Validate type references by index (#2584)

Author: zherczeg

include/wabt/shared-validator.h

@@ -72,6 +72,7 @@ class SharedValidator {
                     Index type_index);
   Result OnStructType(const Location&, Index field_count, TypeMut* fields);
   Result OnArrayType(const Location&, TypeMut field);
+  Result EndTypeSection();
 
   Result OnFunction(const Location&, Var sig_var);
   Result OnTable(const Location&, Type elem_type, const Limits&);
@@ -294,6 +295,7 @@ class SharedValidator {
                    Type actual,
                    Type expected,
                    const char* desc);
+  Result CheckReferenceType(const Location&, Type type, const char* desc);
   Result CheckLimits(const Location&,
                      const Limits&,
                      uint64_t absolute_max,

src/shared-validator.cc

@@ -76,6 +76,21 @@ Result SharedValidator::OnArrayType(const Location&, TypeMut field) {
   return Result::Ok;
 }
 
+Result SharedValidator::EndTypeSection() {
+  Result result = Result::Ok;
+
+  for (auto func_type : func_types_) {
+    for (auto type : func_type.second.params) {
+      result |= CheckReferenceType(Location(), type, "params");
+    }
+
+    for (auto type : func_type.second.results) {
+      result |= CheckReferenceType(Location(), type, "results");
+    }
+  }
+  return result;
+}
+
 Result SharedValidator::OnFunction(const Location& loc, Var sig_var) {
   Result result = Result::Ok;
   FuncType type;
@@ -197,6 +212,22 @@ Result SharedValidator::CheckType(const Location& loc,
   return Result::Ok;
 }
 
+Result SharedValidator::CheckReferenceType(const Location& loc,
+                                           Type type,
+                                           const char* desc) {
+  if (type.IsReferenceWithIndex()) {
+    Index index = type.GetReferenceIndex();
+    auto iter = func_types_.find(index);
+
+    if (iter == func_types_.end()) {
+      return PrintError(loc, "reference %d is out of range in %s",
+                        static_cast<int>(index), desc);
+    }
+  }
+
+  return Result::Ok;
+}
+
 Result SharedValidator::OnTag(const Location& loc, Var sig_var) {
   Result result = Result::Ok;
   FuncType type;
@@ -479,6 +510,9 @@ Result SharedValidator::OnLocalDecl(const Location& loc,
     PrintError(loc, "local count must be < 0x10000000");
     return Result::Error;
   }
+
+  CHECK_RESULT(CheckReferenceType(loc, type, "locals"));
+
   locals_.push_back(LocalDecl{type, GetLocalCount() + count});
   return Result::Ok;
 }

src/validator.cc

@@ -736,6 +736,8 @@ Result Validator::CheckModule() {
     }
   }
 
+  result_ |= validator_.EndTypeSection();
+
   // Import section.
   for (const ModuleField& field : module->fields) {
     if (auto* f = dyn_cast<ImportModuleField>(&field)) {

src/wast-parser.cc

@@ -542,6 +542,11 @@ void AppendInlineExportFields(Module* module,
   module->AppendFields(fields);
 }
 
+bool IsIndexLikelyType(Index index) {
+  // TODO: Incorrect values can be misinterpreted by the parser.
+  return index >= static_cast<Index>(Type::Void);
+}
+
 }  // End of anonymous namespace
 
 WastParser::WastParser(WastLexer* lexer,
@@ -937,10 +942,10 @@ Result WastParser::ParseValueTypeList(TypeVector* out_type_list,
     CHECK_RESULT(ParseValueType(&type));
 
     if (type.is_index()) {
-      // TODO: Incorrect values can be misinterpreted by the parser.
-      if (type.index() >= static_cast<Index>(Type::Void)) {
+      if (IsIndexLikelyType(type.index())) {
         out_type_list->push_back(Type(type.index()));
       } else {
+        type_vars->push_back(ReferenceVar(out_type_list->size(), type));
         out_type_list->push_back(Type(Type::Reference, type.index()));
       }
     } else {
@@ -1313,11 +1318,24 @@ Result WastParser::ResolveRefTypes(const Module& module,
 
     assert(type.IsReferenceWithIndex());
 
