fc62d4ad65
* Cranelift: Make `heap_addr` return calculated `base + index + offset`
Rather than return just the `base + index`.
(Note: I've chosen to use the nomenclature "index" for the dynamic operand and
"offset" for the static immediate.)
This move the addition of the `offset` into `heap_addr`, instead of leaving it
for the subsequent memory operation, so that we can Spectre-guard the full
address, and not allow speculative execution to read the first 4GiB of memory.
Before this commit, we were effectively doing
load(spectre_guard(base + index) + offset)
Now we are effectively doing
load(spectre_guard(base + index + offset))
Finally, this also corrects `heap_addr`'s documented semantics to say that it
returns an address that will trap on access if `index + offset + access_size` is
out of bounds for the given heap, rather than saying that the `heap_addr` itself
will trap. This matches the implemented behavior for static memories, and after
https://github.com/bytecodealliance/wasmtime/pull/5190 lands (which is blocked
on this commit) will also match the implemented behavior for dynamic memories.
* Update heap_addr docs
* Factor out `offset + size` to a helper
25 lines
638 B
Plaintext
25 lines
638 B
Plaintext
test interpret
|
|
test run
|
|
target x86_64
|
|
target s390x
|
|
target aarch64
|
|
target riscv64
|
|
|
|
; Store a value in the heap using `heap_addr` and load it using `global_value`
|
|
function %store_load(i64 vmctx, i64, i32) -> i32 {
|
|
gv0 = vmctx
|
|
gv1 = load.i64 notrap aligned gv0+0
|
|
heap0 = static gv1, min 0x1000, bound 0x1_0000_0000, offset_guard 0, index_type i64
|
|
|
|
block0(v0: i64, v1: i64, v2: i32):
|
|
v3 = heap_addr.i64 heap0, v1, 0, 0
|
|
store.i32 v2, v3
|
|
|
|
v4 = global_value.i64 gv1
|
|
v5 = load.i32 v4
|
|
return v5
|
|
}
|
|
; heap: static, size=0x1000, ptr=vmctx+0, bound=vmctx+8
|
|
; run: %store_load(0, 1) == 1
|
|
; run: %store_load(0, -1) == -1
|