[interp] Don't trap on zero-bytes out-of-bounds (WebAssembly#102)

binji · web-flow · commit d18ec64a8abc · 2019-06-28T15:15:47.000-07:00
diff --git a/interpreter/runtime/memory.ml b/interpreter/runtime/memory.ml
@@ -145,11 +145,6 @@ let store_packed sz mem a o v =
     | _ -> raise Type
   in storen mem a o n x
 
-let check_str_bounds bs a =
-  if I64.gt_u a (Int64.of_int (String.length bs)) then raise Bounds
-
-let check_bounds mem a = if I64.gt_u a (bound mem) then raise Bounds
-
 let init mem bs d s n =
   let load_str_byte a =
     try Char.code bs.[Int64.to_int a]
@@ -159,10 +154,7 @@ let init mem bs d s n =
       store_byte mem d (load_str_byte s);
       loop (Int64.add d 1L) (Int64.add s 1L) (Int32.sub n 1l)
     end
-  in loop d s n;
-  let n' = I64_convert.extend_i32_u n in
-  check_bounds mem (Int64.add d n');
-  check_str_bounds bs (Int64.add s n')
+  in loop d s n
 
 let copy mem d s n =
   let n' = I64_convert.extend_i32_u n in
@@ -175,15 +167,12 @@ let copy mem d s n =
   in (if overlap && s < d then
     loop Int64.(add d (sub n' 1L)) Int64.(add s (sub n' 1L)) n (-1L)
   else
-    loop d s n 1L);
-  check_bounds mem (Int64.add d n');
-  check_bounds mem (Int64.add s n')
+    loop d s n 1L)
 
 let fill mem a v n =
   let rec loop a n =
     if I32.gt_u n 0l then begin
       store_byte mem a v;
       loop (Int64.add a 1L) (Int32.sub n 1l)
     end
-  in loop a n;
-  check_bounds mem (Int64.add a (I64_convert.extend_i32_u n))
+  in loop a n
diff --git a/interpreter/runtime/table.ml b/interpreter/runtime/table.ml
@@ -49,19 +49,16 @@ let load tab i =
 let store tab i v =
   try Lib.Array32.set tab.content i v with Invalid_argument _ -> raise Bounds
 
-let check_bounds tab i = if I32.gt_u i (size tab) then raise Bounds
-
 let init tab es d s n =
   let rec loop es d s n =
     match s, n, es with
-    | 0l, 0l, _ -> ()
+    | s, 0l, _ -> ()
     | 0l, n, e::es' ->
       store tab d e;
       loop es' (Int32.add d 1l) 0l (Int32.sub n 1l)
     | s, n, _::es' -> loop es' d (Int32.sub s 1l) n
     | _ -> raise Bounds
-  in loop es d s n;
-  check_bounds tab (Int32.add d n)
+  in loop es d s n
 
 let copy tab d s n =
   let overlap = I32.lt_u Int32.(abs (sub d s)) n in
@@ -73,6 +70,4 @@ let copy tab d s n =
   in (if overlap && s < d then
     loop Int32.(add d (sub n 1l)) Int32.(add s (sub n 1l)) n (-1l)
   else
-    loop d s n 1l);
-  check_bounds tab (Int32.add d n);
-  check_bounds tab (Int32.add s n)
+    loop d s n 1l)
diff --git a/test/core/bulk.wast b/test/core/bulk.wast
@@ -48,9 +48,8 @@
 ;; Succeed when writing 0 bytes at the end of the region.
 (invoke "fill" (i32.const 0x10000) (i32.const 0) (i32.const 0))
 
-;; Fail on out-of-bounds when writing 0 bytes outside of memory.
-(assert_trap (invoke "fill" (i32.const 0x10001) (i32.const 0) (i32.const 0))
-    "out of bounds memory access")
+;; OK to write 0 bytes outside of memory.
+(invoke "fill" (i32.const 0x10001) (i32.const 0) (i32.const 0))
 
