From 438b85d8cdb21882bba3e66b6dd0146faad16b6c Mon Sep 17 00:00:00 2001 From: Ryan Hunt Date: Thu, 21 Nov 2019 09:53:07 -0600 Subject: [PATCH] [test] Update generated tests for OOBs and dropping changes --- test/core/memory_copy.wast | 10 +++++++-- test/core/memory_fill.wast | 2 +- test/core/memory_init.wast | 17 ++++++++++----- test/core/table_copy.wast | 28 +++++++++++++++++++++++-- test/core/table_init.wast | 35 +++++++++++++++++++++++++------ test/meta/generate_memory_copy.js | 17 +++++++++++---- test/meta/generate_memory_fill.js | 6 +++--- test/meta/generate_memory_init.js | 24 ++++++++++++++------- test/meta/generate_table_copy.js | 13 ++++++++---- test/meta/generate_table_init.js | 30 +++++++++++++------------- 10 files changed, 134 insertions(+), 48 deletions(-) diff --git a/test/core/memory_copy.wast b/test/core/memory_copy.wast index cb46144d..692e1ad8 100644 --- a/test/core/memory_copy.wast +++ b/test/core/memory_copy.wast @@ -4869,7 +4869,7 @@ (memory 1 1) (func (export "test") (memory.copy (i32.const 0x20000) (i32.const 0x7000) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") (module (memory 1 1) @@ -4881,7 +4881,7 @@ (memory 1 1) (func (export "test") (memory.copy (i32.const 0x9000) (i32.const 0x20000) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") (module (memory 1 1) @@ -4889,6 +4889,12 @@ (memory.copy (i32.const 0x10000) (i32.const 0x10000) (i32.const 0)))) (invoke "test") +(module + (memory 1 1) + (func (export "test") + (memory.copy (i32.const 0x20000) (i32.const 0x20000) (i32.const 0)))) +(assert_trap (invoke "test") "out of bounds") + (module (memory 1 1) (func (export "test") diff --git a/test/core/memory_fill.wast b/test/core/memory_fill.wast index bbce9d8e..caca80b5 100644 --- a/test/core/memory_fill.wast +++ b/test/core/memory_fill.wast @@ -114,7 +114,7 @@ (func (export "test") (memory.fill (i32.const 0x20000) (i32.const 0x55) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") (module (memory 1 1) diff --git a/test/core/memory_init.wast b/test/core/memory_init.wast index 670bddc2..c647079d 100644 --- a/test/core/memory_init.wast +++ b/test/core/memory_init.wast @@ -205,7 +205,7 @@ (func (export "test") (data.drop 0) (data.drop 0))) -(assert_trap (invoke "test") "data segment dropped") +(invoke "test") (module (memory 1) @@ -213,14 +213,14 @@ (func (export "test") (data.drop 0) (memory.init 0 (i32.const 1234) (i32.const 1) (i32.const 1)))) -(assert_trap (invoke "test") "data segment dropped") +(assert_trap (invoke "test") "out of bounds") (module (memory 1) (data (i32.const 0) "\37") (func (export "test") (memory.init 0 (i32.const 1234) (i32.const 1) (i32.const 1)))) -(assert_trap (invoke "test") "data segment dropped") +(assert_trap (invoke "test") "out of bounds") (assert_invalid (module @@ -270,7 +270,7 @@ (data "\37") (func (export "test") (memory.init 0 (i32.const 1234) (i32.const 4) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") (module (memory 1) @@ -284,7 +284,7 @@ (data "\37") (func (export "test") (memory.init 0 (i32.const 0x10001) (i32.const 0) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") (module (memory 1) @@ -300,6 +300,13 @@ (memory.init 0 (i32.const 0x10000) (i32.const 1) (i32.const 0)))) (invoke "test") +(module + (memory 1) + (data "\37") + (func (export "test") + (memory.init 0 (i32.const 0x10001) (i32.const 4) (i32.const 0)))) +(assert_trap (invoke "test") "out of bounds") + (assert_invalid (module (memory 1) diff --git a/test/core/table_copy.wast b/test/core/table_copy.wast index 20949b30..d0aa77b2 100644 --- a/test/core/table_copy.wast +++ b/test/core/table_copy.wast @@ -633,7 +633,7 @@ (table.copy (i32.const 31) (i32.const 15) (i32.const 0)) )) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") (module (table 30 30 funcref) @@ -681,7 +681,7 @@ (table.copy (i32.const 15) (i32.const 31) (i32.const 0)) )) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") (module (table 30 30 funcref) @@ -707,6 +707,30 @@ (invoke "test") +(module + (table 30 30 funcref) + (elem (i32.const 2) 3 1 4 