js/src/jit-test/tests/wasm/memory-partial-oob-store.js


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

// Cloned from memory.js but kept separate because it may have to be disabled on
// some devices until bugs are fixed.

// Bug 1666747 - partially OOB unaligned stores are not handled correctly on ARM
// and ARM64.  The simulators don't implement the correct semantics anyhow, so
// when the bug is fixed in the code generator they must remain excluded here.
var conf = getBuildConfiguration();
var excluded = conf.arm64 || conf["arm64-simulator"] || conf.arm || conf["arm-simulator"];
var thirtytwobit = conf["pointer-byte-size"] == 4;

const RuntimeError = WebAssembly.RuntimeError;

function storeModuleSrc(type, ext, offset, align) {
    var load_ext = ext === '' ? '' : ext + '_s';
    return `(module
       (memory (export "mem") 1)
       (data (i32.const 0) "\\00\\01\\02\\03\\04\\05\\06\\07\\08\\09\\0a\\0b\\0c\\0d\\0e\\0f")
       (data (i32.const 16) "\\f0\\f1\\f2\\f3\\f4\\f5\\f6\\f7\\f8\\f9\\fa\\fb\\fc\\fd\\fe\\ff")
       (func $store (param i32) (param ${type})
         (${type}.store${ext}
          offset=${offset}
          ${align != 0 ? 'align=' + align : ''}
          (local.get 0)
          (local.get 1)
         )
       ) (export "store" (func 0))
       (func $load (param i32) (result ${type})
        (${type}.load${load_ext}
         offset=${offset}
         ${align != 0 ? 'align=' + align : ''}
         (local.get 0)
        )
       ) (export "load" (func 1)))`;
}

function storeModule(type, ext, offset, align, exportBox = null) {
    let exports = wasmEvalText(storeModuleSrc(type, ext, offset, align)).exports;
    if (exportBox !== null)
        exportBox.exports = exports;
    return exports;
}

function testStoreOOB(type, ext, base, offset, align, value) {
    let exportBox = {};
    if (type === 'i64') {
        assertErrorMessage(() => wasmAssert(
            storeModuleSrc(type, ext, offset, align),
            [{type, func: '$store', args: [`i32.const ${base}`, `i64.const ${value}`]}],
            {},
            exportBox
        ), RuntimeError, /index out of bounds/);
    } else {
        assertErrorMessage(() => storeModule(type, ext, offset, align, exportBox).store(base, value),
                           RuntimeError,
                           /index out of bounds/);
    }

    // Check that there were no partial writes at the end of the memory.
    let buf = new Int8Array(exportBox.exports.mem.buffer);
    let len = buf.length;
    for ( let addr = base + offset ; addr < len; addr++ )
        assertEq(buf[addr], 0);
}

// Test bounds checks and edge cases.

for (let align of [0,1,2,4]) {

    for (let offset of [0, 1, 2, 3, 4, 8, 16, 41, 0xfff0, 0xfff8]) {
        // Accesses of 1 byte.
        let lastValidIndex = 0x10000 - 1 - offset;
        if (align < 2 && !excluded) {
            testStoreOOB('i32', '8', lastValidIndex + 1, offset, align, -42);
        }

        // Accesses of 2 bytes.
        lastValidIndex = 0x10000 - 2 - offset;
        if (align < 4 && !excluded) {
            testStoreOOB('i32', '16', lastValidIndex + 1, offset, align, -32768);
        }

        // Accesses of 4 bytes.
        lastValidIndex = 0x10000 - 4 - offset;
        if (!excluded) {
            testStoreOOB('i32', '', lastValidIndex + 1, offset, align, 1337);
            testStoreOOB('f32', '', lastValidIndex + 1, offset, align, Math.fround(13.37));
        }

        // Accesses of 8 bytes.
        lastValidIndex = 0x10000 - 8 - offset;
        if (!excluded) {
            testStoreOOB('f64', '', lastValidIndex + 1, offset, align, 1.23456789);
        }
    }

    for (let offset of [0, 1, 2, 3, 4, 8, 16, 41, 0xfff0, 0xfff8]) {
        // Accesses of 1 byte.
        let lastValidIndex = 0x10000 - 1 - offset;
        if (align < 2 && !excluded) {
            testStoreOOB('i64', '8', lastValidIndex + 1, offset, align, -42);
        }

        // Accesses of 2 bytes.
        lastValidIndex = 0x10000 - 2 - offset;
        if (align < 4 && !excluded) {
            testStoreOOB('i64', '16', lastValidIndex + 1, offset, align, -32768);
        }

        // Accesses of 4 bytes.
        lastValidIndex = 0x10000 - 4 - offset;
        if (!excluded) {
            testStoreOOB('i64', '32', lastValidIndex + 1, offset, align, 0xf1231337 | 0);
        }

        // Accesses of 8 bytes.
        lastValidIndex = 0x10000 - 8 - offset;
        if (!excluded) {
            testStoreOOB('i64', '', lastValidIndex + 1, offset, align, '0x1234567887654321');
        }
    }
}

// On 32-bit platforms, a declared-aligned i64 store is implemented as two
// presumed-aligned 32-bit stores.  This tests that we don't store the low
// word before the high word if the low word is in-bounds but the high word
// is not.
if (thirtytwobit) {
    testStoreOOB('i64', '', 0x10000 - 4, 0, 0, '0x0123456789abcdef');
}