wasm2c: Mmap+guard on big-endian won't move memory (fix #2599)

shravanrn · shravanrn · commit f9763803413e · 2025-06-12T10:44:49.000-05:00
diff --git a/src/prebuilt/wasm2c_source_declarations.cc b/src/prebuilt/wasm2c_source_declarations.cc
@@ -31,11 +31,11 @@ R"w2c_template(// A pointer for an object of size n.
 )w2c_template"
 R"w2c_template(#if WABT_BIG_ENDIAN
 )w2c_template"
-R"w2c_template(#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+R"w2c_template(#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 )w2c_template"
 R"w2c_template(#else
 )w2c_template"
-R"w2c_template(#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+R"w2c_template(#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 )w2c_template"
 R"w2c_template(#endif
 )w2c_template"
@@ -194,7 +194,7 @@ R"w2c_template(    if (UNLIKELY(add_overflow(offset, len, &res))) \
 )w2c_template"
 R"w2c_template(      TRAP(OOB);                                   \
 )w2c_template"
-R"w2c_template(    if (UNLIKELY(res > mem->size))                 \
+R"w2c_template(    if (UNLIKELY(res > (mem)->size))               \
 )w2c_template"
 R"w2c_template(      TRAP(OOB);                                   \
 )w2c_template"
diff --git a/src/template/wasm2c.declarations.c b/src/template/wasm2c.declarations.c
@@ -15,9 +15,9 @@
 // Result:
 // A pointer for an object of size n.
 #if WABT_BIG_ENDIAN
-#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 #else
-#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 #endif
 
 // We can only use Segue for this module if it uses a single unshared imported
@@ -104,7 +104,7 @@ static inline bool add_overflow(uint64_t a, uint64_t b, uint64_t* resptr) {
     uint64_t res;                                  \
     if (UNLIKELY(add_overflow(offset, len, &res))) \
       TRAP(OOB);                                   \
-    if (UNLIKELY(res > mem->size))                 \
+    if (UNLIKELY(res > (mem)->size))               \
       TRAP(OOB);                                   \
   } while (0);
 
diff --git a/test/wasm2c/add.txt b/test/wasm2c/add.txt
@@ -82,9 +82,9 @@ u32 w2c_test_add(w2c_test*, u32, u32);
 // Result:
 // A pointer for an object of size n.
 #if WABT_BIG_ENDIAN
-#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 #else
-#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 #endif
 
 // We can only use Segue for this module if it uses a single unshared imported
@@ -171,7 +171,7 @@ static inline bool add_overflow(uint64_t a, uint64_t b, uint64_t* resptr) {
     uint64_t res;                                  \
     if (UNLIKELY(add_overflow(offset, len, &res))) \
       TRAP(OOB);                                   \
-    if (UNLIKELY(res > mem->size))                 \
+    if (UNLIKELY(res > (mem)->size))               \
       TRAP(OOB);                                   \
   } while (0);
 
diff --git a/test/wasm2c/check-imports.txt b/test/wasm2c/check-imports.txt
@@ -107,9 +107,9 @@ extern const u32 wasm2c_test_pagesize_env_0x5F_linear_memory;
 // Result:
 // A pointer for an object of size n.
 #if WABT_BIG_ENDIAN
-#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 #else
-#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 #endif
 
 // We can only use Segue for this module if it uses a single unshared imported
@@ -196,7 +196,7 @@ static inline bool add_overflow(uint64_t a, uint64_t b, uint64_t* resptr) {
     uint64_t res;                                  \
     if (UNLIKELY(add_overflow(offset, len, &res))) \
       TRAP(OOB);                                   \
-    if (UNLIKELY(res > mem->size))                 \
+    if (UNLIKELY(res > (mem)->size))               \
       TRAP(OOB);                                   \
   } while (0);
 
diff --git a/test/wasm2c/export-names.txt b/test/wasm2c/export-names.txt
@@ -107,9 +107,9 @@ void w2c_test_0xE20x9D0xA40xEF0xB80x8F(w2c_test*);
 // Result:
 // A pointer for an object of size n.
 #if WABT_BIG_ENDIAN
-#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 #else
-#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 #endif
 