1) + (elem funcref + (ref.func 2) (ref.func 7) (ref.func 1) (ref.func 8)) + (elem (i32.const 12) 7 5 2 3 6) + (elem funcref + (ref.func 5) (ref.func 9) (ref.func 2) (ref.func 7) (ref.func 6)) + (func (result i32) (i32.const 0)) + (func (result i32) (i32.const 1)) + (func (result i32) (i32.const 2)) + (func (result i32) (i32.const 3)) + (func (result i32) (i32.const 4)) + (func (result i32) (i32.const 5)) + (func (result i32) (i32.const 6)) + (func (result i32) (i32.const 7)) + (func (result i32) (i32.const 8)) + (func (result i32) (i32.const 9)) + (func (export "test") + (table.copy (i32.const 31) (i32.const 31) (i32.const 0)) + )) + +(assert_trap (invoke "test") "out of bounds") + (module (type (func (result i32))) (table 32 64 funcref) diff --git a/test/core/table_init.wast b/test/core/table_init.wast index 658deb68..80eaf065 100644 --- a/test/core/table_init.wast +++ b/test/core/table_init.wast @@ -239,7 +239,7 @@ (func (export "test") (elem.drop 2) )) -(assert_trap (invoke "test") "element segment dropped") +(invoke "test") (module (table 30 30 funcref) @@ -262,7 +262,7 @@ (func (export "test") (table.init 2 (i32.const 12) (i32.const 1) (i32.const 1)) )) -(assert_trap (invoke "test") "element segment dropped") +(assert_trap (invoke "test") "out of bounds") (module (table 30 30 funcref) @@ -308,7 +308,7 @@ (func (export "test") (elem.drop 1) (elem.drop 1))) -(assert_trap (invoke "test") "element segment dropped") +(invoke "test") (module (table 30 30 funcref) @@ -331,7 +331,7 @@ (func (export "test") (elem.drop 1) (table.init 1 (i32.const 12) (i32.const 1) (i32.const 1)))) -(assert_trap (invoke "test") "element segment dropped") +(assert_trap (invoke "test") "out of bounds") (module (table 30 30 funcref) @@ -446,7 +446,7 @@ (func (export "test") (table.init 1 (i32.const 12) (i32.const 5) (i32.const 0)) )) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") (module (table 30 30 funcref) @@ -492,7 +492,7 @@ (func (export "test") (table.init 1 (i32.const 31) (i32.const 2) (i32.const 0)) )) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") (module (table 30 30 funcref) @@ -517,6 +517,29 @@ )) (invoke "test") +(module + (table 30 30 funcref) + (elem (i32.const 2) 3 1 4 1) + (elem funcref + (ref.func 2) (ref.func 7) (ref.func 1) (ref.func 8)) + (elem (i32.const 12) 7 5 2 3 6) + (elem funcref + (ref.func 5) (ref.func 9) (ref.func 2) (ref.func 7) (ref.func 6)) + (func (result i32) (i32.const 0)) + (func (result i32) (i32.const 1)) + (func (result i32) (i32.const 2)) + (func (result i32) (i32.const 3)) + (func (result i32) (i32.const 4)) + (func (result i32) (i32.const 5)) + (func (result i32) (i32.const 6)) + (func (result i32) (i32.const 7)) + (func (result i32) (i32.const 8)) + (func (result i32) (i32.const 9)) + (func (export "test") + (table.init 1 (i32.const 31) (i32.const 5) (i32.const 0)) + )) +(assert_trap (invoke "test") "out of bounds") + (assert_invalid (module (table 10 funcref) diff --git a/test/meta/generate_memory_copy.js b/test/meta/generate_memory_copy.js index 687ce6c7..e5b7c0c9 100644 --- a/test/meta/generate_memory_copy.js +++ b/test/meta/generate_memory_copy.js @@ -280,13 +280,13 @@ print( (invoke "test") `); -// Zero len with dest offset out-of-bounds past the end of memory is allowed +// Zero len with dest offset out-of-bounds past the end of memory is not allowed print( `(module (memory 1 1) (func (export "test") (memory.copy (i32.const 0x20000) (i32.const 0x7000) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") `); // Zero len with src offset out-of-bounds at the end of memory is allowed @@ -298,13 +298,13 @@ print( (invoke "test") `); -// Zero len with src offset out-of-bounds past the end of memory is allowed +// Zero len with src offset out-of-bounds past the end of memory is not allowed print( `(module (memory 1 1) (func (export "test") (memory.copy (i32.const 0x9000) (i32.const 0x20000) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") `); // Zero len with both dest and src offsets out-of-bounds at the end of memory is allowed @@ -316,6 +316,15 @@ print( (invoke "test") `); +// Zero len with both dest and src offsets out-of-bounds past the end of memory is not allowed +print( +`(module + (memory 1 1) + (func (export "test") + (memory.copy (i32.const 0x20000) (i32.const 0x20000) (i32.const 0)))) +(assert_trap (invoke "test") "out of bounds") +`); + // 100 random fills followed by 100 random copies, in a single-page buffer, // followed by verification of the (now heavily mashed-around) buffer. print( diff --git a/test/meta/generate_memory_fill.js b/test/meta/generate_memory_fill.js index cb048f6a..0dba569e 100644 --- a/test/meta/generate_memory_fill.js +++ b/test/meta/generate_memory_fill.js @@ -56,13 +56,13 @@ print( (invoke "test") `); -// Zero len with offset out-of-bounds past the end of memory is allowed +// Zero len with offset out-of-bounds past the end of memory is not allowed print( `(module ${PREAMBLE} (func (export "test") (memory.fill (i32.const 0x20000) (i32.const 0x55) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") `); // Very large range @@ -136,7 +136,7 @@ function mem_fill(min, max, shared, backup, write=backup*2) { (func (export "run") (param $offs i32) (param $val i32) (param $len i32) (memory.fill (local.get $offs) (local.get $val) (local.get $len)))) `); - // A fill past the end should throw *and* have filled all the way up to the end + // A fill past the end should throw *and* not have performed a partial fill let offs = min*PAGESIZE - backup; let val = 37; print( diff --git a/test/meta/generate_memory_init.js b/test/meta/generate_memory_init.js index eccbabfe..0b5d7f65 100644 --- a/test/meta/generate_memory_init.js +++ b/test/meta/generate_memory_init.js @@ -85,7 +85,7 @@ print( (func (export "test") (data.drop 0) (data.drop 0))) -(assert_trap (invoke "test") "data segment dropped") +(invoke "test") `); // drop, then init @@ -95,7 +95,7 @@ print( (func (export "test") (data.drop 0) (memory.init 0 (i32.const 1234) (i32.const 1) (i32.const 1)))) -(assert_trap (invoke "test") "data segment dropped") +(assert_trap (invoke "test") "out of bounds") `); // init with data seg ix indicating an active segment @@ -105,7 +105,7 @@ print( (data (i32.const 0) "\\37") (func (export "test") (memory.init 0 (i32.const 1234) (i32.const 1) (i32.const 1)))) -(assert_trap (invoke "test") "data segment dropped") +(assert_trap (invoke "test") "out of bounds") `); // init with no memory @@ -164,13 +164,13 @@ print( (assert_trap (invoke "test") "out of bounds") `); -// init: seg ix is valid passive, src offset past the end, zero len is always valid +// init: seg ix is valid passive, src offset past the end, zero len is invalid print( `(module ${PREAMBLE} (func (export "test") (memory.init 0 (i32.const 1234) (i32.const 4) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") `); // init: seg ix is valid passive, zero len, src offset at the end @@ -182,13 +182,13 @@ print( (invoke "test") `); -// init: seg ix is valid passive, dst offset past the end, zero len is always valid +// init: seg ix is valid passive, dst offset past the end, zero len is invalid print( `(module ${PREAMBLE} (func (export "test") (memory.init 0 (i32.const 0x10001) (i32.const 0) (i32.const 0)))) -(invoke "test") +(assert_trap (invoke "test") "out of bounds") `); // init: seg ix is valid passive, zero len, but dst offset at the end @@ -209,6 +209,16 @@ print( (invoke "test") `); +// init: seg ix is valid passive, src and dst offset past the end, zero len is +// invalid +print( +`(module + ${PREAMBLE} + (func (export "test") + (memory.init 0 (i32.const 0x10001) (i32.const 4) (i32.const 0)))) +(assert_trap (invoke "test") "out of bounds") +`); + // invalid argument types. TODO: can add anyfunc etc here. { const tys = ['i32', 'f32', 'i64', 'f64']; diff --git a/test/meta/generate_table_copy.js b/test/meta/generate_table_copy.js index d399fdc4..86718944 100644 --- a/test/meta/generate_table_copy.js +++ b/test/meta/generate_table_copy.js @@ -189,26 +189,31 @@ tab_test2("(table.copy (i32.const 30) (i32.const 15) (i32.const 