Bug 1598149 - Treat data/elem.drop as shrink-to-zero, disallow zero length past end of bounds. r=lth

Spec Issue: WebAssembly/bulk-memory-operations#124

The inline path for memory.copy/fill are updated to fallback to the OOL path
when the length is 0 to have proper bounds checking behavior.

Differential Revision: https://phabricator.services.mozilla.com/D54599

--HG--
extra : moz-landing-system : lando

Author: eqrion

js/src/jit-test/tests/wasm/declared-segs.js

@@ -32,9 +32,8 @@ function test(ins) {
 			)
 		`),
 		WebAssembly.RuntimeError,
-		'use of dropped element segment');
+		'index out of bounds');
 }
-test('(elem.drop 0)');
 test('(table.init 0 (i32.const 0) (i32.const 0) (i32.const 1))');
 
 // Declared segments don't cause initialization of a table

js/src/jit-test/tests/wasm/gc/tables-fill.js

@@ -57,7 +57,7 @@ function testTableFill(tbl_type, val_type, obj) {
 
   // Partly outside the table
   assertErrorMessage(() => ins.exports.fill1(8, obj[5], 3),
-                     RangeError, /table index out of bounds/);
+                     WebAssembly.RuntimeError, /index out of bounds/);
 
   assertEq(ins.exports.get1(7), null);
   assertEq(ins.exports.get1(8), null);
@@ -106,25 +106,26 @@ function testTableFill(tbl_type, val_type, obj) {
 
   // Length-one fill1 at the edge of the table fails
   assertErrorMessage(() => ins.exports.fill1(10, null, 1),
-                     RangeError, /table index out of bounds/);
+                     WebAssembly.RuntimeError, /index out of bounds/);
 
   // Length-more-than-one fill1 at the edge of the table fails
   assertErrorMessage(() => ins.exports.fill1(10, null, 2),
-                     RangeError, /table index out of bounds/);
+                     WebAssembly.RuntimeError, /index out of bounds/);
 
 
   // Boundary tests on table 1: beyond the edge of the table:
 
-  // Length-zero fill1 beyond the edge of the table must succeed
-  assertEq(ins.exports.fill1(11, null, 0), undefined);
+  // Length-zero fill1 beyond the edge of the table fails
+  assertErrorMessage(() => ins.exports.fill1(11, null, 0),
+                     WebAssembly.RuntimeError, /index out of bounds/);
 
   // Length-one fill1 beyond the edge of the table fails
   assertErrorMessage(() => ins.exports.fill1(11, null, 1),
-                     RangeError, /table index out of bounds/);
+                     WebAssembly.RuntimeError, /index out of bounds/);
 
   // Length-more-than-one fill1 beyond the edge of the table fails
   assertErrorMessage(() => ins.exports.fill1(11, null, 2),
-                     RangeError, /table index out of bounds/);
+                     WebAssembly.RuntimeError, /index out of bounds/);
 
   // Following all the above tests on table 1, check table 0 hasn't changed.
   check_table0();

js/src/jit-test/tests/wasm/import-export.js

@@ -510,7 +510,11 @@ var m = new Module(wasmTextToBinary(`
         (memory 0)
         (data (i32.const 0x10001) ""))
 `));
-assertEq(new Instance(m) instanceof Instance, true);
+if (wasmBulkMemSupported()) {
+    assertErrorMessage(() => new Instance(m), RuntimeError, /out of bounds/);
+} else {
+    assertEq(new Instance(m) instanceof Instance, true);
+}
 
 // Errors during segment initialization do not have observable effects
 // and are checked against the actual memory/table length, not the declared

js/src/jit-test/tests/wasm/passive-segs-boundary.js

@@ -178,12 +178,11 @@ mem_test("(memory.init 4 (i32.const 1234) (i32.const 1) (i32.const 1))", "",
          WebAssembly.CompileError, /memory.init segment index out of range/);
 
