Fix trapping and dangling insts in memory packing (#2540)

aheejin · web-flow · commit 0048f5b004dd · 2019-12-19T02:43:52.000-08:00
This does two things: - Restore `visitDataDrop` handler deleted in #2529, but now we convert invalid `data.drop`s to not `unreachable` but `nop`. This conforms to the revised spec that `data.drop` on the active segment can be treated as a nop. - Make `visitMemoryInit` trap if offset or size are not equal to 0 or if the dest address is out of bounds. Otherwise drop all its argument. Fixes #2535.
diff --git a/src/passes/MemoryPacking.cpp b/src/passes/MemoryPacking.cpp
@@ -135,10 +135,20 @@ struct MemoryPacking : public Pass {
       void visitMemoryInit(MemoryInit* curr) {
         if (!getModule()->memory.segments[curr->segment].isPassive) {
           Builder builder(*getModule());
-          replaceCurrent(builder.blockify(builder.makeDrop(curr->dest),
-                                          builder.makeDrop(curr->offset),
-                                          builder.makeDrop(curr->size),
-                                          builder.makeUnreachable()));
+          // trap if (dest > memory.size | offset | size) != 0
+          replaceCurrent(builder.makeIf(
+            builder.makeBinary(
+              OrInt32,
+              builder.makeBinary(
+                GtUInt32, curr->dest, builder.makeHost(MemorySize, Name(), {})),
+              builder.makeBinary(OrInt32, curr->offset, curr->size)),
+            builder.makeUnreachable()));
+          changed = true;
+        }
+      }
+      void visitDataDrop(DataDrop* curr) {
+        if (!getModule()->memory.segments[curr->segment].isPassive) {
+          ExpressionManipulator::nop(curr);
           changed = true;
         }
       }
diff --git a/test/passes/memory-packing_all-features.txt b/test/passes/memory-packing_all-features.txt
@@ -22,15 +22,26 @@
  (type $none_=>_none (func))
  (memory $0 1 1)
  (func $foo (; 0 ;)
-  (drop
-   (i32.const 0)
-  )
-  (drop
-   (i32.const 0)
+  (if
+   (i32.or
+    (i32.gt_u
+     (i32.const 0)
+     (memory.size)
+    )
+    (i32.or
+     (i32.const 0)
+     (i32.const 0)
+    )
+   )
+   (unreachable)
   )
+ )
+ (func $bar (; 1 ;)
   (drop
-   (i32.const 0)
+   (loop $loop-in (result i32)
+    (nop)
+    (i32.const 42)
+   )
   )
-  (unreachable)
  )
 )
diff --git a/test/passes/memory-packing_all-features.wast b/test/passes/memory-packing_all-features.wast
@@ -27,4 +27,12 @@
    (i32.const 0)
   )
  )
+ (func $bar
+  (drop
+   (loop (result i32)
+    (data.drop 0)
+    (i32.const 42)
+   )
+  )
+ )
 )

Original file line number	Diff line number	Diff line change
`@@ -27,4 +27,12 @@`
`27`	`27`	`(i32.const 0)`
`28`	`28`	`)`
`29`	`29`	`)`
	`30`	`+ (func $bar`
	`31`	`+ (drop`
	`32`	`+ (loop (result i32)`
	`33`	`+ (data.drop 0)`
	`34`	`+ (i32.const 42)`
	`35`	`+ )`
	`36`	`+ )`
	`37`	`+ )`
`30`	`38`	`)`