Path: blob/main/crates/cranelift/src/bounds_checks.rs
//! Implementation of Wasm to CLIF memory access translation.
//!
//! Given
//!
//! * a dynamic Wasm memory index operand,
//! * a static offset immediate, and
//! * a static access size,
//!
//! bounds check the memory access and translate it into a native memory access.
//!
//! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
//! !!!                                                                  !!!
//! !!! THIS CODE IS VERY SUBTLE, HAS MANY SPECIAL CASES, AND IS ALSO    !!!
//! !!! ABSOLUTELY CRITICAL FOR MAINTAINING THE SAFETY OF THE WASM HEAP  !!!
//! !!! SANDBOX.                                                         !!!
//! !!!                                                                  !!!
//! !!! A good rule of thumb is to get two reviews on any substantive    !!!
//! !!! changes in here.                                                 !!!
//! !!!                                                                  !!!
//! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
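//!
//! As a rough, illustrative sketch only (the exact instruction sequence
//! depends on the memory configuration, on whether Spectre mitigations are
//! enabled, and on which of the special cases below applies; the value and
//! global-value names here are placeholders, not real identifiers), the fully
//! general dynamic case lowers to CLIF shaped something like:
//!
//! ```ignore
//! ;; extend the 32-bit Wasm index to the native pointer width
//! index = uextend.i64 wasm_index
//! ;; end of the access; trap if `index + offset + access_size` overflows
//! end   = uadd_overflow_trap index, offset_plus_access_size
//! ;; out of bounds if the end of the access is past the heap bound
//! bound = global_value.i64 heap_bound_gv
//! oob   = icmp ugt end, bound
//! ;; native address, forced to zero when out of bounds so the access traps
//! base  = global_value.i64 heap_base_gv
//! addr  = iadd base, index
//! addr  = iadd addr, offset
//! zero  = iconst.i64 0
//! addr  = select_spectre_guard oob, zero, addr
//! ```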

use crate::{
    Reachability,
    func_environ::FuncEnvironment,
    translate::{HeapData, TargetEnvironment},
};
use Reachability::*;
use cranelift_codegen::{
    cursor::{Cursor, FuncCursor},
    ir::{self, InstBuilder, RelSourceLoc, condcodes::IntCC},
    ir::{Expr, Fact},
};
use cranelift_frontend::FunctionBuilder;

/// The kind of bounds check to perform when accessing a Wasm linear memory or
/// GC heap.
///
/// Prefer `BoundsCheck::StaticObjectField`/`DynamicObjectField` over
/// `BoundsCheck::StaticOffset` when possible, as that approach allows the
/// mid-end to deduplicate bounds checks across multiple accesses to the same
/// GC object.
#[derive(Debug)]
pub enum BoundsCheck {
    /// Check that this one access in particular is in bounds:
    ///
    /// ```ignore
    /// index + offset + access_size <= bound
    /// ```
    StaticOffset { offset: u32, access_size: u8 },

    /// Assuming the precondition `offset + access_size <= object_size`, check
    /// that this whole object is in bounds:
    ///
    /// ```ignore
    /// index + object_size <= bound
    /// ```
    #[cfg(feature = "gc")]
    StaticObjectField {
        offset: u32,
        access_size: u8,
        object_size: u32,
    },

    /// Like `StaticObjectField` but with dynamic offset and object size.
    ///
    /// It is *your* responsibility to ensure that the `offset + access_size <=
    /// object_size` precondition holds.
    #[cfg(feature = "gc")]
    DynamicObjectField {
        offset: ir::Value,
        object_size: ir::Value,
    },
}

/// Helper used to emit bounds checks (as necessary) and compute the native
/// address of a heap access.
///
/// Returns the `ir::Value` holding the native address of the heap access, or
/// `Reachability::Unreachable` if the heap access will unconditionally trap and
/// any subsequent code in this basic block is unreachable.
pub fn bounds_check_and_compute_addr(
    builder: &mut FunctionBuilder,
    env: &mut FuncEnvironment<'_>,
    heap: &HeapData,
    index: ir::Value,
    bounds_check: BoundsCheck,
    trap: ir::TrapCode,
) -> Reachability<ir::Value> {
    match bounds_check {
        BoundsCheck::StaticOffset {
            offset,
            access_size,
        } => bounds_check_field_access(builder, env, heap, index, offset, access_size, trap),

        #[cfg(feature = "gc")]
        BoundsCheck::StaticObjectField {
            offset,
            access_size,
            object_size,
        } => {
            // Assert that the precondition holds.
            let offset_and_access_size = offset.checked_add(access_size.into()).unwrap();
            assert!(offset_and_access_size <= object_size);

            // When we can, pretend that we are doing one big access of the
            // whole object all at once. This enables better GVN for repeated
            // accesses of the same object.
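            // For example (illustrative numbers only): a 4-byte field at
            // offset 8 within a 16-byte object is checked below as one
            // whole-object access with offset 0 and access size 16, i.e.
            // `index + 16 <= bound`. Every field access on the same object
            // then emits an identical check that GVN can merge, rather than a
            // distinct `index + 8 + 4 <= bound`-style check per field.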
            if let Ok(object_size) = u8::try_from(object_size) {
                let obj_ptr = match bounds_check_field_access(
                    builder,
                    env,
                    heap,
                    index,
                    0,
                    object_size,
                    trap,
                ) {
                    Reachable(v) => v,
                    u @ Unreachable => return u,
                };
                let offset = builder.ins().iconst(env.pointer_type(), i64::from(offset));
                let field_ptr = builder.ins().iadd(obj_ptr, offset);
                return Reachable(field_ptr);
            }

            // Otherwise, bounds check just this one field's access.
            bounds_check_field_access(builder, env, heap, index, offset, access_size, trap)
        }

        // Compute the index of the end of the object, bounds check that and get
        // a pointer to just after the object, and then reverse offset from that
        // to get the pointer to the field being accessed.
        #[cfg(feature = "gc")]
        BoundsCheck::DynamicObjectField {
            offset,
            object_size,
        } => {
            assert_eq!(heap.index_type(), ir::types::I32);
            assert_eq!(builder.func.dfg.value_type(index), ir::types::I32);
            assert_eq!(builder.func.dfg.value_type(offset), ir::types::I32);
            assert_eq!(builder.func.dfg.value_type(object_size), ir::types::I32);

            let index_and_object_size = builder.ins().uadd_overflow_trap(index, object_size, trap);
            let ptr_just_after_obj = match bounds_check_field_access(
                builder,
                env,
                heap,
                index_and_object_size,
                0,
                0,
                trap,
            ) {
                Reachable(v) => v,
                u @ Unreachable => return u,
            };

            let backwards_offset = builder.ins().isub(object_size, offset);
            let backwards_offset = cast_index_to_pointer_ty(
                backwards_offset,
                ir::types::I32,
                env.pointer_type(),
                false,
                &mut builder.cursor(),
                trap,
            );

            let field_ptr = builder.ins().isub(ptr_just_after_obj, backwards_offset);
            Reachable(field_ptr)
        }
    }
}

fn bounds_check_field_access(
    builder: &mut FunctionBuilder,
    env: &mut FuncEnvironment<'_>,
    heap: &HeapData,
    index: ir::Value,
    offset: u32,
    access_size: u8,
    trap: ir::TrapCode,
) -> Reachability<ir::Value> {
    let pointer_bit_width = u16::try_from(env.pointer_type().bits()).unwrap();
    let bound_gv = heap.bound;
    let orig_index = index;
    let clif_memory_traps_enabled = env.clif_memory_traps_enabled();
    let spectre_mitigations_enabled =
        env.heap_access_spectre_mitigation() && clif_memory_traps_enabled;
    let pcc = env.proof_carrying_code();

    let host_page_size_log2 = env.target_config().page_size_align_log2;
    let can_use_virtual_memory = heap
        .memory
        .can_use_virtual_memory(env.tunables(), host_page_size_log2)
        && clif_memory_traps_enabled;
    let can_elide_bounds_check = heap
        .memory
        .can_elide_bounds_check(env.tunables(), host_page_size_log2)
        && clif_memory_traps_enabled;
    let memory_guard_size = env.tunables().memory_guard_size;
    let memory_reservation = env.tunables().memory_reservation;

    let offset_and_size = offset_plus_size(offset, access_size);
    let statically_in_bounds = statically_in_bounds(&builder.func, heap, index, offset_and_size);

    let index = cast_index_to_pointer_ty(
        index,
        heap.index_type(),
        env.pointer_type(),
        heap.pcc_memory_type.is_some(),
        &mut builder.cursor(),
        trap,
    );

    let oob_behavior = if spectre_mitigations_enabled {
        OobBehavior::ConditionallyLoadFromZero {
            select_spectre_guard: true,
        }
    } else if env.load_from_zero_allowed() {
        OobBehavior::ConditionallyLoadFromZero {
            select_spectre_guard: false,
        }
    } else {
        OobBehavior::ExplicitTrap
    };

    let make_compare = |builder: &mut FunctionBuilder,
                        compare_kind: IntCC,
                        lhs: ir::Value,
                        lhs_off: Option<i64>,
                        rhs: ir::Value,
                        rhs_off: Option<i64>| {
        let result = builder.ins().icmp(compare_kind, lhs, rhs);
        if pcc {
            // Name the original value as a def of the SSA value;
            // if the value was extended, name that as well with a
            // dynamic range, overwriting the basic full-range
            // fact that we previously put on the uextend.
            builder.func.dfg.facts[orig_index] = Some(Fact::Def { value: orig_index });
            if index != orig_index {
                builder.func.dfg.facts[index] = Some(Fact::value(pointer_bit_width, orig_index));
            }

            // Create a fact on the LHS that is a "trivial symbolic
            // fact": v1 has range v1+LHS_off..=v1+LHS_off
            builder.func.dfg.facts[lhs] = Some(Fact::value_offset(
                pointer_bit_width,
                orig_index,
                lhs_off.unwrap(),
            ));
            // If the RHS is a symbolic value (v1 or gv1), we can
            // emit a Compare fact.
            if let Some(rhs) = builder.func.dfg.facts[rhs]
                .as_ref()
                .and_then(|f| f.as_symbol())
            {
                builder.func.dfg.facts[result] = Some(Fact::Compare {
                    kind: compare_kind,
                    lhs: Expr::offset(&Expr::value(orig_index), lhs_off.unwrap()).unwrap(),
                    rhs: Expr::offset(rhs, rhs_off.unwrap()).unwrap(),
                });
            }
            // Likewise, if the RHS is a constant, we can emit a
            // Compare fact.
            if let Some(k) = builder.func.dfg.facts[rhs]
                .as_ref()
                .and_then(|f| f.as_const(pointer_bit_width))
            {
                builder.func.dfg.facts[result] = Some(Fact::Compare {
                    kind: compare_kind,
                    lhs: Expr::offset(&Expr::value(orig_index), lhs_off.unwrap()).unwrap(),
                    rhs: Expr::constant((k as i64).checked_add(rhs_off.unwrap()).unwrap()),
                });
            }
        }
        result
    };

    // We need to emit code that will trap (or compute an address that will trap
    // when accessed) if
    //
    //     index + offset + access_size > bound
    //
    // or if the `index + offset + access_size` addition overflows.
    //
    // Note that we ultimately want a 64-bit integer (we only target 64-bit
    // architectures at the moment) and that `offset` is a `u32` and
    // `access_size` is a `u8`. This means that we can add the latter together
    // as `u64`s without fear of overflow, and we only have to be concerned with
    // whether adding in `index` will overflow.
    //
    // Finally, the following if/else chains do have a little
    // bit of duplicated code across them, but I think writing it this way is
    // worth it for readability and seeing very clearly each of our cases for
    // different bounds checks and optimizations of those bounds checks. It is
    // intentionally written in a straightforward case-matching style that will
    // hopefully make it easy to port to ISLE one day.
    if offset_and_size > heap.memory.maximum_byte_size().unwrap_or(u64::MAX) {
        // Special case: trap immediately if `offset + access_size >
        // max_memory_size`, since we will end up being out-of-bounds regardless
        // of the given `index`.
        env.before_unconditionally_trapping_memory_access(builder);
        env.trap(builder, trap);
        return Unreachable;
    }

    // Special case: if this is a 32-bit platform and the `offset_and_size`
    // overflows the 32-bit address space then there's no hope of this ever
    // being in-bounds. We can't represent `offset_and_size` in CLIF as the
    // native pointer type anyway, so this is an unconditional trap.
    if pointer_bit_width < 64 && offset_and_size >= (1 << pointer_bit_width) {
        env.before_unconditionally_trapping_memory_access(builder);
        env.trap(builder, trap);
        return Unreachable;
    }

    // Special case for when we can completely omit explicit
    // bounds checks for 32-bit memories.
    //
    // First, let's rewrite our comparison to move all of the constants
    // to one side:
    //
    //         index + offset + access_size > bound
    //     ==> index                        > bound - (offset + access_size)
    //
    // We know the subtraction on the right-hand side won't wrap because
    // we didn't hit the unconditional trap case above.
    //
    // Additionally, we add our guard pages (if any) to the right-hand
    // side, since we can rely on the virtual memory subsystem at runtime
    // to catch out-of-bound accesses within the range `bound .. bound +
    // guard_size`. So now we are dealing with
    //
    //     index > bound + guard_size - (offset + access_size)
    //
    // Note that `bound + guard_size` cannot overflow for
    // correctly-configured heaps, as otherwise the heap wouldn't fit in
    // a 64-bit memory space.
    //
    // The complement of our should-this-trap comparison expression is
    // the should-this-not-trap comparison expression:
    //
    //     index <= bound + guard_size - (offset + access_size)
    //
    // If we know the right-hand side is greater than or equal to
    // `u32::MAX`, then
    //
    //     index <= u32::MAX <= bound + guard_size - (offset + access_size)
    //
    // This expression is always true when the heap is indexed with
    // 32-bit integers because `index` cannot be larger than
    // `u32::MAX`. This means that `index` is always either in bounds or
    // within the guard page region, neither of which require emitting an
    // explicit bounds check.
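    // As a concrete (illustrative) instance: assuming a configuration with
    // `memory_reservation = 4 GiB` and `memory_guard_size = 32 MiB` (these
    // exact values are assumptions, not requirements), the condition below
    // reduces to `offset + access_size <= 32 MiB + 1`, so effectively every
    // ordinary load and store of a 32-bit-indexed memory skips its explicit
    // bounds check entirely.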
    if can_elide_bounds_check
        && u64::from(u32::MAX) <= memory_reservation + memory_guard_size - offset_and_size
    {
        assert!(heap.index_type() == ir::types::I32);
        assert!(
            can_use_virtual_memory,
            "static memories require the ability to use virtual memory"
        );
        return Reachable(compute_addr(
            &mut builder.cursor(),
            heap,
            env.pointer_type(),
            index,
            offset,
            AddrPcc::static32(heap.pcc_memory_type, memory_reservation + memory_guard_size),
        ));
    }

    // Special case when the `index` is a constant and statically known to be
    // in-bounds on this memory, no bounds checks necessary.
    if statically_in_bounds {
        return Reachable(compute_addr(
            &mut builder.cursor(),
            heap,
            env.pointer_type(),
            index,
            offset,
            AddrPcc::static32(heap.pcc_memory_type, memory_reservation + memory_guard_size),
        ));
    }

    // Special case for when we can rely on virtual memory, the minimum
    // byte size of this memory fits within the memory reservation, and
    // memory isn't allowed to move. In this situation we know that
    // memory will statically not grow beyond `memory_reservation`, and
    // we know that memory from 0 to that limit is guaranteed to be
    // valid or trap. Here we effectively assume that the dynamic size
    // of linear memory is its maximal value, `memory_reservation`, and
    // we can avoid loading the actual length of memory.
    //
    // We have to explicitly test whether
    //
    //     index > bound - (offset + access_size)
    //
    // and trap if so.
    //
    // Since we have to emit explicit bounds checks, we might as well be
    // precise, not rely on the virtual memory subsystem at all, and not
    // factor in the guard pages here.
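    // For example (illustrative): with `memory_reservation = 4 GiB` (an
    // assumed configuration) and an 8-byte access at offset 0, the code below
    // compares `index` against the constant `4 GiB - 8` and traps when the
    // index exceeds it, without ever loading the current length of memory.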
    if can_use_virtual_memory
        && heap.memory.minimum_byte_size().unwrap_or(u64::MAX) <= memory_reservation
        && !heap.memory.memory_may_move(env.tunables())
    {
        let adjusted_bound = memory_reservation.checked_sub(offset_and_size).unwrap();
        let adjusted_bound_value = builder
            .ins()
            .iconst(env.pointer_type(), adjusted_bound as i64);
        if pcc {
            builder.func.dfg.facts[adjusted_bound_value] =
                Some(Fact::constant(pointer_bit_width, adjusted_bound));
        }
        let oob = make_compare(
            builder,
            IntCC::UnsignedGreaterThan,
            index,
            Some(0),
            adjusted_bound_value,
            Some(0),
        );
        return Reachable(explicit_check_oob_condition_and_compute_addr(
            env,
            builder,
            heap,
            index,
            offset,
            access_size,
            oob_behavior,
            AddrPcc::static32(heap.pcc_memory_type, memory_reservation),
            oob,
            trap,
        ));
    }

    // Special case for when `offset + access_size == 1`:
    //
    //         index + 1 > bound
    //     ==> index     >= bound
    //
    // Note that this special case is skipped for Pulley targets to assist with
    // pattern-matching bounds checks into single instructions. Otherwise more
    // patterns/instructions would have to be added to match this. In the end
    // the goal is to emit one instruction anyway, so this optimization is
    // largely only applicable for native platforms.
    if offset_and_size == 1 && !env.is_pulley() {
        let bound = get_dynamic_heap_bound(builder, env, heap);
        let oob = make_compare(
            builder,
            IntCC::UnsignedGreaterThanOrEqual,
            index,
            Some(0),
            bound,
            Some(0),
        );
        return Reachable(explicit_check_oob_condition_and_compute_addr(
            env,
            builder,
            heap,
            index,
            offset,
            access_size,
            oob_behavior,
            AddrPcc::dynamic(heap.pcc_memory_type, bound_gv),
            oob,
            trap,
        ));
    }

    // Special case for when we know that there are enough guard
    // pages to cover the offset and access size.
    //
    // The precise should-we-trap condition is
    //
    //     index + offset + access_size > bound
    //
    // However, if we instead check only the partial condition
    //
    //     index > bound
    //
    // then the most out of bounds that the access can be, while that
    // partial check still succeeds, is `offset + access_size`.
    //
    // However, when we have a guard region that is at least as large as
    // `offset + access_size`, we can rely on the virtual memory
    // subsystem handling these out-of-bounds errors at
    // runtime. Therefore, the partial `index > bound` check is
    // sufficient for this heap configuration.
    //
    // Additionally, this has the advantage that a series of Wasm loads
    // that use the same dynamic index operand but different static
    // offset immediates -- which is a common code pattern when accessing
    // multiple fields in the same struct that is in linear memory --
    // will all emit the same `index > bound` check, which we can GVN.
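    // For example (illustrative): two loads of fields at offsets 0 and 8 off
    // the same dynamic index, with a guard region of at least 16 bytes, both
    // reduce to the identical `icmp ugt index, bound` emitted below, so GVN
    // can collapse the two checks into one.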
    if can_use_virtual_memory && offset_and_size <= memory_guard_size {
        let bound = get_dynamic_heap_bound(builder, env, heap);
        let oob = make_compare(
            builder,
            IntCC::UnsignedGreaterThan,
            index,
            Some(0),
            bound,
            Some(0),
        );
        return Reachable(explicit_check_oob_condition_and_compute_addr(
            env,
            builder,
            heap,
            index,
            offset,
            access_size,
            oob_behavior,
            AddrPcc::dynamic(heap.pcc_memory_type, bound_gv),
            oob,
            trap,
        ));
    }

    // Special case for when `offset + access_size <= min_size`.
    //
    // We know that `bound >= min_size`, so we can do the following
    // comparison, without fear of the right-hand side wrapping around:
    //
    //         index + offset + access_size > bound
    //     ==> index                        > bound - (offset + access_size)
    if offset_and_size <= heap.memory.minimum_byte_size().unwrap_or(u64::MAX) {
        let bound = get_dynamic_heap_bound(builder, env, heap);
        let adjustment = offset_and_size as i64;
        let adjustment_value = builder.ins().iconst(env.pointer_type(), adjustment);
        if pcc {
            builder.func.dfg.facts[adjustment_value] =
                Some(Fact::constant(pointer_bit_width, offset_and_size));
        }
        let adjusted_bound = builder.ins().isub(bound, adjustment_value);
        if pcc {
            builder.func.dfg.facts[adjusted_bound] = Some(Fact::global_value_offset(
                pointer_bit_width,
                bound_gv,
                -adjustment,
            ));
        }
        let oob = make_compare(
            builder,
            IntCC::UnsignedGreaterThan,
            index,
            Some(0),
            adjusted_bound,
            Some(adjustment),
        );
        return Reachable(explicit_check_oob_condition_and_compute_addr(
            env,
            builder,
            heap,
            index,
            offset,
            access_size,
            oob_behavior,
            AddrPcc::dynamic(heap.pcc_memory_type, bound_gv),
            oob,
            trap,
        ));
    }

    // General case for dynamic bounds checks:
    //
    //     index + offset + access_size > bound
    //
    // And we have to handle the overflow case in the left-hand side.
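    // For example (illustrative): with `offset_and_size = 16`, an `index` of
    // `u64::MAX - 8` would wrap around in a plain `iadd` and could then pass
    // the comparison below, so `uadd_overflow_trap` is used instead to trap on
    // the overflow.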
    let access_size_val = builder
        .ins()
        // Explicit cast from u64 to i64: we just want the raw
        // bits, and iconst takes an `Imm64`.
        .iconst(env.pointer_type(), offset_and_size as i64);
    if pcc {
        builder.func.dfg.facts[access_size_val] =
            Some(Fact::constant(pointer_bit_width, offset_and_size));
    }
    let adjusted_index = env.uadd_overflow_trap(builder, index, access_size_val, trap);
    if pcc {
        builder.func.dfg.facts[adjusted_index] = Some(Fact::value_offset(
            pointer_bit_width,
            index,
            i64::try_from(offset_and_size).unwrap(),
        ));
    }
    let bound = get_dynamic_heap_bound(builder, env, heap);
    let oob = make_compare(
        builder,
        IntCC::UnsignedGreaterThan,
        adjusted_index,
        i64::try_from(offset_and_size).ok(),
        bound,
        Some(0),
    );
    Reachable(explicit_check_oob_condition_and_compute_addr(
        env,
        builder,
        heap,
        index,
        offset,
        access_size,
        oob_behavior,
        AddrPcc::dynamic(heap.pcc_memory_type, bound_gv),
        oob,
        trap,
    ))
}

/// Get the bound of a dynamic heap as an `ir::Value`.
fn get_dynamic_heap_bound(
    builder: &mut FunctionBuilder,
    env: &mut FuncEnvironment<'_>,
    heap: &HeapData,
) -> ir::Value {
    let enable_pcc = heap.pcc_memory_type.is_some();

    let (value, gv) = match heap.memory.static_heap_size() {
        // The heap has a constant size, no need to actually load the
        // bound. TODO: this is currently disabled for PCC because we
        // can't easily prove that the GV load indeed results in a
        // constant (that information is lost in the CLIF). We'll want
        // to create an `iconst` GV expression kind to reify this fact
        // in the GV, then re-enable this opt. (Or, alternately,
        // compile such memories with a static-bound memtype and
        // facts.)
        Some(max_size) if !enable_pcc => (
            builder.ins().iconst(env.pointer_type(), max_size as i64),
            heap.bound,
        ),

        // Load the heap bound from its global variable.
        _ => (
            builder.ins().global_value(env.pointer_type(), heap.bound),
            heap.bound,
        ),
    };

    // If proof-carrying code is enabled, apply a fact to the range to
    // tie it to the GV.
    if enable_pcc {
        builder.func.dfg.facts[value] = Some(Fact::global_value(
            u16::try_from(env.pointer_type().bits()).unwrap(),
            gv,
        ));
    }

    value
}

fn cast_index_to_pointer_ty(
    index: ir::Value,
    index_ty: ir::Type,
    pointer_ty: ir::Type,
    pcc: bool,
    pos: &mut FuncCursor,
    trap: ir::TrapCode,
) -> ir::Value {
    if index_ty == pointer_ty {
        return index;
    }

    // If the index size is larger than the pointer, that means that this is a
    // 32-bit host platform with a 64-bit wasm linear memory. If the index
    // doesn't fit in 32 bits then it's guaranteed to be out-of-bounds,
    // otherwise we `ireduce` the index.
    //
    // Also note that at this time this branch doesn't support pcc nor the
    // value-label-ranges of the below path.
    //
    // Finally, note that the returned `low_bits` here are still subject to an
    // explicit bounds check in wasm, so Spectre speculation on either side of
    // the `trapnz` should be ok.
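    // For example (illustrative): on a 32-bit host running a memory64 module,
    // an index of 0x1_0000_0004 has non-zero high bits (`high_bits = 1`), so
    // the `trapnz` below traps; an index of 0x1000 reduces to the 32-bit value
    // 0x1000 and proceeds to the normal bounds check.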
    if index_ty.bits() > pointer_ty.bits() {
        assert_eq!(index_ty, ir::types::I64);
        assert_eq!(pointer_ty, ir::types::I32);
        let low_bits = pos.ins().ireduce(pointer_ty, index);
        let c32 = pos.ins().iconst(pointer_ty, 32);
        let high_bits = pos.ins().ushr(index, c32);
        let high_bits = pos.ins().ireduce(pointer_ty, high_bits);
        pos.ins().trapnz(high_bits, trap);
        return low_bits;
    }

    // Convert `index` to `addr_ty`.
    let extended_index = pos.ins().uextend(pointer_ty, index);

    // Add a range fact on the extended value.
    if pcc {
        pos.func.dfg.facts[extended_index] = Some(Fact::max_range_for_width_extended(
            u16::try_from(index_ty.bits()).unwrap(),
            u16::try_from(pointer_ty.bits()).unwrap(),
        ));
    }

    // Add a debug value-label alias so that debuginfo can name the extended
    // value as the address.
    let loc = pos.srcloc();
    let loc = RelSourceLoc::from_base_offset(pos.func.params.base_srcloc(), loc);
    pos.func
        .stencil
        .dfg
        .add_value_label_alias(extended_index, loc, index);

    extended_index
}

/// Which facts do we want to emit for proof-carrying code, if any, on
/// address computations?
#[derive(Clone, Copy, Debug)]
enum AddrPcc {
    /// A 32-bit static memory with the given size.
    Static32(ir::MemoryType, u64),
    /// Dynamic bounds-check, with actual memory size (the `GlobalValue`)
    /// expressed symbolically.
    Dynamic(ir::MemoryType, ir::GlobalValue),
}
impl AddrPcc {
    fn static32(memory_type: Option<ir::MemoryType>, size: u64) -> Option<Self> {
        memory_type.map(|ty| AddrPcc::Static32(ty, size))
    }
    fn dynamic(memory_type: Option<ir::MemoryType>, bound: ir::GlobalValue) -> Option<Self> {
        memory_type.map(|ty| AddrPcc::Dynamic(ty, bound))
    }
}

/// What to do on out-of-bounds for the
/// `explicit_check_oob_condition_and_compute_addr` function below.
enum OobBehavior {
    /// An explicit `trapnz` instruction should be used.
    ExplicitTrap,
    /// A load from NULL should be issued if the address is out-of-bounds.
    ConditionallyLoadFromZero {
        /// Whether or not to use `select_spectre_guard` to choose the address
        /// to load from. If `false` then a normal `select` is used.
        select_spectre_guard: bool,
    },
}

/// Emit explicit checks on the given out-of-bounds condition for the Wasm
/// address and return the native address.
///
/// This function deduplicates explicit bounds checks and Spectre mitigations
/// that inherently also implement bounds checking.
fn explicit_check_oob_condition_and_compute_addr(
    env: &mut FuncEnvironment<'_>,
    builder: &mut FunctionBuilder,
    heap: &HeapData,
    index: ir::Value,
    offset: u32,
    access_size: u8,
    oob_behavior: OobBehavior,
    // Whether we're emitting PCC facts.
    pcc: Option<AddrPcc>,
    // The `i8` boolean value that is non-zero when the heap access is out of
    // bounds (and therefore we should trap) and is zero when the heap access is
    // in bounds (and therefore we can proceed).
    oob_condition: ir::Value,
    trap: ir::TrapCode,
) -> ir::Value {
    if let OobBehavior::ExplicitTrap = oob_behavior {
        env.trapnz(builder, oob_condition, trap);
    }
    let addr_ty = env.pointer_type();

    let mut addr = compute_addr(&mut builder.cursor(), heap, addr_ty, index, offset, pcc);

    if let OobBehavior::ConditionallyLoadFromZero {
        select_spectre_guard,
    } = oob_behavior
    {
        // These mitigations rely on trapping when loading from NULL so
        // CLIF memory instruction traps must be allowed for this to be
        // generated.
        assert!(env.load_from_zero_allowed());
        let null = builder.ins().iconst(addr_ty, 0);
        addr = if select_spectre_guard {
            builder
                .ins()
                .select_spectre_guard(oob_condition, null, addr)
        } else {
            builder.ins().select(oob_condition, null, addr)
        };

        match pcc {
            None => {}
            Some(AddrPcc::Static32(ty, size)) => {
                builder.func.dfg.facts[null] =
                    Some(Fact::constant(u16::try_from(addr_ty.bits()).unwrap(), 0));
                builder.func.dfg.facts[addr] = Some(Fact::Mem {
                    ty,
                    min_offset: 0,
                    max_offset: size.checked_sub(u64::from(access_size)).unwrap(),
                    nullable: true,
                });
            }
            Some(AddrPcc::Dynamic(ty, gv)) => {
                builder.func.dfg.facts[null] =
                    Some(Fact::constant(u16::try_from(addr_ty.bits()).unwrap(), 0));
                builder.func.dfg.facts[addr] = Some(Fact::DynamicMem {
                    ty,
                    min: Expr::constant(0),
                    max: Expr::offset(
                        &Expr::global_value(gv),
                        i64::try_from(env.tunables().memory_guard_size)
                            .unwrap()
                            .checked_sub(i64::from(access_size))
                            .unwrap(),
                    )
                    .unwrap(),
                    nullable: true,
                });
            }
        }
    }

    addr
}

/// Emit code for the native address computation of a Wasm address,
/// without any bounds checks or overflow checks.
///
/// It is the caller's responsibility to ensure that any necessary bounds and
/// overflow checks are emitted, and that the resulting address is never used
/// unless they succeed.
fn compute_addr(
    pos: &mut FuncCursor,
    heap: &HeapData,
    addr_ty: ir::Type,
    index: ir::Value,
    offset: u32,
    pcc: Option<AddrPcc>,
) -> ir::Value {
    debug_assert_eq!(pos.func.dfg.value_type(index), addr_ty);

    let heap_base = pos.ins().global_value(addr_ty, heap.base);

    match pcc {
        None => {}
        Some(AddrPcc::Static32(ty, _size)) => {
            pos.func.dfg.facts[heap_base] = Some(Fact::Mem {
                ty,
                min_offset: 0,
                max_offset: 0,
                nullable: false,
            });
        }
        Some(AddrPcc::Dynamic(ty, _limit)) => {
            pos.func.dfg.facts[heap_base] = Some(Fact::dynamic_base_ptr(ty));
        }
    }

    let base_and_index = pos.ins().iadd(heap_base, index);

    match pcc {
        None => {}
        Some(AddrPcc::Static32(ty, _) | AddrPcc::Dynamic(ty, _)) => {
            if let Some(idx) = pos.func.dfg.facts[index]
                .as_ref()
                .and_then(|f| f.as_symbol())
                .cloned()
            {
                pos.func.dfg.facts[base_and_index] = Some(Fact::DynamicMem {
                    ty,
                    min: idx.clone(),
                    max: idx,
                    nullable: false,
                });
            } else {
                pos.func.dfg.facts[base_and_index] = Some(Fact::Mem {
                    ty,
                    min_offset: 0,
                    max_offset: u64::from(u32::MAX),
                    nullable: false,
                });
            }
        }
    }

    if offset == 0 {
        base_and_index
    } else {
        // NB: The addition of the offset immediate must happen *before* the
        // `select_spectre_guard`, if any. If it happens after, then we
        // potentially are letting speculative execution read the whole first
        // 4GiB of memory.
        let offset_val = pos.ins().iconst(addr_ty, i64::from(offset));

        if pcc.is_some() {
            pos.func.dfg.facts[offset_val] = Some(Fact::constant(
                u16::try_from(addr_ty.bits()).unwrap(),
                u64::from(offset),
            ));
        }

        let result = pos.ins().iadd(base_and_index, offset_val);

        match pcc {
            None => {}
            Some(AddrPcc::Static32(ty, _) | AddrPcc::Dynamic(ty, _)) => {
                if let Some(idx) = pos.func.dfg.facts[index]
                    .as_ref()
                    .and_then(|f| f.as_symbol())
                {
                    pos.func.dfg.facts[result] = Some(Fact::DynamicMem {
                        ty,
                        min: idx.clone(),
                        // Safety: adding an offset to an expression with
                        // zero offset -- add cannot wrap, so `unwrap()`
                        // cannot fail.
                        max: Expr::offset(idx, i64::from(offset)).unwrap(),
                        nullable: false,
                    });
                } else {
                    pos.func.dfg.facts[result] = Some(Fact::Mem {
                        ty,
                        min_offset: u64::from(offset),
                        // Safety: can't overflow -- two u32s summed in a
                        // 64-bit add. TODO: when memory64 is supported here,
                        // `u32::MAX` is no longer true, and we'll need to
                        // handle overflow here.
                        max_offset: u64::from(u32::MAX) + u64::from(offset),
                        nullable: false,
                    });
                }
            }
        }
        result
    }
}

#[inline]
fn offset_plus_size(offset: u32, size: u8) -> u64 {
    // Cannot overflow because we are widening to `u64`.
    offset as u64 + size as u64
}

/// Returns whether `index` is statically in-bounds with respect to this
/// `heap`'s configuration.
///
/// This is `true` when `index` is a constant and, once the static offset and
/// access size are added in, the resulting address is still within the minimum
/// byte size of the heap.
///
/// The `offset_and_size` here is the static offset that was listed on the wasm
/// instruction plus the size of the access being made.
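///
/// For example (illustrative): if `index` is an `iconst 16` and the access is
/// an `i32.load` with a static offset of 8 (so `offset_and_size = 12`), then
/// on a memory whose minimum size is one 64 KiB Wasm page we have
/// `16 + 12 <= 65536`, and the access needs no dynamic bounds check at all.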
fn statically_in_bounds(
    func: &ir::Function,
    heap: &HeapData,
    index: ir::Value,
    offset_and_size: u64,
) -> bool {
    func.dfg
        .value_def(index)
        .inst()
        .and_then(|i| {
            let imm = match func.dfg.insts[i] {
                ir::InstructionData::UnaryImm {
                    opcode: ir::Opcode::Iconst,
                    imm,
                } => imm,
                _ => return None,
            };
            let ty = func.dfg.value_type(index);
            let index = imm.zero_extend_from_width(ty.bits()).bits().cast_unsigned();
            let final_addr = index.checked_add(offset_and_size)?;
            Some(final_addr <= heap.memory.minimum_byte_size().unwrap_or(u64::MAX))
        })
        .unwrap_or(false)
}