[wasm][fuzzer] Do not execute modules with start function

In the WebAssembly fuzzers we detect infinite loops with the interpreter: if the interpreter does not finish after a finite number of steps, we do not execute the compiled code. However, we cannot redirect the start function to the interpreter in the fuzzer, and therefore we cannot detect infinite loops in the start function. With this CL we avoid the problem completely by not instantiating a module in the fuzzer which has a start function. Note that the module still gets compiled. R=clemensh@chromium.org Bug: chromium:858914 Change-Id: Icbbe9a003544918d5267cdd1d9405b21bb681133 Reviewed-on: https://chromium-review.googlesource.com/1126766 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#54246}

[wasm][fuzzer] Do not execute modules with start function
In the WebAssembly fuzzers we detect infinite loops with the interpreter: if the interpreter does not finish after a finite number of steps, we do not execute the compiled code. However, we cannot redirect the start function to the interpreter in the fuzzer, and therefore we cannot detect infinite loops in the start function. With this CL we avoid the problem completely by not instantiating a module in the fuzzer which has a start function. Note that the module still gets compiled. R=clemensh@chromium.org Bug: chromium:858914 Change-Id: Icbbe9a003544918d5267cdd1d9405b21bb681133 Reviewed-on: https://chromium-review.googlesource.com/1126766 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#54246}
df41fa7a · Andreas Haas · Commit Bot · f8e76e4b · df41fa7a
Commit df41fa7a authored Jul 05, 2018 by Andreas Haas Committed by Commit Bot Jul 05, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

wasm-fuzzer-common.cc test/fuzzer/wasm-fuzzer-common.cc +4 -0

No files found.
--- a/test/fuzzer/wasm-fuzzer-common.cc
+++ b/test/fuzzer/wasm-fuzzer-common.cc
@@ -67,6 +67,10 @@ int FuzzWasmSection(SectionCode section, const uint8_t* data, size_t size) {

 void InterpretAndExecuteModule(i::Isolate* isolate,
                               Handle<WasmModuleObject> module_object) {
+  // We do not instantiate the module if there is a start function, because a
+  // start function can contain an infinite loop which we cannot handle.
+  if (module_object->module()->start_function_index >= 0) return;
+
  ErrorThrower thrower(isolate, "WebAssembly Instantiation");
  MaybeHandle<WasmInstanceObject> maybe_instance;
  Handle<WasmInstanceObject> instance;