Wasmtime GitHub notifications bot (Oct 31 2022 at 22:43): Wasmtime GitHub notifications bot (Oct 31 2022 at 22:43):jameysharp labeled issue #5163:
The
sumandcalculate_addrfunctions incranelift/interpreter/src/step.rs, and theget_heap_addressandheap_addressandvalidate_addressfunctions onInterpreterState, are too general in some ways and not general enough in others.In #5155 @afonso360 discovered that
calculate_addresswas being called incorrectly in the interpreter's implementation ofheap_addr. It was passed theimm(), which for that instruction is the size to validate, along with the dynamic offset. So the returned address started immediately _after_ the memory region it was supposed to return. Since that function exists solely to 1) convert values to a specified type and 2) sum them, an instruction where there's only one operand doesn't really need that.The only two other uses of
calculate_addresspass a constant type (I64), so the value conversion is more general than necessary. And they always pass an array of exactly one value, so the iterators and generalized sums are also more general than necessary.Meanwhile, the
sumhelper used incalculate_addressis also used instack_load,stack_store, andstack_addr, but nowhere else. It seems like anycalculate_address-style helper that's useful for calculating heap offsets should work for stack instructions too. So in that sense apparentlycalculate_addressis _less_ general than necessary. Regardless, I'd like to seesumdeleted since there are always exactly two operands.There's very little difference between
get_heap_addressandheap_address, except the latter is in theStatetrait and the former is an inherent method onInterpreterStatespecifically. Perhaps we could merge those? Sinceheap_addressis only called from the implementation of theheap_addrinstruction andget_heap_addressis only called from tests, I suspect changing their signatures shouldn't be hard.Calling
heap_addresstwice, once to check the upper bound and a second time to get the actual address, isn't really necessary. We can and should check whether any of the address computation additions overflow; that definitely indicates invalid addresses. But only the upper bound needs to get checked against the heap size; if that check passes without overflow, the start address is definitely safe. So I thinkheap_addressshould be passed the width, so it can askvalidate_addressto check the start address plus width.The interpreter currently does not check for overflow, as far as I can tell, since
Value::addis implemented usingwrapping_add.
validate_addresshas cases for both heap and stack addresses, but is only ever called with heap addresses. (Fromget_heap_addressandheap_address, specifically.) It might be useful to actually use it with stack addresses.None of this is urgent; it'd just be nice for future maintenance.
Wasmtime GitHub notifications bot (Oct 31 2022 at 22:43):jameysharp opened issue #5163:
The
sumandcalculate_addrfunctions incranelift/interpreter/src/step.rs, and theget_heap_addressandheap_addressandvalidate_addressfunctions onInterpreterState, are too general in some ways and not general enough in others.In #5155 @afonso360 discovered that
calculate_addresswas being called incorrectly in the interpreter's implementation ofheap_addr. It was passed theimm(), which for that instruction is the size to validate, along with the dynamic offset. So the returned address started immediately _after_ the memory region it was supposed to return. Since that function exists solely to 1) convert values to a specified type and 2) sum them, an instruction where there's only one operand doesn't really need that.The only two other uses of
calculate_addresspass a constant type (I64), so the value conversion is more general than necessary. And they always pass an array of exactly one value, so the iterators and generalized sums are also more general than necessary.Meanwhile, the
sumhelper used incalculate_addressis also used instack_load,stack_store, andstack_addr, but nowhere else. It seems like anycalculate_address-style helper that's useful for calculating heap offsets should work for stack instructions too. So in that sense apparentlycalculate_addressis _less_ general than necessary. Regardless, I'd like to seesumdeleted since there are always exactly two operands.There's very little difference between
get_heap_addressandheap_address, except the latter is in theStatetrait and the former is an inherent method onInterpreterStatespecifically. Perhaps we could merge those? Sinceheap_addressis only called from the implementation of theheap_addrinstruction andget_heap_addressis only called from tests, I suspect changing their signatures shouldn't be hard.Calling
heap_addresstwice, once to check the upper bound and a second time to get the actual address, isn't really necessary. We can and should check whether any of the address computation additions overflow; that definitely indicates invalid addresses. But only the upper bound needs to get checked against the heap size; if that check passes without overflow, the start address is definitely safe. So I thinkheap_addressshould be passed the width, so it can askvalidate_addressto check the start address plus width.The interpreter currently does not check for overflow, as far as I can tell, since
Value::addis implemented usingwrapping_add.
validate_addresshas cases for both heap and stack addresses, but is only ever called with heap addresses. (Fromget_heap_addressandheap_address, specifically.) It might be useful to actually use it with stack addresses.None of this is urgent; it'd just be nice for future maintenance.
Wasmtime GitHub notifications bot (Mar 29 2023 at 17:31):jameysharp commented on issue #5163:
After #5386 removed heaps from Cranelift, all of the heap-address helpers are now gone and
validate_addressis not called anywhere. So some of this issue has become irrelevant but now there's more to clean up.Some of this might also become irrelevant with #5793.
Last updated: Dec 13 2025 at 19:03 UTC