 // drop with data seg ix indicating an active segment
-mem_test("data.drop 2", "",
-         WebAssembly.RuntimeError, /use of dropped data segment/);
+mem_test("data.drop 2", "");
 
 // init with data seg ix indicating an active segment
 mem_test("(memory.init 2 (i32.const 1234) (i32.const 1) (i32.const 1))", "",
-         WebAssembly.RuntimeError, /use of dropped data segment/);
+         WebAssembly.RuntimeError, /index out of bounds/);
 
 // init, using a data seg ix more than once is OK
 mem_test_nofail(
@@ -192,13 +191,12 @@ mem_test_nofail(
 
 // drop, then drop
 mem_test("data.drop 1",
-         "data.drop 1",
-         WebAssembly.RuntimeError, /use of dropped data segment/);
+         "data.drop 1");
 
 // drop, then init
 mem_test("data.drop 1",
          "(memory.init 1 (i32.const 1234) (i32.const 1) (i32.const 1))",
-         WebAssembly.RuntimeError, /use of dropped data segment/);
+         WebAssembly.RuntimeError, /index out of bounds/);
 
 // init: seg ix is valid passive, but length to copy > len of seg
 mem_test("",
@@ -223,7 +221,8 @@ mem_test("",
 // init: seg ix is valid passive, zero len, but src offset out of bounds one
 // past the edge
 mem_test("",
-         "(memory.init 1 (i32.const 1234) (i32.const 5) (i32.const 0))");
+         "(memory.init 1 (i32.const 1234) (i32.const 5) (i32.const 0))",
+         WebAssembly.RuntimeError, /index out of bounds/);
 
 // init: seg ix is valid passive, zero len, but dst offset out of bounds at the
 // edge
@@ -233,7 +232,8 @@ mem_test("",
 // init: seg ix is valid passive, zero len, but dst offset out of bounds one
 // past the edge
 mem_test("",
-         "(memory.init 1 (i32.const 0x10001) (i32.const 2) (i32.const 0))");
+         "(memory.init 1 (i32.const 0x10001) (i32.const 2) (i32.const 0))",
+         WebAssembly.RuntimeError, /index out of bounds/);
 
 // drop: too many args
 mem_test("data.drop 1 (i32.const 42)", "",
@@ -305,12 +305,11 @@ tab_test("(table.init 4 (i32.const 12) (i32.const 1) (i32.const 1))", "",
          WebAssembly.CompileError, /table.init segment index out of range/);
 
 // drop with elem seg ix indicating an active segment
-tab_test("elem.drop 2", "",
-         WebAssembly.RuntimeError, /use of dropped element segment/);
+tab_test("elem.drop 2", "");
 
 // init with elem seg ix indicating an active segment
 tab_test("(table.init 2 (i32.const 12) (i32.const 1) (i32.const 1))", "",
-         WebAssembly.RuntimeError, /use of dropped element segment/);
+         WebAssembly.RuntimeError, /index out of bounds/);
 
 // init, using an elem seg ix more than once is OK
 tab_test_nofail(
@@ -319,13 +318,12 @@ tab_test_nofail(
 
 // drop, then drop
 tab_test("elem.drop 1",
-         "elem.drop 1",
-         WebAssembly.RuntimeError, /use of dropped element segment/);
+         "elem.drop 1");
 
 // drop, then init
 tab_test("elem.drop 1",
          "(table.init 1 (i32.const 12) (i32.const 1) (i32.const 1))",
-         WebAssembly.RuntimeError, /use of dropped element segment/);
+         WebAssembly.RuntimeError, /index out of bounds/);
 
 // init: seg ix is valid passive, but length to copy > len of seg
 tab_test("",
@@ -350,7 +348,8 @@ tab_test("",
 // init: seg ix is valid passive, zero len, but src offset out of bounds one
 // past the edge
 tab_test("",
-         "(table.init 1 (i32.const 12) (i32.const 5) (i32.const 0))");
+         "(table.init 1 (i32.const 12) (i32.const 5) (i32.const 0))",
+         WebAssembly.RuntimeError, /index out of bounds/);
 
