Fix fuzzer generation of a DataSegment + add validation that would have caught it (#6626)

kripken · web-flow · commit 9b61eb3ab9c9 · 2024-05-23T16:06:19.000-07:00
The DataSegment was manually added to .dataSegments, but we need to add it
using addDataSegment so the maps are updated and getDataSegment(name)
works.

Also add validation that would have caught this earlier: check that each item in
the item lists can be fetched by name.
diff --git a/src/tools/fuzzing/fuzzing.cpp b/src/tools/fuzzing/fuzzing.cpp
@@ -224,13 +224,14 @@ void TranslateToFuzzReader::setupMemory() {
     auto segment = builder.makeDataSegment();
     segment->memory = memory->name;
     segment->offset = builder.makeConst(int32_t(0));
-    segment->setName(Name::fromInt(0), false);
-    wasm.dataSegments.push_back(std::move(segment));
+    segment->setName(Names::getValidDataSegmentName(wasm, Name::fromInt(0)),
+                     false);
     auto num = upTo(USABLE_MEMORY * 2);
     for (size_t i = 0; i < num; i++) {
       auto value = upTo(512);
-      wasm.dataSegments[0]->data.push_back(value >= 256 ? 0 : (value & 0xff));
+      segment->data.push_back(value >= 256 ? 0 : (value & 0xff));
     }
+    wasm.addDataSegment(std::move(segment));
   }
 }
 
diff --git a/src/wasm/wasm-validator.cpp b/src/wasm/wasm-validator.cpp
@@ -3908,7 +3908,7 @@ static void validateTags(Module& module, ValidationInfo& info) {
   }
 }
 
-static void validateModule(Module& module, ValidationInfo& info) {
+static void validateStart(Module& module, ValidationInfo& info) {
   // start
   if (module.start.is()) {
     auto func = module.getFunctionOrNull(module.start);
@@ -3924,6 +3924,59 @@ static void validateModule(Module& module, ValidationInfo& info) {
   }
 }
 
+namespace {
+template<typename T, typename U>
+void validateModuleMap(Module& module,
+                       ValidationInfo& info,
+                       T& list,
+                       U getter,
+                       const std::string& kind) {
+  // Given a list of module elements (like exports or globals), see that we can
+  // get the items using the getter (getExportorNull, etc.). The getter uses the
+  // lookup map internally, so this validates that they contain all items in
+  // the list.
+  for (auto& item : list) {
+    auto* ptr = (module.*getter)(item->name);
+    if (!ptr) {
+      info.fail(kind + " must be found (use updateMaps)", item->name, nullptr);
+    } else {
+      info.shouldBeEqual(item->name,
+                         ptr->name,
+                         item->name,
+                         "getter must return the correct item");
+    }
+  }
+
+  // TODO: Also check there is nothing extraneous in the map, but that would
+  //       require inspecting private fields of Module.
+}
+} // anonymous namespace
+
+static void validateModuleMaps(Module& module, ValidationInfo& info) {
+  // Module maps should be up to date.
+  validateModuleMap(
+    module, info, module.exports, &Module::getExportOrNull, "Export");
+  validateModuleMap(
+    module, info, module.functions, &Module::getFunctionOrNull, "Function");
+  validateModuleMap(
+    module, info, module.globals, &Module::getGlobalOrNull, "Global");
+  validateModuleMap(module, info, module.tags, &Module::getTagOrNull, "Tag");
+  validateModuleMap(module,
+                    info,
+                    module.elementSegments,
+                    &Module::getElementSegmentOrNull,
+                    "ElementSegment");
+  validateModuleMap(
+    module, info, module.memories, &Module::getMemoryOrNull, "Memory");
+  validateModuleMap(module,
+                    info,
+                    module.dataSegments,
+                    &Module::getDataSegmentOrNull,
+                    "DataSegment");
+  validateModuleMap(
+    module, info, module.tables, &Module::getTableOrNull, "Table");
+}
+
 static void validateFeatures(Module& module, ValidationInfo& info) {
   if (module.features.hasGC()) {
     info.shouldBeTrue(module.features.hasReferenceTypes(),
@@ -4004,7 +4057,8 @@ bool WasmValidator::validate(Module& module, Flags flags) {
     validateDataSegments(module, info);
     validateTables(module, info);
     validateTags(module, info);
-    validateModule(module, info);
+    validateStart(module, info);
+    validateModuleMaps(module, info);
     validateFeatures(module, info);
     if (info.closedWorld) {
       validateClosedWorldInterface(module, info);

Original file line number	Diff line number	Diff line change
`@@ -224,13 +224,14 @@ void TranslateToFuzzReader::setupMemory() {`
`224`	`224`	`auto segment = builder.makeDataSegment();`
`225`	`225`	`segment->memory = memory->name;`
`226`	`226`	`segment->offset = builder.makeConst(int32_t(0));`
`227`		`- segment->setName(Name::fromInt(0), false);`
`228`		`- wasm.dataSegments.push_back(std::move(segment));`
	`227`	`+ segment->setName(Names::getValidDataSegmentName(wasm, Name::fromInt(0)),`
	`228`	`+ false);`
`229`	`229`	`auto num = upTo(USABLE_MEMORY * 2);`
`230`	`230`	`for (size_t i = 0; i < num; i++) {`
`231`	`231`	`auto value = upTo(512);`
`232`		`- wasm.dataSegments[0]->data.push_back(value >= 256 ? 0 : (value & 0xff));`
	`232`	`+ segment->data.push_back(value >= 256 ? 0 : (value & 0xff));`
`233`	`233`	`}`
	`234`	`+ wasm.addDataSegment(std::move(segment));`
`234`	`235`	`}`
`235`	`236`	`}`
`236`	`237`