 
 ;; memory.copy
@@ -110,11 +109,9 @@
 (invoke "copy" (i32.const 0x10000) (i32.const 0) (i32.const 0))
 (invoke "copy" (i32.const 0) (i32.const 0x10000) (i32.const 0))
 
-;; Fail on out-of-bounds when copying 0 bytes outside of memory.
-(assert_trap (invoke "copy" (i32.const 0x10001) (i32.const 0) (i32.const 0))
-    "out of bounds memory access")
-(assert_trap (invoke "copy" (i32.const 0) (i32.const 0x10001) (i32.const 0))
-    "out of bounds memory access")
+;; OK to copy 0 bytes outside of memory.
+(invoke "copy" (i32.const 0x10001) (i32.const 0) (i32.const 0))
+(invoke "copy" (i32.const 0) (i32.const 0x10001) (i32.const 0))
 
 
 ;; memory.init
@@ -150,11 +147,9 @@
 (invoke "init" (i32.const 0x10000) (i32.const 0) (i32.const 0))
 (invoke "init" (i32.const 0) (i32.const 4) (i32.const 0))
 
-;; Fail on out-of-bounds when writing 0 bytes outside of memory or segment.
-(assert_trap (invoke "init" (i32.const 0x10001) (i32.const 0) (i32.const 0))
-    "out of bounds memory access")
-(assert_trap (invoke "init" (i32.const 0) (i32.const 5) (i32.const 0))
-    "out of bounds memory access")
+;; OK to write 0 bytes outside of memory or segment.
+(invoke "init" (i32.const 0x10001) (i32.const 0) (i32.const 0))
+(invoke "init" (i32.const 0) (i32.const 5) (i32.const 0))
 
 ;; data.drop
 (module
@@ -216,11 +211,9 @@
 (invoke "init" (i32.const 3) (i32.const 0) (i32.const 0))
 (invoke "init" (i32.const 0) (i32.const 4) (i32.const 0))
 
-;; Fail on out-of-bounds when storing 0 elements outside of table or segment.
-(assert_trap (invoke "init" (i32.const 4) (i32.const 0) (i32.const 0))
-    "out of bounds table access")
-(assert_trap (invoke "init" (i32.const 0) (i32.const 5) (i32.const 0))
-    "out of bounds table access")
+;; OK to storing 0 elements outside of table or segment.
+(invoke "init" (i32.const 4) (i32.const 0) (i32.const 0))
+(invoke "init" (i32.const 0) (i32.const 5) (i32.const 0))
 
 
 ;; elem.drop
@@ -302,7 +295,5 @@
 (invoke "copy" (i32.const 0) (i32.const 10) (i32.const 0))
 
 ;; Fail on out-of-bounds when copying 0 elements outside of table.
-(assert_trap (invoke "copy" (i32.const 11) (i32.const 0) (i32.const 0))
-    "out of bounds table access")
-(assert_trap (invoke "copy" (i32.const 0) (i32.const 11) (i32.const 0))
-    "out of bounds table access")
+(invoke "copy" (i32.const 11) (i32.const 0) (i32.const 0))
+(invoke "copy" (i32.const 0) (i32.const 11) (i32.const 0))
diff --git a/test/core/data.wast b/test/core/data.wast
@@ -182,20 +182,15 @@
   "data segment does not fit"
 )
 
-(assert_unlinkable
-  (module
-    (memory 0)
-    (data (i32.const 1))
-  )
-  "data segment does not fit"
+;; Writing 0 bytes outside of bounds is allowed now.
+(module
+  (memory 0)
+  (data (i32.const 1))
 )
 
-(assert_unlinkable
-  (module
-    (memory 0 1)
-    (data (i32.const 1))
-  )
-  "data segment does not fit"
+(module
+  (memory 0 1)
+  (data (i32.const 1))
 )
 