 // init: seg ix is valid passive, zero len, but dst offset out of bounds
 tab_test("",
@@ -359,7 +358,8 @@ tab_test("",
 // init: seg ix is valid passive, zero len, but dst offset out of bounds one
 // past the edge
 tab_test("",
-         "(table.init 1 (i32.const 31) (i32.const 2) (i32.const 0))");
+         "(table.init 1 (i32.const 31) (i32.const 2) (i32.const 0))",
+         WebAssembly.RuntimeError, /index out of bounds/);
 
 // drop: too many args
 tab_test("elem.drop 1 (i32.const 42)", "",
@@ -433,12 +433,12 @@ tab_test("(table.copy (i32.const 30) (i32.const 15) (i32.const 0))",
 
 // copy: zero length with dst offset out of bounds one past the edge
 tab_test("(table.copy (i32.const 31) (i32.const 15) (i32.const 0))",
-         "");
+         "", WebAssembly.RuntimeError, /index out of bounds/);
 
 // copy: zero length with src offset out of bounds at the edge
 tab_test("(table.copy (i32.const 15) (i32.const 30) (i32.const 0))",
          "");
 
 // copy: zero length with src offset out of bounds one past the edge
 tab_test("(table.copy (i32.const 15) (i32.const 31) (i32.const 0))",
-         "");
+         "", WebAssembly.RuntimeError, /index out of bounds/);

js/src/jit-test/tests/wasm/passive-segs-nonboundary.js

@@ -572,7 +572,8 @@ function checkRange(arr, minIx, maxIxPlusOne, expectedValue)
        )
      )`
     );
-    inst.exports.testfn();
+    assertErrorMessage(() => inst.exports.testfn(),
+                       WebAssembly.RuntimeError, /index out of bounds/);
 }
 
 // Very large range
@@ -752,7 +753,8 @@ function checkRange(arr, minIx, maxIxPlusOne, expectedValue)
        )
      )`
     );
-    inst.exports.testfn();
+    assertErrorMessage(() => inst.exports.testfn(),
+                       WebAssembly.RuntimeError, /index out of bounds/);
 }
 
 // Zero len with src offset out-of-bounds at the edge of memory
@@ -778,7 +780,8 @@ function checkRange(arr, minIx, maxIxPlusOne, expectedValue)
        )
      )`
     );
-    inst.exports.testfn();
+    assertErrorMessage(() => inst.exports.testfn(),
+                       WebAssembly.RuntimeError, /index out of bounds/);
 }
 
 // 100 random fills followed by 100 random copies, in a single-page buffer,

js/src/js.msg

@@ -407,8 +407,6 @@ MSG_DEF(JSMSG_WASM_INT_DIVIDE_BY_ZERO, 0, JSEXN_WASMRUNTIMEERROR, "integer divid
 MSG_DEF(JSMSG_WASM_OUT_OF_BOUNDS,      0, JSEXN_WASMRUNTIMEERROR, "index out of bounds")
 MSG_DEF(JSMSG_WASM_UNALIGNED_ACCESS,   0, JSEXN_WASMRUNTIMEERROR, "unaligned memory access")
 MSG_DEF(JSMSG_WASM_WAKE_OVERFLOW,      0, JSEXN_WASMRUNTIMEERROR, "too many woken agents")
-MSG_DEF(JSMSG_WASM_DROPPED_DATA_SEG,   0, JSEXN_WASMRUNTIMEERROR, "use of dropped data segment")
-MSG_DEF(JSMSG_WASM_DROPPED_ELEM_SEG,   0, JSEXN_WASMRUNTIMEERROR, "use of dropped element segment")
 MSG_DEF(JSMSG_WASM_DEREF_NULL,         0, JSEXN_WASMRUNTIMEERROR, "dereferencing null pointer")
 MSG_DEF(JSMSG_WASM_BAD_RANGE ,         2, JSEXN_RANGEERR,    "bad {0} {1}")
 MSG_DEF(JSMSG_WASM_BAD_GROW,           1, JSEXN_RANGEERR,    "failed to grow {0}")

