Add jit support for x64 load and store index out of bounds

Out of bound memory access in Wasm traps. Code to insert relevant checks
and error is added in the interpreter and jit.

Wasm provides an offset + index addressing mode for memory accesses. We
represent this using an int64 to address problems with wrapping due to
overflow.

Also new opcode LdArrViewElemWasm is added specially for wasm since we
cannot use LdArrViewElem of AsmJs which is side-effect free.

Author: Meghana Gupta

lib/Backend/IRBuilderAsmJs.cpp

@@ -1426,7 +1426,8 @@ IRBuilderAsmJs::BuildAsmTypedArr(Js::OpCodeAsmJs newOpcode, uint32 offset, uint3
 {
     IRType type = TyInt32;
     bool isLd = newOpcode == Js::OpCodeAsmJs::LdArr || newOpcode == Js::OpCodeAsmJs::LdArrWasm || newOpcode == Js::OpCodeAsmJs::LdArrConst;
-    Js::OpCode op = isLd ? Js::OpCode::LdArrViewElem : Js::OpCode::StArrViewElem;
+    Js::OpCode op = isLd ? (this->m_func->GetJITFunctionBody()->IsWasmFunction() ?
+        Js::OpCode::LdArrViewElemWasm : Js::OpCode::LdArrViewElem) : Js::OpCode::StArrViewElem;
     ValueType arrayType;
     WAsmJs::Types valueRegType = WAsmJs::INT32;
 
@@ -1494,7 +1495,7 @@ IRBuilderAsmJs::BuildAsmTypedArr(Js::OpCodeAsmJs newOpcode, uint32 offset, uint3
     IR::IndirOpnd * indirOpnd = nullptr;
 
     // Get the index
-    if (newOpcode == Js::OpCodeAsmJs::LdArr || newOpcode == Js::OpCodeAsmJs::StArr || newOpcode == Js::OpCodeAsmJs::LdArrWasm || newOpcode == Js::OpCodeAsmJs::StArrWasm)
+    if (newOpcode == Js::OpCodeAsmJs::LdArr || newOpcode == Js::OpCodeAsmJs::StArr)
     {
         uint32 mask = Js::ArrayBufferView::ViewMask[viewType];
         Js::RegSlot indexRegSlot = GetRegSlotFromIntReg(slotIndex);
@@ -1512,6 +1513,13 @@ IRBuilderAsmJs::BuildAsmTypedArr(Js::OpCodeAsmJs newOpcode, uint32 offset, uint3
         indirOpnd = IR::IndirOpnd::New(BuildSrcOpnd(AsmJsRegSlots::BufferReg, TyVar), maskedOpnd, type, m_func);
         indirOpnd->GetBaseOpnd()->SetValueType(arrayType);
     }
+    else if (newOpcode == Js::OpCodeAsmJs::LdArrWasm || newOpcode == Js::OpCodeAsmJs::StArrWasm)
+    {
+        Js::RegSlot indexRegSlot = GetRegSlotFromInt64Reg(slotIndex);
+        IR::RegOpnd * maskedOpnd = BuildSrcOpnd(indexRegSlot, TyUint64);
+        indirOpnd = IR::IndirOpnd::New(BuildSrcOpnd(AsmJsRegSlots::BufferReg, TyVar), maskedOpnd, type, m_func);
+        indirOpnd->GetBaseOpnd()->SetValueType(arrayType);
+    }
     else
     {
         Assert(newOpcode == Js::OpCodeAsmJs::LdArrConst || newOpcode == Js::OpCodeAsmJs::StArrConst);
@@ -1552,6 +1560,11 @@ IRBuilderAsmJs::BuildAsmTypedArr(Js::OpCodeAsmJs newOpcode, uint32 offset, uint3
 
 #if _M_IX86 || !_WIN32
     instr->SetSrc2(BuildSrcOpnd(AsmJsRegSlots::LengthReg, TyUint32));
+#else
+    if (this->m_func->GetJITFunctionBody()->IsWasmFunction())
+    {
+        instr->SetSrc2(BuildSrcOpnd(AsmJsRegSlots::LengthReg, TyUint32));
+    }
 #endif
     AddInstr(instr, offset);
 }
@@ -3108,11 +3121,11 @@ IRBuilderAsmJs::BuildLong1Int1(Js::OpCodeAsmJs newOpcode, uint32 offset, Js::Reg
     IR::RegOpnd * srcOpnd = nullptr;
     switch (newOpcode)
     {
-    case Js::OpCodeAsmJs::Conv_ITD:
+    case Js::OpCodeAsmJs::Conv_ITL:
         srcOpnd = BuildSrcOpnd(srcRegSlot, TyInt32);
         break;
 
