Cranelift: Make heap_addr return calculated base + index + offset (#5231)
* Cranelift: Make `heap_addr` return calculated `base + index + offset`
Rather than return just the `base + index`.
(Note: I've chosen to use the nomenclature "index" for the dynamic operand and
"offset" for the static immediate.)
This move the addition of the `offset` into `heap_addr`, instead of leaving it
for the subsequent memory operation, so that we can Spectre-guard the full
address, and not allow speculative execution to read the first 4GiB of memory.
Before this commit, we were effectively doing
load(spectre_guard(base + index) + offset)
Now we are effectively doing
load(spectre_guard(base + index + offset))
Finally, this also corrects `heap_addr`'s documented semantics to say that it
returns an address that will trap on access if `index + offset + access_size` is
out of bounds for the given heap, rather than saying that the `heap_addr` itself
will trap. This matches the implemented behavior for static memories, and after
https://github.com/bytecodealliance/wasmtime/pull/5190 lands (which is blocked
on this commit) will also match the implemented behavior for dynamic memories.
* Update heap_addr docs
* Factor out `offset + size` to a helper
This commit is contained in:
Nick Fitzgerald
22
cranelift/codegen/meta/src/shared/instructions.rs
Normal file → Executable file
22
cranelift/codegen/meta/src/shared/instructions.rs
Normal file → Executable file
@@ -1128,26 +1128,30 @@ pub(crate) fn define(
|
||||
);
|
||||
|
||||
let H = &Operand::new("H", &entities.heap);
|
||||
let p = &Operand::new("p", HeapOffset);
|
||||
let Size = &Operand::new("Size", &imm.uimm32).with_doc("Size in bytes");
|
||||
let index = &Operand::new("index", HeapOffset);
|
||||
let Offset = &Operand::new("Offset", &imm.uimm32).with_doc("Static offset immediate in bytes");
|
||||
let Size = &Operand::new("Size", &imm.uimm8).with_doc("Static size immediate in bytes");
|
||||
|
||||
ig.push(
|
||||
Inst::new(
|
||||
"heap_addr",
|
||||
r#"
|
||||
Bounds check and compute absolute address of heap memory.
|
||||
Bounds check and compute absolute address of ``index + Offset`` in heap memory.
|
||||
|
||||
Verify that the offset range ``p .. p + Size - 1`` is in bounds for the
|
||||
heap H, and generate an absolute address that is safe to dereference.
|
||||
Verify that the range ``index .. index + Offset + Size`` is in bounds for the
|
||||
heap ``H``, and generate an absolute address that is safe to dereference.
|
||||
|
||||
1. If ``p + Size`` is not greater than the heap bound, return an
|
||||
absolute address corresponding to a byte offset of ``p`` from the
|
||||
1. If ``index + Offset + Size`` is less than or equal ot the heap bound, return an
|
||||
absolute address corresponding to a byte offset of ``index + Offset`` from the
|
||||
heap's base address.
|
||||
2. If ``p + Size`` is greater than the heap bound, generate a trap.
|
||||
|
||||
2. If ``index + Offset + Size`` is greater than the heap bound, return the
|
||||
``NULL`` pointer or any other address that is guaranteed to generate a trap
|
||||
when accessed.
|
||||
"#,
|
||||
&formats.heap_addr,
|
||||
)
|
||||
.operands_in(vec![H, p, Size])
|
||||
.operands_in(vec![H, index, Offset, Size])
|
||||
.operands_out(vec![addr]),
|
||||
);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user