Comments (4)
SAFE_HEAP will integer overflow when checking pointers at the very end of the heap
The JS version of this looks ok, as it's on JS Numbers, so it's in 53 bits of precision:
emscripten/src/runtime_safe_heap.js, line 46 at cb0d16c
The wasm version emits stuff like this:
(func $SAFE_HEAP_LOAD_i32_1_1 (param $0 i32) (param $1 i32) (result i32)
  (local $2 i32)
  ;; $2 = base + offset; i32.add wraps modulo 2^32
  (local.set $2
    (i32.add
      (local.get $0)
      (local.get $1)
    )
  )
  (if
    (i32.or
      (i32.eq
        (local.get $2)
        (i32.const 0)
      )
      ;; ($2 + 1) >_u sbrk_ptr; this add can wrap too when $2 == 0xffffffff
      (i32.gt_u
        (i32.add
          (local.get $2)
          (i32.const 1)
        )
        (i32.load
          (call $emscripten_get_sbrk_ptr)
        )
      )
    )
    (then
      (call $segfault)
    )
  )
  (i32.load8_s
    (local.get $2)
  )
)
So that first add can indeed overflow, good catch. We need an extra check before that add, in Binaryen's SafeHeap pass.
from emscripten.
IIUC SAFE_HEAP always checks based on your MAXIMUM_MEMORY setting? Are you running into this issue in your code? If so, can you share what settings you are using for INITIAL_MEMORY and MAXIMUM_MEMORY.
Presumably another solution to this would be to treat all addresses as unsigned (e.g. by doing >>> 0 prior to the check).
from emscripten.
It looks like we already treat addresses as unsigned in CAN_ADDRESS_2GB mode:
emscripten/src/runtime_safe_heap.js, lines 28 to 30 at 0c47091
Perhaps we should just make this unconditional?
I guess that means you are not in CAN_ADDRESS_2GB mode (i.e. you didn't specify a MAX of over 2gb)?
from emscripten.
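The two overflows discussed above (the wrapping `base + offset` add in the emitted wasm, and the comparison on an unsigned value that `>>> 0` gives the JS runtime in CAN_ADDRESS_2GB mode), modelled in JavaScript as an added example. This is not emscripten's code and not the change in #21560: `i32add` models wasm's wrapping i32.add, `safeHeapLoadCheckOriginal` mirrors the emitted check, and `safeHeapLoadCheckFixed` is one illustration of an overflow-aware check (reject if the first add wrapped, then compare the end of the access as a JS Number). The function names, the 64 KiB heap size and the test addresses are constructed for this example; the sbrk value is assumed to be the first address past the heap, and the offset operand is assumed unsigned as a wasm memarg offset is.

```javascript
// Added example (not emscripten's code): model the emitted SAFE_HEAP_LOAD
// check to show where 32-bit arithmetic wraps at the very end of memory.
// Assumed: `sbrk` is the value read via emscripten_get_sbrk_ptr() (first
// address past the heap); a "segfault" is modelled as a return value.

// wasm i32.add wraps modulo 2^32; `>>> 0` keeps the result unsigned.
function i32add(a, b) {
  return (a + b) >>> 0;
}

// Model of the emitted check: ptr = base + offset (wrapping), then
// segfault if ptr == 0 or (ptr + 1) >_u sbrk. Both adds can wrap.
function safeHeapLoadCheckOriginal(base, offset, sbrk) {
  const ptr = i32add(base, offset);
  if (ptr === 0 || i32add(ptr, 1) > sbrk) {
    return 'segfault';
  }
  return 'ok';
}

// Overflow-aware variant (an illustration, not the fix emscripten shipped):
// an unsigned wrapping sum is smaller than either operand, so a wrapped
// base + offset is rejected before it is used; the end-of-access comparison
// is then done on JS Numbers, which cannot wrap at 32 bits.
// `bytes` is the access width (1 for the load8_s in the emitted function).
function safeHeapLoadCheckFixed(base, offset, bytes, sbrk) {
  base = base >>> 0;
  const ptr = i32add(base, offset);
  if (ptr < base) return 'segfault';          // base + offset wrapped past 2^32
  if (ptr === 0) return 'segfault';           // null pointer
  if (ptr + bytes > sbrk) return 'segfault';  // access runs past the heap end
  return 'ok';
}

// Constructed inputs: a 64 KiB heap and pointers at the very end of memory.
const SBRK = 0x10000;
const CASES = [
  ['in-bounds', 0x100, 0],
  ['last valid byte', SBRK - 1, 0],
  ['one past the heap', SBRK, 0],
  ['base+offset wraps to 0x10', 0xfffffff0, 0x20],
  ['ptr+1 wraps to 0', 0xffffffff, 0],
];

// Run every case through both checks for a 1-byte access.
function compareChecks(sbrk) {
  return CASES.map(([name, base, offset]) => ({
    name,
    original: safeHeapLoadCheckOriginal(base, offset, sbrk),
    fixed: safeHeapLoadCheckFixed(base, offset, 1, sbrk),
  }));
}

for (const r of compareChecks(SBRK)) {
  console.log(`${r.name.padEnd(28)} original=${r.original.padEnd(8)} fixed=${r.fixed}`);
}
```

The last two cases are the ones the thread is about: with the wrapping check an address of 0xfffffff0 plus an offset of 0x20 lands on 0x10 and reads "in bounds", and 0xffffffff passes because `ptr + 1` wraps to 0, which is never greater than sbrk.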
Can you try this fix: #21560
from emscripten.