 ;; This seems to cause a time-out on Travis.
diff --git a/test/core/elem.wast b/test/core/elem.wast
@@ -166,12 +166,10 @@
   "elements segment does not fit"
 )
 
-(assert_unlinkable
-  (module
-    (table 0 funcref)
-    (elem (i32.const 1))
-  )
-  "elements segment does not fit"
+;; Writing 0 elems outside of bounds is allowed now.
+(module
+  (table 0 funcref)
+  (elem (i32.const 1))
 )
 
 (assert_unlinkable
diff --git a/test/core/memory_copy.wast b/test/core/memory_copy.wast
@@ -5001,7 +5001,7 @@
   (memory 1 1)
   (func (export "test")
     (memory.copy (i32.const 0x20000) (i32.const 0x7000) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 
 (module
   (memory 1 1)
@@ -5013,7 +5013,7 @@
   (memory 1 1)
   (func (export "test")
     (memory.copy (i32.const 0x9000) (i32.const 0x20000) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 
 (module
   (memory 1 1)
diff --git a/test/core/memory_fill.wast b/test/core/memory_fill.wast
@@ -114,7 +114,7 @@
 
   (func (export "test")
     (memory.fill (i32.const 0x20000) (i32.const 0x55) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds memory access")
+(invoke "test")
 
 (module
   (memory 1 1)
diff --git a/test/core/memory_init.wast b/test/core/memory_init.wast
@@ -270,7 +270,7 @@
     (data "\37")
   (func (export "test")
     (memory.init 0 (i32.const 1234) (i32.const 4) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 
 (module
   (memory 1)
@@ -284,7 +284,7 @@
     (data "\37")
   (func (export "test")
     (memory.init 0 (i32.const 0x10001) (i32.const 0) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 
 (module
   (memory 1)
diff --git a/test/core/table_copy.wast b/test/core/table_copy.wast
@@ -633,7 +633,7 @@
     (table.copy (i32.const 31) (i32.const 15) (i32.const 0))
     ))
 
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 
 (module
   (table 30 30 funcref)
@@ -681,7 +681,7 @@
     (table.copy (i32.const 15) (i32.const 31) (i32.const 0))
     ))
 
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 
 (module
   (table 30 30 funcref)
diff --git a/test/core/table_init.wast b/test/core/table_init.wast
@@ -446,7 +446,7 @@
   (func (export "test")
     (table.init 1 (i32.const 12) (i32.const 5) (i32.const 0))
     ))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 
 (module
   (table 30 30 funcref)
@@ -492,7 +492,7 @@
   (func (export "test")
     (table.init 1 (i32.const 31) (i32.const 2) (i32.const 0))
     ))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 
 (module
   (table 30 30 funcref)
diff --git a/test/meta/generate_memory_copy.js b/test/meta/generate_memory_copy.js
@@ -304,13 +304,13 @@ print(
 (invoke "test")
 `);
 
-// Zero len with dest offset out-of-bounds past the end of memory is not allowed
+// Zero len with dest offset out-of-bounds past the end of memory is allowed
 print(
 `(module
   (memory 1 1)
   (func (export "test")
     (memory.copy (i32.const 0x20000) (i32.const 0x7000) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 `);
 
 // Zero len with src offset out-of-bounds at the end of memory is allowed
@@ -322,13 +322,13 @@ print(
 (invoke "test")
 `);
 
-// Zero len with src offset out-of-bounds past the end of memory is not allowed
+// Zero len with src offset out-of-bounds past the end of memory is allowed
 print(
 `(module
   (memory 1 1)
   (func (export "test")
     (memory.copy (i32.const 0x9000) (i32.const 0x20000) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 `);
 
 // Zero len with both dest and src offsets out-of-bounds at the end of memory is allowed
diff --git a/test/meta/generate_memory_fill.js b/test/meta/generate_memory_fill.js
@@ -56,13 +56,13 @@ print(
 (invoke "test")
 `);
 
