evanw/polywasm

edge case access to detached `ArrayBuffer`

zamfofex opened this issue · 2 comments

This library will sometimes generate code that looks something like this:

c.dv.getInt32((t2 = (f[256]())), 1)

If the function f[256] happens to grow the memory, this code will be incorrect, because c.dv has already been evaluated, and will refer to the previous DataView, whose ArrayBuffer has already been (explicitly) detached in f[256].

For that particular case, a correctly‐generated code might look something like this:

(t2 = f[256](), c.dv.getInt32(t2, 1))

This way, c.dv will only be evaluated after f[256] returns.

evanw commented

Thanks for the report. I can reproduce the issue. I guess this means that this concern can be hit in practice. I'll think about what to do here.

evanw commented

I was able to fix this by preventing the inlining of all child expressions into load and store and memory_copy and memory_fill opcodes. I avoided the performance hit by making an exception for const and local_get opcodes, which can't contain a memory_grow opcode.