 // We can only use Segue for this module if it uses a single unshared imported
@@ -196,7 +196,7 @@ static inline bool add_overflow(uint64_t a, uint64_t b, uint64_t* resptr) {
     uint64_t res;                                  \
     if (UNLIKELY(add_overflow(offset, len, &res))) \
       TRAP(OOB);                                   \
-    if (UNLIKELY(res > mem->size))                 \
+    if (UNLIKELY(res > (mem)->size))               \
       TRAP(OOB);                                   \
   } while (0);
 
diff --git a/test/wasm2c/hello.txt b/test/wasm2c/hello.txt
@@ -114,9 +114,9 @@ void w2c_test_0x5Fstart(w2c_test*);
 // Result:
 // A pointer for an object of size n.
 #if WABT_BIG_ENDIAN
-#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 #else
-#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 #endif
 
 // We can only use Segue for this module if it uses a single unshared imported
@@ -203,7 +203,7 @@ static inline bool add_overflow(uint64_t a, uint64_t b, uint64_t* resptr) {
     uint64_t res;                                  \
     if (UNLIKELY(add_overflow(offset, len, &res))) \
       TRAP(OOB);                                   \
-    if (UNLIKELY(res > mem->size))                 \
+    if (UNLIKELY(res > (mem)->size))               \
       TRAP(OOB);                                   \
   } while (0);
 
diff --git a/test/wasm2c/minimal.txt b/test/wasm2c/minimal.txt
@@ -76,9 +76,9 @@ wasm_rt_func_type_t wasm2c_test_get_func_type(uint32_t param_count, uint32_t res
 // Result:
 // A pointer for an object of size n.
 #if WABT_BIG_ENDIAN
-#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 #else
-#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 #endif
 
 // We can only use Segue for this module if it uses a single unshared imported
@@ -165,7 +165,7 @@ static inline bool add_overflow(uint64_t a, uint64_t b, uint64_t* resptr) {
     uint64_t res;                                  \
     if (UNLIKELY(add_overflow(offset, len, &res))) \
       TRAP(OOB);                                   \
-    if (UNLIKELY(res > mem->size))                 \
+    if (UNLIKELY(res > (mem)->size))               \
       TRAP(OOB);                                   \
   } while (0);
 
diff --git a/test/wasm2c/tail-calls.txt b/test/wasm2c/tail-calls.txt
@@ -106,9 +106,9 @@ void wasm_tailcall_w2c_test_tailcaller(void **instance_ptr, void *tail_call_stac
 // Result:
 // A pointer for an object of size n.
 #if WABT_BIG_ENDIAN
-#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 #else
-#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 #endif
 
 // We can only use Segue for this module if it uses a single unshared imported
@@ -195,7 +195,7 @@ static inline bool add_overflow(uint64_t a, uint64_t b, uint64_t* resptr) {
     uint64_t res;                                  \
     if (UNLIKELY(add_overflow(offset, len, &res))) \
       TRAP(OOB);                                   \
-    if (UNLIKELY(res > mem->size))                 \
+    if (UNLIKELY(res > (mem)->size))               \
       TRAP(OOB);                                   \
   } while (0);
 
diff --git a/wasm2c/benchmarks/dhrystone/main.c b/wasm2c/benchmarks/dhrystone/main.c
@@ -18,9 +18,9 @@ typedef uint32_t u32;
 typedef uint64_t u64;
 
 #if WABT_BIG_ENDIAN
-#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 #else
-#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 #endif
 
 #define MEM_ADDR_MEMOP(mem, addr, n) MEM_ADDR(mem, addr, n)
diff --git a/wasm2c/examples/fac/fac.c b/wasm2c/examples/fac/fac.c
@@ -34,9 +34,9 @@
 // Result:
 // A pointer for an object of size n.
 #if WABT_BIG_ENDIAN
-#define MEM_ADDR(mem, addr, n) &(mem)->data[(mem)->size - (addr) - (n)]
+#define MEM_ADDR(mem, addr, n) ((mem)->data_end - (addr) - (n))
 #else
-#define MEM_ADDR(mem, addr, n) &(mem)->data[addr]
+#define MEM_ADDR(mem, addr, n) &((mem)->data[addr])
 #endif
 
