;; NOTE: Assertions have been generated by update_lit_checks.py --output=fuzz-exec and should not be edited.
;; RUN: wasm-opt %s -all --fuzz-exec -q -o /dev/null 2>&1 | filecheck %s
(module
  ;; Two array types: a byte array (used only in $func) and an array of
  ;; function references (the target of the new_elem / init_elem tests).
  (type $array (array (mut i8)))
  (type $array-func (array (mut funcref)))

  (table $table 10 10 funcref)

  ;; $active is applied to the table at instantiation, after which it is
  ;; dropped (length 0). $passive is never applied, so its one entry stays
  ;; readable by array.new_elem / array.init_elem.
  (elem $active (i32.const 0) $func)
  (elem $passive $func)

  ;; CHECK: [fuzz-exec] calling func
  ;; CHECK-NEXT: [fuzz-exec] note result: func => 1
  (func $func (export "func") (result i32)
    ;; Operands of array.new are evaluated left to right, so the first
    ;; return wins and the function yields 1. The second return and the
    ;; array.new itself are unreachable; the flat form makes the order explicit.
    i32.const 1
    return
    i32.const 2
    return
    array.new $array
  )

  ;; CHECK: [fuzz-exec] calling new_active
  ;; CHECK-NEXT: [trap out of bounds segment access in array.new_elem]
  (func $new_active (export "new_active")
    ;; Zero-length read at offset 1 of the dropped (empty) segment. The bounds
    ;; check covers the start offset even when nothing is copied, so a
    ;; zero-length access cannot be used to probe past the end of a segment:
    ;; this traps.
    i32.const 1                         ;; segment offset
    i32.const 0                         ;; element count
    array.new_elem $array-func $active
    drop
  )

  ;; CHECK: [fuzz-exec] calling new_active_in_bounds
  (func $new_active_in_bounds (export "new_active_in_bounds")
    ;; Zero-length read at offset 0 of the dropped segment: 0 + 0 does not
    ;; exceed the (empty) segment, so no trap.
    i32.const 0                         ;; segment offset
    i32.const 0                         ;; element count
    array.new_elem $array-func $active
    drop
  )

  ;; CHECK: [fuzz-exec] calling new_passive
  (func $new_passive (export "new_passive")
    ;; The passive segment still holds one entry, so offset 1 with count 0
    ;; is exactly at its end and is accepted.
    i32.const 1                         ;; segment offset
    i32.const 0                         ;; element count
    array.new_elem $array-func $passive
    drop
  )

  ;; CHECK: [fuzz-exec] calling init_active
  ;; CHECK-NEXT: [trap out of bounds segment access in array.init_elem]
  (func $init_active (export "init_active")
    ;; Same start-offset check as new_active, applied to array.init_elem:
    ;; copying 0 items from offset 1 of the dropped segment traps.
    i32.const 100
    array.new_default $array-func       ;; destination array, 100 slots
    i32.const 50                        ;; destination index
    i32.const 1                         ;; segment offset
    i32.const 0                         ;; element count
    array.init_elem $array-func $active
  )

  ;; CHECK: [fuzz-exec] calling init_active_in_bounds
  (func $init_active_in_bounds (export "init_active_in_bounds")
    ;; Copying 0 items from offset 0 of the dropped segment stays in bounds.
    i32.const 100
    array.new_default $array-func       ;; destination array, 100 slots
    i32.const 50                        ;; destination index
    i32.const 0                         ;; segment offset
    i32.const 0                         ;; element count
    array.init_elem $array-func $active
  )

  ;; CHECK: [fuzz-exec] calling init_passive
  (func $init_passive (export "init_passive")
    ;; Passive segment of length 1: offset 1, count 0 is in bounds.
    i32.const 100
    array.new_default $array-func       ;; destination array, 100 slots
    i32.const 50                        ;; destination index
    i32.const 1                         ;; segment offset
    i32.const 0                         ;; element count
    array.init_elem $array-func $passive
  )
)
;; CHECK: [fuzz-exec] calling func
;; CHECK-NEXT: [fuzz-exec] note result: func => 1
;; CHECK: [fuzz-exec] calling new_active
;; CHECK-NEXT: [trap out of bounds segment access in array.new_elem]
;; CHECK: [fuzz-exec] calling new_active_in_bounds
;; CHECK: [fuzz-exec] calling new_passive
;; CHECK: [fuzz-exec] calling init_active
;; CHECK-NEXT: [trap out of bounds segment access in array.init_elem]
;; CHECK: [fuzz-exec] calling init_active_in_bounds
;; CHECK: [fuzz-exec] calling init_passive
;; CHECK-NEXT: [fuzz-exec] comparing func
;; CHECK-NEXT: [fuzz-exec] comparing init_active
;; CHECK-NEXT: [fuzz-exec] comparing init_active_in_bounds
;; CHECK-NEXT: [fuzz-exec] comparing init_passive
;; CHECK-NEXT: [fuzz-exec] comparing new_active
;; CHECK-NEXT: [fuzz-exec] comparing new_active_in_bounds
;; CHECK-NEXT: [fuzz-exec] comparing new_passive