js/src/wasm/WasmBaselineCompile.cpp

@@ -10703,7 +10703,7 @@ bool BaseCompiler::emitMemCopy() {
 
   int32_t signedLength;
   if (MacroAssembler::SupportsFastUnalignedAccesses() &&
-      peekConstI32(&signedLength) &&
+      peekConstI32(&signedLength) && signedLength != 0 &&
       uint32_t(signedLength) <= MaxInlineMemoryCopyLength) {
     return emitMemCopyInline();
   }
@@ -10728,17 +10728,11 @@ bool BaseCompiler::emitMemCopyInline() {
   int32_t signedLength;
   MOZ_ALWAYS_TRUE(popConstI32(&signedLength));
   uint32_t length = signedLength;
+  MOZ_ASSERT(length != 0 && length <= MaxInlineMemoryCopyLength);
 
   RegI32 src = popI32();
   RegI32 dest = popI32();
 
-  // A zero length copy is a no-op and cannot trap
-  if (length == 0) {
-    freeI32(src);
-    freeI32(dest);
-    return true;
-  }
-
   // Compute the number of copies of each width we will need to do
   size_t remainder = length;
 #ifdef JS_64BIT
@@ -10980,7 +10974,7 @@ bool BaseCompiler::emitMemFill() {
   int32_t signedLength;
   int32_t signedValue;
   if (MacroAssembler::SupportsFastUnalignedAccesses() &&
-      peek2xI32(&signedLength, &signedValue) &&
+      peek2xI32(&signedLength, &signedValue) && signedLength != 0 &&
       uint32_t(signedLength) <= MaxInlineMemoryFillLength) {
     return emitMemFillInline();
   }
@@ -11003,15 +10997,10 @@ bool BaseCompiler::emitMemFillInline() {
   MOZ_ALWAYS_TRUE(popConstI32(&signedValue));
   uint32_t length = uint32_t(signedLength);
   uint32_t value = uint32_t(signedValue);
+  MOZ_ASSERT(length != 0 && length <= MaxInlineMemoryFillLength);
 
   RegI32 dest = popI32();
 
-  // A zero length copy is a no-op and cannot trap
-  if (length == 0) {
-    freeI32(dest);
-    return true;
-  }
-
   // Compute the number of copies of each width we will need to do
   size_t remainder = length;
 #ifdef JS_64BIT

js/src/wasm/WasmInstance.cpp

@@ -463,11 +463,6 @@ inline int32_t WasmMemoryCopy(T memBase, uint32_t memLen,
   uint64_t srcOffsetLimit = uint64_t(srcByteOffset) + uint64_t(len);
 
   if (dstOffsetLimit > memLen || srcOffsetLimit > memLen) {
-    if (len == 0) {
-      // Zero length copies that are out-of-bounds do not trap.
-      return 0;
-    }
-
     JSContext* cx = TlsContext.get();
     JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
                               JSMSG_WASM_OUT_OF_BOUNDS);
@@ -515,9 +510,7 @@ inline int32_t WasmMemoryCopy(T memBase, uint32_t memLen,
                      "ensured by validation");
 
   if (!instance->passiveDataSegments_[segIndex]) {
-    JS_ReportErrorNumberASCII(TlsContext.get(), GetErrorMessage, nullptr,
-                              JSMSG_WASM_DROPPED_DATA_SEG);
-    return -1;
+    return 0;
   }
 