+    if (ref_var.var.is_index()) {
+      if (type.GetReferenceIndex() >= module.types.size()) {
+        errors->emplace_back(
+            ErrorLevel::Error, ref_var.var.loc,
+            StringPrintf("reference type out of range: %d (max: %d)",
+                         static_cast<int>(type.GetReferenceIndex()),
+                         static_cast<int>(module.types.size())));
+        result = Result::Error;
+      }
+      continue;
+    }
+
     if (type.GetReferenceIndex() != kInvalidIndex) {
+      // Resolved earlier.
       continue;
     }
 
-    const auto type_index = module.type_bindings.FindIndex(ref_var.var.name());
+    Index type_index = module.type_bindings.FindIndex(ref_var.var.name());
 
     if (type_index == kInvalidIndex) {
       errors->emplace_back(ErrorLevel::Error, ref_var.var.loc,
@@ -2057,7 +2075,12 @@ Result WastParser::ParseBoundValueTypeList(TokenType token,
       bindings->emplace(name,
                         Binding(loc, binding_index_offset + types->size()));
       if (type.is_index()) {
-        types->push_back(Type(type.index()));
+        if (IsIndexLikelyType(type.index())) {
+          types->push_back(Type(type.index()));
+        } else {
+          type_vars->push_back(ReferenceVar(types->size(), type));
+          types->push_back(Type(Type::Reference, type.index()));
+        }
       } else {
         assert(type.is_name());
         assert(options_->features.function_references_enabled());

test/binary/bad-reference-indicies.txt

@@ -0,0 +1,26 @@
+;;; TOOL: run-gen-wasm-bad
+;;; ARGS1: --enable-function-references
+;;; ARGS2: --enable-function-references
+magic
+version
+section(TYPE) {
+  count[2]
+  function params[1] reference 10 results[1] reference 20
+  function params[0] results[0]
+}
+section(FUNCTION) { count[1] sig[1] }
+section(CODE) {
+  count[1]
+  func {
+    local_decls[1]
+    locals[1] reference 30
+  }
+}
+(;; STDERR ;;;
+0000000: error: reference 10 is out of range in params
+0000000: error: reference 20 is out of range in results
+out/test/binary/bad-reference-indicies/bad-reference-indicies.wasm:000001d: error: reference 30 is out of range in locals
+0000000: error: reference 10 is out of range in params
+0000000: error: reference 20 is out of range in results
+out/test/binary/bad-reference-indicies/bad-reference-indicies.wasm:000001d: error: reference 30 is out of range in locals
+;;; STDERR ;;)

test/gen-wasm.py

@@ -43,6 +43,7 @@
     'f64': 0x7c,    # -4
     'v128': 0x7b,    # -5
     'funcref': 0x70,    # -0x10
+    'reference': 0x6b,    # -0x15
     'function': 0x60,    # -0x20
     'struct': 0x5f,    # -0x21
     'array': 0x5e,    # -0x22

test/parse/bad-references.txt

@@ -0,0 +1,29 @@
+;;; TOOL: wat2wasm
+;;; ARGS: --enable-function-references
+;;; ERROR: 1
+(module
+  ;; Implicit type declarations are not allowed
+  (type $t0 (func (param (ref 2))))
+  (type $t1 (func (param (ref 33)) (result (ref 444))))
+
+  (func $f (param $p1 (ref 5555))
+    (local $p2 (ref 66666))
+  )
+)
+(;; STDERR ;;;
+out/test/parse/bad-references.txt:6:31: error: reference type out of range: 2 (max: 2)
+  (type $t0 (func (param (ref 2))))
+                              ^
+out/test/parse/bad-references.txt:7:31: error: reference type out of range: 33 (max: 2)
+  (type $t1 (func (param (ref 33)) (result (ref 444))))
+                              ^^
+out/test/parse/bad-references.txt:7:49: error: reference type out of range: 444 (max: 2)
+  (type $t1 (func (param (ref 33)) (result (ref 444))))
+                                                ^^^
+out/test/parse/bad-references.txt:9:28: error: reference type out of range: 5555 (max: 2)
+  (func $f (param $p1 (ref 5555))
+                           ^^^^
+out/test/parse/bad-references.txt:10:21: error: reference type out of range: 66666 (max: 2)
+    (local $p2 (ref 66666))
+                    ^^^^^
+;;; STDERR ;;)