stack instructions too. So in that sense apparentlycalculate_address
is _less_ general than necessary. Regardless, I'd like to seesum
deleted since there are always exactly two operands.There's very little difference between
get_heap_address
andheap_address
, except the latter is in theState
trait and the former is an inherent method onInterpreterState
specifically. Perhaps we could merge those? Sinceheap_address
is only called from the implementation of theheap_addr
instruction andget_heap_address
is only called from tests, I suspect changing their signatures shouldn't be hard.Calling
heap_address
twice, once to check the upper bound and a second time to get the actual address, isn't really necessary. We can and should check whether any of the address computation additions overflow; that definitely indicates invalid addresses. But only the upper bound needs to get checked against the heap size; if that check passes without overflow, the start address is definitely safe. So I thinkheap_address
should be passed the width, so it can askvalidate_address
to check the start address plus width.The interpreter currently does not check for overflow, as far as I can tell, since
Value::add
is implemented usingwrapping_add
.
validate_address
has cases for both heap and stack addresses, but is only ever called with heap addresses. (Fromget_heap_address
andheap_address
, specifically.) It might be useful to actually use it with stack addresses.None of this is urgent; it'd just be nice for future maintenance.
jameysharp commented on issue #5163:
After #5386 removed heaps from Cranelift, all of the heap-address helpers are now gone and
validate_address
is not called anywhere. So some of this issue has become irrelevant but now there's more to clean up.Some of this might also become irrelevant with #5793.
Last updated: Dec 23 2024 at 13:07 UTC