 // We can only use Segue for this module if it uses a single unshared imported
@@ -123,7 +123,7 @@ static inline bool add_overflow(uint64_t a, uint64_t b, uint64_t* resptr) {
     uint64_t res;                                  \
     if (UNLIKELY(add_overflow(offset, len, &res))) \
       TRAP(OOB);                                   \
-    if (UNLIKELY(res > mem->size))                 \
+    if (UNLIKELY(res > (mem)->size))               \
       TRAP(OOB);                                   \
   } while (0);
 
diff --git a/wasm2c/wasm-rt-mem-impl-helper.inc b/wasm2c/wasm-rt-mem-impl-helper.inc
@@ -76,26 +76,65 @@ void MEMORY_API_NAME(wasm_rt_allocate_memory)(MEMORY_TYPE* memory,
   memory->page_size = page_size;
   MEMORY_LOCK_VAR_INIT(memory->mem_lock);
 
-  if (WASM_RT_USE_MMAP &&
-      MEMORY_API_NAME(wasm_rt_memory_is_default32)(memory)) {
-#if WASM_RT_USE_MMAP  // mmap-related functions don't exist unless this is set
+#if WASM_RT_USE_MMAP
+  if (MEMORY_API_NAME(wasm_rt_memory_is_default32)(memory)) {
     const uint64_t mmap_size =
         get_alloc_size_for_mmap_default32(memory->max_pages);
-    void* addr = os_mmap(mmap_size);
+    uint8_t* addr = os_mmap(mmap_size);
     if (!addr) {
       os_print_last_error("os_mmap failed.");
       abort();
     }
+    uint8_t* data_end = addr + mmap_size;
+#if !WABT_BIG_ENDIAN
     int ret = os_mprotect(addr, byte_length);
+#else
+    int ret = os_mprotect(data_end - byte_length, byte_length);
+#endif
     if (ret != 0) {
       os_print_last_error("os_mprotect failed.");
       abort();
     }
-    memory->data = addr;
+    memory->data = (MEMORY_CELL_TYPE)addr;
+    memory->data_end = (MEMORY_CELL_TYPE)data_end;
+    return;
+  }
+#endif
+
+  memory->data = (MEMORY_CELL_TYPE)calloc(byte_length, 1);
+  memory->data_end = memory->data + byte_length;
+}
+
+// Returns 0 on success
+static int MEMORY_API_NAME(expand_data_allocation)(MEMORY_TYPE* memory,
+                                                   uint64_t old_size,
+                                                   uint64_t new_size,
+                                                   uint64_t delta_size) {
+#if WASM_RT_USE_MMAP
+  if (MEMORY_API_NAME(wasm_rt_memory_is_default32)(memory)) {
+#if !WABT_BIG_ENDIAN
+    return os_mprotect((void*)(memory->data + old_size), delta_size);
+#else
+    return os_mprotect((void*)(memory->data_end - old_size - delta_size),
+                       delta_size);
 #endif
-  } else {
-    memory->data = calloc(byte_length, 1);
   }
+#endif
+
+  uint8_t* new_data = realloc((void*)memory->data, new_size);
+  if (new_data == NULL) {
+    return -1;
+  }
+#if !WABT_BIG_ENDIAN
+  memset((void*)(new_data + old_size), 0, delta_size);
+#else
+  memmove((void*)(new_data + new_size - old_size), (void*)new_data, old_size);
+  memset((void*)new_data, 0, delta_size);
+#endif
+
+  memory->data = (MEMORY_CELL_TYPE)new_data;
+  memory->data_end = memory->data + new_size;
+  return 0;
 }
 
 static uint64_t MEMORY_API_NAME(grow_memory_impl)(MEMORY_TYPE* memory,
@@ -111,32 +150,15 @@ static uint64_t MEMORY_API_NAME(grow_memory_impl)(MEMORY_TYPE* memory,
   uint64_t old_size = old_pages * memory->page_size;
   uint64_t new_size = new_pages * memory->page_size;
   uint64_t delta_size = delta * memory->page_size;
-  MEMORY_CELL_TYPE new_data;
-  if (WASM_RT_USE_MMAP &&
-      MEMORY_API_NAME(wasm_rt_memory_is_default32)(memory)) {
-#if WASM_RT_USE_MMAP
-    new_data = memory->data;
-    int ret = os_mprotect((void*)(new_data + old_size), delta_size);
-    if (ret != 0) {
-      return (uint64_t)-1;
-    }
-#endif
-  } else {
-    new_data = realloc((void*)memory->data, new_size);
-    if (new_data == NULL) {
-      return (uint64_t)-1;
-    }
-#if !WABT_BIG_ENDIAN
-    memset((void*)(new_data + old_size), 0, delta_size);
-#endif
+
+  int err = MEMORY_API_NAME(expand_data_allocation)(memory, old_size, new_size,
+                                                    delta_size);
+  if (err != 0) {
+    return (uint64_t)-1;
   }
-#if WABT_BIG_ENDIAN
-  memmove((void*)(new_data + new_size - old_size), (void*)new_data, old_size);
-  memset((void*)new_data, 0, delta_size);
-#endif
+
   memory->pages = new_pages;
   memory->size = new_size;
-  memory->data = new_data;
   return old_pages;
 }
 