-// Zero len with offset out-of-bounds past the end of memory is not allowed
+// Zero len with offset out-of-bounds past the end of memory is allowed
 print(
 `(module
   ${PREAMBLE}
   (func (export "test")
     (memory.fill (i32.const 0x20000) (i32.const 0x55) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds memory access")
+(invoke "test")
 `);
 
 // Very large range
diff --git a/test/meta/generate_memory_init.js b/test/meta/generate_memory_init.js
@@ -164,13 +164,13 @@ print(
 (assert_trap (invoke "test") "out of bounds")
 `);
 
-// init: seg ix is valid passive, zero len, but src offset past the end
+// init: seg ix is valid passive, src offset past the end, zero len is always valid
 print(
 `(module
   ${PREAMBLE}
   (func (export "test")
     (memory.init 0 (i32.const 1234) (i32.const 4) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 `);
 
 // init: seg ix is valid passive, zero len, src offset at the end
@@ -182,13 +182,13 @@ print(
 (invoke "test")
 `);
 
-// init: seg ix is valid passive, zero len, but dst offset past the end
+// init: seg ix is valid passive, dst offset past the end, zero len is always valid
 print(
 `(module
   ${PREAMBLE}
   (func (export "test")
     (memory.init 0 (i32.const 0x10001) (i32.const 0) (i32.const 0))))
-(assert_trap (invoke "test") "out of bounds")
+(invoke "test")
 `);
 
 // init: seg ix is valid passive, zero len, but dst offset at the end
diff --git a/test/meta/generate_table_copy.js b/test/meta/generate_table_copy.js
@@ -189,20 +189,20 @@ tab_test2("(table.copy (i32.const 30) (i32.const 15) (i32.const 0))",
          "",
          undefined);
 
-// copy: zero length with dst offset out of bounds past the end of the table is not allowed
+// copy: zero length with dst offset out of bounds past the end of the table is allowed
 tab_test2("(table.copy (i32.const 31) (i32.const 15) (i32.const 0))",
          "",
-         "out of bounds");
+         undefined);
 
 // copy: zero length with src offset out of bounds at the end of the table is allowed
 tab_test2("(table.copy (i32.const 15) (i32.const 30) (i32.const 0))",
          "",
          undefined);
 
-// copy: zero length with src offset out of bounds past the end of the table is not allowed
+// copy: zero length with src offset out of bounds past the end of the table is allowed
 tab_test2("(table.copy (i32.const 15) (i32.const 31) (i32.const 0))",
          "",
-         "out of bounds");
+         undefined);
 
 // copy: zero length with both dst and src offset out of bounds at the end of the table is allowed
 tab_test2("(table.copy (i32.const 30) (i32.const 30) (i32.const 0))",
diff --git a/test/meta/generate_table_init.js b/test/meta/generate_table_init.js
@@ -226,19 +226,19 @@ tab_test1("(table.init 1 (i32.const 12) (i32.const 4) (i32.const 0))",
           undefined);
 
 // init: seg ix is valid passive, zero len, and src offset out of bounds past the
-// end of the table - this is not allowed
+// end of the table - this is allowed
 tab_test1("(table.init 1 (i32.const 12) (i32.const 5) (i32.const 0))",
-          "out of bounds");
+          undefined);
 
 // init: seg ix is valid passive, zero len, and dst offset out of bounds at the
 // end of the table - this is allowed
 tab_test1("(table.init 1 (i32.const 30) (i32.const 2) (i32.const 0))",
           undefined);
 
 // init: seg ix is valid passive, zero len, and dst offset out of bounds past the
-// end of the table - this is not allowed
+// end of the table - this is allowed
 tab_test1("(table.init 1 (i32.const 31) (i32.const 2) (i32.const 0))",
-          "out of bounds");
+          undefined);
 
 // init: seg ix is valid passive, zero len, and dst and src offsets out of bounds
 // at the end of the table - this is allowed