-    case Js::OpCodeAsmJs::Conv_UTD:
+    case Js::OpCodeAsmJs::Conv_UTL:
         srcOpnd = BuildSrcOpnd(srcRegSlot, TyUint32);
         break;
 

lib/Backend/Lower.cpp

@@ -1559,6 +1559,10 @@ Lowerer::LowerRange(IR::Instr *instrStart, IR::Instr *instrEnd, bool defaultDoFa
             instrPrev = LowerStArrViewElem(instr);
             break;
 
+        case Js::OpCode::LdArrViewElemWasm:
+            instrPrev = LowerLdArrViewElemWasm(instr);
+            break;
+
         case Js::OpCode::Memset:
         case Js::OpCode::Memcopy:
         {
@@ -1914,6 +1918,21 @@ Lowerer::LowerRange(IR::Instr *instrStart, IR::Instr *instrEnd, bool defaultDoFa
                     m_lowererMD.EmitFloat32ToFloat64(instr->GetDst(), instr->GetSrc1(), instr);
                 }
             }
+            else if (instr->GetDst()->IsInt64())
+            {
+                if (instr->GetSrc1()->IsInt32())
+                {
+                    m_lowererMD.EmitIntToLong(instr->GetDst(), instr->GetSrc1(), instr);
+                }
+                else if (instr->GetSrc1()->IsUInt32())
+                {
+                    m_lowererMD.EmitUIntToLong(instr->GetDst(), instr->GetSrc1(), instr);
+                }
+                else
+                {
+                    Assert(0);
+                }
+            }
             else
             {
                 Assert(instr->GetDst()->IsInt32());
@@ -8870,6 +8889,44 @@ Lowerer::LowerLdArrViewElem(IR::Instr * instr)
 #endif
 }
 
+IR::Instr *
+Lowerer::LowerLdArrViewElemWasm(IR::Instr * instr)
+{
+#ifdef ASMJS_PLAT
+    Assert(m_func->GetJITFunctionBody()->IsWasmFunction());
+    Assert(instr);
+    Assert(instr->m_opcode == Js::OpCode::LdArrViewElemWasm);
+
+    IR::Instr * instrPrev = instr->m_prev;
+
+    IR::Opnd * dst = instr->GetDst();
+    IR::Opnd * src1 = instr->GetSrc1();
+
+    IR::Instr * done;
+
+    Assert(!dst->IsFloat32() || src1->IsFloat32());
+    Assert(!dst->IsFloat64() || src1->IsFloat64());
+    done = m_lowererMD.LowerWasmMemOp(instr, src1);
+
+    if (dst->IsInt64())
+    {
+        IR::Instr* movInt64 = IR::Instr::New(Js::OpCode::Ld_I4, dst, src1, m_func);
+        done->InsertBefore(movInt64);
+        m_lowererMD.LowerInt64Assign(movInt64);
+    }
+    else
+    {
+        InsertMove(dst, src1, done);
+    }
+
+    instr->Remove();
+    return instrPrev;
+#else
+    Assert(UNREACHED);
+    return instr;
+#endif
+}
+
 IR::Instr *
 Lowerer::LowerMemset(IR::Instr * instr, IR::RegOpnd * helperRet)
 {
@@ -9045,7 +9102,12 @@ Lowerer::LowerStArrViewElem(IR::Instr * instr)
     Assert(!dst->IsInt64() || src1->IsInt64());
 
     IR::Instr * done;
-    if (indexOpnd || m_func->GetJITFunctionBody()->GetAsmJsInfo()->AccessNeedsBoundCheck((uint32)dst->AsIndirOpnd()->GetOffset()))
+
+    if (m_func->GetJITFunctionBody()->IsWasmFunction())
+    {
+        done = m_lowererMD.LowerWasmMemOp(instr, dst);
+    }
+    else if (indexOpnd || m_func->GetJITFunctionBody()->GetAsmJsInfo()->AccessNeedsBoundCheck((uint32)dst->AsIndirOpnd()->GetOffset()))
     {
         // CMP indexOpnd, src2(arrSize)
         // JA $helper
@@ -9055,7 +9117,6 @@ Lowerer::LowerStArrViewElem(IR::Instr * instr)
         // $store:
         // MOV dst([arrayBuffer + indexOpnd]), src1
         // $done:
-
         done = m_lowererMD.LowerAsmJsStElemHelper(instr);
     }
     else

lib/Backend/Lower.h

@@ -174,6 +174,7 @@ class Lowerer
 
     IR::Instr *     LowerLdArrViewElem(IR::Instr * instr);
     IR::Instr *     LowerStArrViewElem(IR::Instr * instr);
+    IR::Instr *     LowerLdArrViewElemWasm(IR::Instr * instr);
     IR::Instr *     LowerArrayDetachedCheck(IR::Instr * instr);
     IR::Instr *     LowerDeleteElemI(IR::Instr *instr, bool strictMode);
     IR::Instr *     LowerStElemC(IR::Instr *instr);

lib/Backend/LowerMDShared.cpp

@@ -267,6 +267,12 @@ LowererMD::LowerAsmJsCallE(IR::Instr * callInstr)
     return this->lowererMDArch.LowerAsmJsCallE(callInstr);
 }
 