@@ -154,16 +176,15 @@ uint64_t MEMORY_API_NAME(wasm_rt_grow_memory)(MEMORY_TYPE* memory,
 }
 
 void MEMORY_API_NAME(wasm_rt_free_memory)(MEMORY_TYPE* memory) {
-  if (WASM_RT_USE_MMAP &&
-      MEMORY_API_NAME(wasm_rt_memory_is_default32)(memory)) {
 #if WASM_RT_USE_MMAP
+  if (MEMORY_API_NAME(wasm_rt_memory_is_default32)(memory)) {
     const uint64_t mmap_size =
         get_alloc_size_for_mmap_default32(memory->max_pages);
     os_munmap((void*)memory->data, mmap_size);  // ignore error
-#endif
-  } else {
-    free((void*)memory->data);
+    return;
   }
+#endif
+  free((void*)memory->data);
 }
 
 #undef MEMORY_LOCK_RELEASE
diff --git a/wasm2c/wasm-rt.h b/wasm2c/wasm-rt.h
@@ -140,7 +140,7 @@ extern "C" {
  *
  * BOUNDS_CHECK: memory accesses are checked with explicit bounds checks.
  *
- * This defaults to GUARD_PAGES as this is the fasest option, iff the
+ * This defaults to GUARD_PAGES as this is the fastest option, iff the
  * requirements of GUARD_PAGES --- 64-bit platforms, MMAP allocation strategy,
  * no 64-bit memories, no big-endian --- are met. This falls back to BOUNDS
  * otherwise.
@@ -266,13 +266,15 @@ extern "C" {
 /**
  * We need to detect and trap stack overflows. If we use a signal handler on
  * POSIX systems, this can detect call stack overflows. On windows, or platforms
- * without a signal handler, we use stack depth counting.
+ * without a signal handler, we use stack depth counting. The s390x big endian
+ * platform additionally seems to have issues with stack guard pages, so we play
+ * it safe and use stack counting on big endian platforms.
  */
 #if !defined(WASM_RT_STACK_DEPTH_COUNT) &&        \
     !defined(WASM_RT_STACK_EXHAUSTION_HANDLER) && \
     !WASM_RT_NONCONFORMING_UNCHECKED_STACK_EXHAUSTION
 
-#if WASM_RT_INSTALL_SIGNAL_HANDLER && !defined(_WIN32)
+#if WASM_RT_INSTALL_SIGNAL_HANDLER && !defined(_WIN32) && !WABT_BIG_ENDIAN
 #define WASM_RT_STACK_EXHAUSTION_HANDLER 1
 #else
 #define WASM_RT_STACK_DEPTH_COUNT 1
@@ -465,6 +467,8 @@ typedef void* wasm_rt_externref_t;
 typedef struct {
   /** The linear memory data, with a byte length of `size`. */
   uint8_t* data;
+  /** The location after the the reserved space for the linear memory data. */
+  uint8_t* data_end;
   /** The page size for this Memory object
       (always 64 KiB without the custom-page-sizes feature) */
   uint32_t page_size;
@@ -493,6 +497,9 @@ typedef struct {
    * volatile.
    */
   _Atomic volatile uint8_t* data;
+  /** The location one byte after the reserved space for the linear memory data.
+   * This includes any reserved pages that are not yet allocated. */
+  _Atomic volatile uint8_t* data_end;
   /** The page size for this Memory object
       (always 64 KiB without the custom-page-sizes feature) */
   uint32_t page_size;
