[wasm] Exploit unallocated zero page to remove null checks in jiterpreter

[kg]

The zero page is unallocated, which means that reading the string/array length fields of a null pointer will return a length of 0. The bounds check for getchr and getelema1 will thus fail, causing us to bail out as if we had done a null check. This lets us remove a compare and a branch in all cases.

Also skip emitting a const+add pair in a few places where we add offsets to pointers if we know the offset is 0, since it'll make traces slightly smaller.

[ghost]

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

Issue Details

---

The zero page is unallocated, which means that reading the string/array length fields of a null pointer will return a length of 0. The bounds check for getchr and getelema1 will thus fail, causing us to bail out as if we had done a null check. This lets us remove a compare and a branch in all cases.

Also skip emitting a const+add pair in a few places where we add offsets to pointers if we know the offset is 0, since it'll make traces slightly smaller.

Author:	kg
Assignees:	-
Labels:	arch-wasm, area-Codegen-Jiterpreter-mono
Milestone:	-

[vargaz]

Shouldn't reading a null ref throw a different exception ?

[kg]

Shouldn't reading a null ref throw a different exception ?

On failure, we will bail out to the interpreter, and it will retry the opcode and do a null check.

I think we could apply this same optimization to AOT - if the bounds check fails, then null-check the array reference and throw the correct exception.

[kg]

Since there's a risk this might cause obscure issues I think I'll merge it after we branch this preview. Based on emscripten-core/emscripten#19389 as long as we don't change our emscripten config, it should be safe in Release runtime builds but not in Debug ones.

[lambdageek]

Since there's a risk this might cause obscure issues I think I'll merge it after we branch this preview. Based on emscripten-core/emscripten#19389 as long as we don't change our emscripten config, it should be safe in Release runtime builds but not in Debug ones.

I'm a little bit concerned that release and debug builds will have different null-checking behavior.

Also users who set -p:WasmBuildNative=true and do Debug/Release builds of their app will have different null checking behavior too, right?

If we always set -sGLOBAL_BASE as suggested in the upstream issues, what would we be giving up? Have we discovered stack overflow bugs due to the wasm runtime trapping?

[kg]

mono_wasm_is_zero_page_reserved should do the trick I think.

[lewing]

is this still no-merge?

[kg]

is this still no-merge?

I don't want to add it to p5, I think it's risky.

[kg]

While looking into one of Jerome's bug reports, I noticed that there was garbage data at offset 0 in the heap that shouldn't be there. Not sure how that scenario came to be, will try to understand whether something about this optimization is unsafe for a new or different reason.

[kg]

While looking into one of Jerome's bug reports, I noticed that there was garbage data at offset 0 in the heap that shouldn't be there. Not sure how that scenario came to be, will try to understand whether something about this optimization is unsafe for a new or different reason.

Reproduced this in another build, and thankfully emscripten_stack_get_end() reports 0 in this case so there being random data at the start of memory wouldn't be a problem, this optimization would be disabled.