0))", "", undefined); -// copy: zero length with dst offset out of bounds past the end of the table is allowed +// copy: zero length with dst offset out of bounds past the end of the table is not allowed tab_test2("(table.copy (i32.const 31) (i32.const 15) (i32.const 0))", "", - undefined); + "out of bounds"); // copy: zero length with src offset out of bounds at the end of the table is allowed tab_test2("(table.copy (i32.const 15) (i32.const 30) (i32.const 0))", "", undefined); -// copy: zero length with src offset out of bounds past the end of the table is allowed +// copy: zero length with src offset out of bounds past the end of the table is not allowed tab_test2("(table.copy (i32.const 15) (i32.const 31) (i32.const 0))", "", - undefined); + "out of bounds"); // copy: zero length with both dst and src offset out of bounds at the end of the table is allowed tab_test2("(table.copy (i32.const 30) (i32.const 30) (i32.const 0))", "", undefined); +// copy: zero length with both dst and src offset out of bounds past the end of the table is not allowed +tab_test2("(table.copy (i32.const 31) (i32.const 31) (i32.const 0))", + "", + "out of bounds"); + // table.copy: out of bounds of the table for the source or target, but should // perform the operation up to the appropriate bound. Major cases: // diff --git a/test/meta/generate_table_init.js b/test/meta/generate_table_init.js index bc594090..9329d937 100644 --- a/test/meta/generate_table_init.js +++ b/test/meta/generate_table_init.js @@ -181,32 +181,29 @@ function tab_test2(insn1, insn2, errText) { do_test(insn1, insn2, errText); } -function tab_test_nofail(insn1, insn2) { - do_test(insn1, insn2, undefined); -} - // drop with elem seg ix indicating an active segment tab_test1("(elem.drop 2)", - "element segment dropped"); + undefined); // init with elem seg ix indicating an active segment tab_test1("(table.init 2 (i32.const 12) (i32.const 1) (i32.const 1))", - "element segment dropped"); + "out of bounds"); // init, using an elem seg ix more than once is OK -tab_test_nofail( +tab_test2( "(table.init 1 (i32.const 12) (i32.const 1) (i32.const 1))", - "(table.init 1 (i32.const 21) (i32.const 1) (i32.const 1))"); + "(table.init 1 (i32.const 21) (i32.const 1) (i32.const 1))", + undefined); // drop, then drop tab_test2("(elem.drop 1)", "(elem.drop 1)", - "element segment dropped"); + undefined); // drop, then init tab_test2("(elem.drop 1)", "(table.init 1 (i32.const 12) (i32.const 1) (i32.const 1))", - "element segment dropped"); + "out of bounds"); // init: seg ix is valid passive, but length to copy > len of seg tab_test1("(table.init 1 (i32.const 12) (i32.const 0) (i32.const 5))", @@ -226,9 +223,9 @@ tab_test1("(table.init 1 (i32.const 12) (i32.const 4) (i32.const 0))", undefined); // init: seg ix is valid passive, zero len, and src offset out of bounds past the -// end of the table - this is allowed +// end of the table - this is not allowed tab_test1("(table.init 1 (i32.const 12) (i32.const 5) (i32.const 0))", - undefined); + "out of bounds"); // init: seg ix is valid passive, zero len, and dst offset out of bounds at the // end of the table - this is allowed @@ -236,15 +233,20 @@ tab_test1("(table.init 1 (i32.const 30) (i32.const 2) (i32.const 0))", undefined); // init: seg ix is valid passive, zero len, and dst offset out of bounds past the -// end of the table - this is allowed +// end of the table - this is not allowed tab_test1("(table.init 1 (i32.const 31) (i32.const 2) (i32.const 0))", - undefined); + "out of bounds"); // init: seg ix is valid passive, zero len, and dst and src offsets out of bounds // at the end of the table - this is allowed tab_test1("(table.init 1 (i32.const 30) (i32.const 4) (i32.const 0))", undefined); +// init: seg ix is valid passive, zero len, and src/dst offset out of bounds past the +// end of the table - this is not allowed +tab_test1("(table.init 1 (i32.const 31) (i32.const 5) (i32.const 0))", + "out of bounds"); + // invalid argument types { const tys = ['i32', 'f32', 'i64', 'f64'];