Closed jezell closed 1 week ago
IIUC SAFE_HEAP
always check based on your MAXIMUM_MEMORY
setting? Are you running into this issue in your code? If so can you share what setting you using for INITIAL_MEMORY
and MAXIMUM_MEMORY
.
Presumably another solution to this would be use treat all address as unsigned (e.g. by doing >>> 0
prior to the check).
It looks like we already treat address as unsigned in CAN_ADDRESS_2GB
mode:
Perhaps we should just make this unconditional?
I guess that means you are not in CAN_ADDRESS_2GB
mode (i.e. you didn't specify a MAX or over 2gb)?
Can you try this fix: https://github.com/emscripten-core/emscripten/pull/21560
SAFE_HEAP will integer overflow when checking pointers at the very end of the heap
The JS version of this looks ok, as it's on JS Numbers, so it's in 53 bits of precision:
The wasm version emits stuff like this:
(func $SAFE_HEAP_LOAD_i32_1_1 (param $0 i32) (param $1 i32) (result i32)
(local $2 i32)
(local.set $2
(i32.add
(local.get $0)
(local.get $1)
)
)
(if
(i32.or
(i32.eq
(local.get $2)
(i32.const 0)
)
(i32.gt_u
(i32.add
(local.get $2)
(i32.const 1)
)
(i32.load
(call $emscripten_get_sbrk_ptr)
)
)
)
(then
(call $segfault)
)
)
(i32.load8_s
(local.get $2)
)
)
So that first add can indeed overflow, good catch. We need an extra check before that add, in Binaryen's SafeHeap pass.
When allow memory growth and SAFE_HEAP are enabled, SAFE_HEAP will integer overflow when checking pointers at the very end of the heap causing all checks at the end of the heap to improperly fail due to seeing a negative number in the comparison.