+IR::Instr *
+LowererMD::LowerWasmMemOp(IR::Instr * instr, IR::Opnd *addrOpnd)
+{
+    return this->lowererMDArch.LowerWasmMemOp(instr, addrOpnd);
+}
+
 IR::Instr *
 LowererMD::LowerAsmJsLdElemHelper(IR::Instr * callInstr)
 {
@@ -7899,6 +7905,18 @@ LowererMD::EmitUIntToFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert)
     this->lowererMDArch.EmitUIntToFloat(dst, src, instrInsert);
 }
 
+void
+LowererMD::EmitIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert)
+{
+    this->lowererMDArch.EmitIntToLong(dst, src, instrInsert);
+}
+
+void
+LowererMD::EmitUIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert)
+{
+    this->lowererMDArch.EmitUIntToLong(dst, src, instrInsert);
+}
+
 void
 LowererMD::EmitFloat32ToFloat64(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert)
 {

lib/Backend/LowerMDShared.h

@@ -104,6 +104,7 @@ class LowererMD
             IR::Instr *     LoadFunctionObjectOpnd(IR::Instr *instr, IR::Opnd *&functionObjOpnd);
             IR::Instr *     LowerLdSuper(IR::Instr *instr, IR::JnHelperMethod helperOpCode);
             IR::Instr *     LowerNewScObject(IR::Instr *newObjInstr);
+            IR::Instr *     LowerWasmMemOp(IR::Instr *instr, IR::Opnd *addrOpnd);
             void            ForceDstToReg(IR::Instr *instr);
 
 public:
@@ -208,6 +209,8 @@ class LowererMD
             bool            EmitLoadInt32(IR::Instr *instr, bool conversionFromObjectAllowed);
             void            EmitIntToFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
             void            EmitUIntToFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
+            void            EmitIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
+            void            EmitUIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
             void            EmitFloatToInt(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
             void            EmitFloat32ToFloat64(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
             static IR::Instr *InsertConvertFloat64ToInt32(const RoundMode roundMode, IR::Opnd *const dst, IR::Opnd *const src, IR::Instr *const insertBeforeInstr);

lib/Backend/amd64/LowererMDArch.cpp

@@ -1117,6 +1117,30 @@ LowererMDArch::LowerAsmJsCallI(IR::Instr * callInstr)
     return ret;
 }
 
+IR::Instr *
+LowererMDArch::LowerWasmMemOp(IR::Instr * instr, IR::Opnd *addrOpnd)
+{
+    Assert(instr->GetSrc2());
+
+    IR::LabelInstr * helperLabel = Lowerer::InsertLabel(true, instr);
+    IR::LabelInstr * loadLabel = Lowerer::InsertLabel(false, instr);
+    IR::LabelInstr * doneLabel = Lowerer::InsertLabel(false, instr);
+
+    // Find array buffer length
+    IR::RegOpnd * indexOpnd = addrOpnd->AsIndirOpnd()->GetIndexOpnd();
+    IR::Opnd *arrayLenOpnd = instr->GetSrc2();
+
+    // Compare index + memop access length and array buffer length, and generate RuntimeError if greater
+    IR::Opnd *cmpOpnd = IR::RegOpnd::New(TyUint64, m_func);
+    Lowerer::InsertAdd(true, cmpOpnd, indexOpnd, IR::IntConstOpnd::New(addrOpnd->GetSize(), TyUint64, m_func), helperLabel);
+    lowererMD->m_lowerer->InsertCompareBranch(cmpOpnd, arrayLenOpnd, Js::OpCode::BrGt_A, true, helperLabel, helperLabel);
+
+    // MGTODO : call RuntimeError once implemented
+    lowererMD->m_lowerer->GenerateRuntimeError(loadLabel, JSERR_InvalidTypedArrayIndex, IR::HelperOp_RuntimeRangeError);
+    Lowerer::InsertBranch(Js::OpCode::Br, loadLabel, helperLabel);
+    return doneLabel;
+}
+
 IR::Instr*
 LowererMDArch::LowerAsmJsLdElemHelper(IR::Instr * instr, bool isSimdLoad /*= false*/, bool checkEndOffset /*= false*/)
 {
@@ -2541,6 +2565,36 @@ LowererMDArch::EmitIntToFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInse
     }
 }
 