   SharedDataSegment& segRefPtr = instance->passiveDataSegments_[segIndex];
@@ -535,11 +528,6 @@ inline int32_t WasmMemoryFill(T memBase, uint32_t memLen, uint32_t byteOffset,
   uint64_t offsetLimit = uint64_t(byteOffset) + uint64_t(len);
 
   if (offsetLimit > memLen) {
-    if (len == 0) {
-      // Zero length fills that are out-of-bounds do not trap.
-      return 0;
-    }
-
     JSContext* cx = TlsContext.get();
     JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
                               JSMSG_WASM_OUT_OF_BOUNDS);
@@ -586,15 +574,13 @@ inline int32_t WasmMemoryFill(T memBase, uint32_t memLen, uint32_t byteOffset,
   MOZ_RELEASE_ASSERT(size_t(segIndex) < instance->passiveDataSegments_.length(),
                      "ensured by validation");
 
-  // Zero length inits that are out-of-bounds do not trap, even if the segment
-  // has been dropped.
-  if (len == 0) {
-    return 0;
-  }
-
   if (!instance->passiveDataSegments_[segIndex]) {
+    if (len == 0 && srcOffset == 0) {
+      return 0;
+    }
+
     JS_ReportErrorNumberASCII(TlsContext.get(), GetErrorMessage, nullptr,
-                              JSMSG_WASM_DROPPED_DATA_SEG);
+                              JSMSG_WASM_OUT_OF_BOUNDS);
     return -1;
   }
 
@@ -652,11 +638,6 @@ inline int32_t WasmMemoryFill(T memBase, uint32_t memLen, uint32_t byteOffset,
   uint64_t srcOffsetLimit = uint64_t(srcOffset) + len;
 
   if (dstOffsetLimit > dstTableLen || srcOffsetLimit > srcTableLen) {
-    // Zero length copies that are out-of-bounds do not trap.
-    if (len == 0) {
-      return 0;
-    }
-
     JS_ReportErrorNumberASCII(TlsContext.get(), GetErrorMessage, nullptr,
                               JSMSG_WASM_OUT_OF_BOUNDS);
     return -1;
@@ -696,9 +677,7 @@ inline int32_t WasmMemoryFill(T memBase, uint32_t memLen, uint32_t byteOffset,
                      "ensured by validation");
 
   if (!instance->passiveElemSegments_[segIndex]) {
-    JS_ReportErrorNumberASCII(TlsContext.get(), GetErrorMessage, nullptr,
-                              JSMSG_WASM_DROPPED_ELEM_SEG);
-    return -1;
+    return 0;
   }
 
   SharedElemSegment& segRefPtr = instance->passiveElemSegments_[segIndex];
@@ -776,15 +755,13 @@ bool Instance::initElems(uint32_t tableIndex, const ElemSegment& seg,
   MOZ_RELEASE_ASSERT(size_t(segIndex) < instance->passiveElemSegments_.length(),
                      "ensured by validation");
 
-  // Zero length inits that are out-of-bounds do not trap, even if the segment
-  // has been dropped.
-  if (len == 0) {
-    return 0;
-  }
-
   if (!instance->passiveElemSegments_[segIndex]) {
+    if (len == 0 && srcOffset == 0) {
+      return 0;
+    }
+
     JS_ReportErrorNumberASCII(TlsContext.get(), GetErrorMessage, nullptr,
-                              JSMSG_WASM_DROPPED_ELEM_SEG);
+                              JSMSG_WASM_OUT_OF_BOUNDS);
     return -1;
   }
 
@@ -830,13 +807,8 @@ bool Instance::initElems(uint32_t tableIndex, const ElemSegment& seg,
   uint64_t offsetLimit = uint64_t(start) + uint64_t(len);
 
   if (offsetLimit > table.length()) {
-    // Zero length fills that are out-of-bounds do not trap.
-    if (len == 0) {
-      return 0;
-    }
-
     JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
-                              JSMSG_WASM_TABLE_OUT_OF_BOUNDS);
+                              JSMSG_WASM_OUT_OF_BOUNDS);
     return -1;
   }