+void
+LowererMDArch::EmitIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert)
+{
+    Assert(dst->IsRegOpnd() && dst->IsInt64());
+    Assert(src->IsInt32());
+
+    if (src->IsIntConstOpnd())
+    {
+        Lowerer::InsertMove(dst, src, instrInsert);
+        return;
+    }
+    Assert(src->IsRegOpnd());
+    instrInsert->InsertBefore(IR::Instr::New(Js::OpCode::MOVSXD, dst, src, this->m_func));
+}
+
+void
+LowererMDArch::EmitUIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert)
+{
+    Assert(dst->IsRegOpnd() && dst->IsInt64());
+    Assert(src->IsUInt32());
+
+    if (src->IsIntConstOpnd())
+    {
+        Lowerer::InsertMove(dst, src, instrInsert);
+        return;
+    }
+    Assert(src->IsRegOpnd());
+    instrInsert->InsertBefore(IR::Instr::New(Js::OpCode::MOV, dst, src, this->m_func));
+}
+
 void
 LowererMDArch::EmitUIntToFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert)
 {

lib/Backend/amd64/LowererMDArch.h

@@ -69,7 +69,7 @@ class LowererMDArch
     IR::Instr *         LowerStartCall(IR::Instr * instr);
     IR::Instr *         LowerAsmJsCallI(IR::Instr * callInstr);
     IR::Instr *         LowerAsmJsCallE(IR::Instr * callInstr);
-
+    IR::Instr *         LowerWasmMemOp(IR::Instr * instr, IR::Opnd *addrOpnd);
     IR::Instr *         LowerAsmJsLdElemHelper(IR::Instr * instr, bool isSimdLoad = false, bool checkEndOffset = false);
     IR::Instr *         LowerAsmJsStElemHelper(IR::Instr * instr, bool isSimdStore = false, bool checkEndOffset = false);
 
@@ -94,6 +94,8 @@ class LowererMDArch
     void                EmitLoadVar(IR::Instr *instrLoad, bool isFromUint32 = false, bool isHelper = false);
     void                EmitIntToFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
     void                EmitUIntToFloat(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
+    void                EmitIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
+    void                EmitUIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
     bool                EmitLoadInt32(IR::Instr *instrLoad, bool conversionFromObjectAllowed);
 
     IR::Instr *         LoadCheckedFloat(IR::RegOpnd *opndOrig, IR::RegOpnd *opndFloat, IR::LabelInstr *labelInline, IR::LabelInstr *labelHelper, IR::Instr *instrInsert, const bool checkForNullInLoopBody = false);

lib/Backend/arm/LowerMD.cpp

@@ -8842,6 +8842,18 @@ void LowererMD::ConvertFloatToInt32(IR::Opnd* intOpnd, IR::Opnd* floatOpnd, IR::
     this->CheckOverflowOnFloatToInt32(instrInsert, intOpnd, labelHelper, labelDone);
 }
 
+void
+LowererMD::EmitIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert)
+{
+    Assert(UNREACHED);
+}
+
+void
+LowererMD::EmitUIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert)
+{
+    Assert(UNREACHED);
+}
+
 void
 LowererMD::CheckOverflowOnFloatToInt32(IR::Instr* instrInsert, IR::Opnd* intOpnd, IR::LabelInstr * labelHelper, IR::LabelInstr * labelDone)
 {

lib/Backend/arm/LowerMD.h

@@ -205,6 +205,8 @@ class LowererMD
             void                EmitFloatToInt(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
             void                EmitFloat32ToFloat64(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert) { Assert(UNREACHED); }
             static IR::Instr *  InsertConvertFloat64ToInt32(const RoundMode roundMode, IR::Opnd *const dst, IR::Opnd *const src, IR::Instr *const insertBeforeInstr);
+            void                EmitIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
+            void                EmitUIntToLong(IR::Opnd *dst, IR::Opnd *src, IR::Instr *instrInsert);
             void                EmitLoadFloatFromNumber(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr);
             IR::LabelInstr*     EmitLoadFloatCommon(IR::Opnd *dst, IR::Opnd *src, IR::Instr *insertInstr, bool needHelperLabel);
             static IR::Instr *  LoadFloatZero(IR::Opnd * opndDst, IR::Instr * instrInsert);