[EH] Fuzzer: Add WebAssembly.JSTag fuzzing (#7283)

This JS API represents the tag of JS exceptions. Import it into the wasm
so that wasm can catch and throw JS exceptions.

Rename the previous "jsTag", which means "wasm tag created in JS" to
"wasmTag" to avoid confusion.

Author: kripken

scripts/fuzz_opt.py

@@ -1372,6 +1372,18 @@ def can_run_on_wasm(self, wasm):
         return not wasm_notices_export_changes(wasm)
 
 
+# see https://github.com/WebAssembly/binaryen/issues/6823#issuecomment-2649122032
+# as the interpreter refers to tags by name, two imports of the same Tag give it
+# two different names, but they should behave as if they are one.
+def wasm_has_duplicate_tags(wasm):
+    # as with wasm_notices_export_changes, we could be more precise here and
+    # disassemble the wasm.
+    binary = open(wasm, 'rb').read()
+    # check if we import jstag or wasmtag, which are used in the wasm, so any
+    # duplication may hit the github issue mentioned above.
+    return binary.count(b'jstag') >= 2 or binary.count(b'wasmtag') >= 2
+
+
 # Tests wasm-merge
 class Merge(TestCaseHandler):
     frequency = 0.15
@@ -1424,6 +1436,10 @@ def handle(self, wasm):
             abspath('second.wasm'), 'second', '-o', merged,
             '--skip-export-conflicts'] + FEATURE_OPTS + ['-all'])
 
+        if wasm_has_duplicate_tags(merged):
+            note_ignored_vm_run('dupe_tags')
+            return
+
         # sometimes also optimize the merged module
         if random.random() < 0.5:
             opts = get_random_opts()

scripts/fuzz_shell.js

@@ -272,7 +272,7 @@ var imports = {
       if (!which) {
         throw 'some JS error';
       } else {
-        throw new WebAssembly.Exception(jsTag, [which]);
+        throw new WebAssembly.Exception(wasmTag, [which]);
       }
     },
 
@@ -333,10 +333,13 @@ var imports = {
 // If Tags are available, add some.
 if (typeof WebAssembly.Tag !== 'undefined') {
   // A tag for general use in the fuzzer.
-  var jsTag = imports['fuzzing-support']['tag'] = new WebAssembly.Tag({
+  var wasmTag = imports['fuzzing-support']['wasmtag'] = new WebAssembly.Tag({
     'parameters': ['i32']
   });
 
+  // The JSTag that represents a JS tag.
+  imports['fuzzing-support']['jstag'] = WebAssembly.JSTag;
+
   // This allows j2wasm content to run in the fuzzer.
   imports['imports'] = {
     'j2wasm.ExceptionUtils.tag': new WebAssembly.Tag({

src/tools/execution-results.h

@@ -42,8 +42,13 @@ struct LoggingExternalInterface : public ShellExternalInterface {
   Name exportedTable;
   Module& wasm;
 
-  // The name of the imported fuzzing tag.
-  Name fuzzTag;
+  // The name of the imported fuzzing tag for wasm.
+  Name wasmTag;
+
+  // The name of the imported tag for js exceptions. If it is not imported, we
+  // use a default name here (which should differentiate it from any wasm
+  // exceptions).
+  Name jsTag = "__private";
 
   // The ModuleRunner and this ExternalInterface end up needing links both ways,
   // so we cannot init this in the constructor.
@@ -60,9 +65,12 @@ struct LoggingExternalInterface : public ShellExternalInterface {
     }
 
     for (auto& tag : wasm.tags) {
-      if (tag->module == "fuzzing-support" && tag->base == "tag") {
-        fuzzTag = tag->name;
-        break;
+      if (tag->module == "fuzzing-support") {
+        if (tag->base == "wasmtag") {
+          wasmTag = tag->name;
+        } else if (tag->base == "jstag") {
+          jsTag = tag->name;
+        }
       }
     }
   }
@@ -96,29 +104,29 @@ struct LoggingExternalInterface : public ShellExternalInterface {
         // should throw a JS exception, and any other value means we should
         // throw a wasm exception (with that value as the payload).
         if (arguments[0].geti32() == 0) {
-          throwEmptyException();
+          throwJSException();
         } else {
-          auto payload = std::make_shared<ExnData>(fuzzTag, arguments);
+          auto payload = std::make_shared<ExnData>(wasmTag, arguments);
           throwException(WasmException{Literal(payload)});
         }
       } else if (import->base == "table-get") {
         // Check for errors here, duplicating tableLoad(), because that will
         // trap, and we just want to throw an exception (the same as JS would).
         if (!exportedTable) {
-          throwEmptyException();
+          throwJSException();
         }
         auto index = arguments[0].getUnsigned();
         if (index >= tables[exportedTable].size()) {
-          throwEmptyException();
+          throwJSException();
         }
         return {tableLoad(exportedTable, index)};
       } else if (import->base == "table-set") {
         if (!exportedTable) {
-          throwEmptyException();
+          throwJSException();
         }
         auto index = arguments[0].getUnsigned();
         if (index >= tables[exportedTable].size()) {
-          throwEmptyException();
+          throwJSException();
         }
         tableStore(exportedTable, index, arguments[1]);
         return {};
@@ -172,29 +180,32 @@ struct LoggingExternalInterface : public ShellExternalInterface {
     return {};
   }
 
-  void throwEmptyException() {
-    // Use a hopefully private tag.
-    auto payload = std::make_shared<ExnData>("__private", Literals{});
+  void throwJSException() {
+    // JS exceptions contain an externref, which wasm can't read (so the actual
+    // value here does not matter).
+    Literal externref = Literal::makeI31(0, Unshared).externalize();
+    Literals arguments = {externref};
+    auto payload = std::make_shared<ExnData>(jsTag, arguments);
     throwException(WasmException{Literal(payload)});
   }
 
   Literals callExportAsJS(Index index) {
     if (index >= wasm.exports.size()) {
       // No export.
-      throwEmptyException();
+      throwJSException();
     }
     auto& exp = wasm.exports[index];
     if (exp->kind != ExternalKind::Function) {
       // No callable export.
-      throwEmptyException();
+      throwJSException();
     }
     return callFunctionAsJS(exp->value);
   }
 
   Literals callRefAsJS(Literal ref) {
     if (!ref.isFunction()) {
       // Not a callable ref.
-      throwEmptyException();
+      throwJSException();
     }
     return callFunctionAsJS(ref.getFunc());
   }
@@ -210,10 +221,10 @@ struct LoggingExternalInterface : public ShellExternalInterface {
       // An i64 param can work from JS, but fuzz_shell provides 0, which errors
       // on attempts to convert it to BigInt. v128 and exnref are disalloewd.
       if (param == Type::i64 || param == Type::v128 || param.isExn()) {
-        throwEmptyException();
+        throwJSException();
       }
       if (!param.isDefaultable()) {
-        throwEmptyException();
+        throwJSException();
       }
       arguments.push_back(Literal::makeZero(param));
     }
@@ -224,7 +235,7 @@ struct LoggingExternalInterface : public ShellExternalInterface {
       // An i64 result is fine: a BigInt will be provided. But v128 and exnref
       // still error.
       if (result == Type::v128 || result.isExn()) {
-        throwEmptyException();
+        throwJSException();
       }
     }
 

src/tools/fuzzing/fuzzing.cpp

@@ -648,13 +648,20 @@ void TranslateToFuzzReader::setupTags() {
     addTag();
   }
 
-  // Add the fuzzing support tag manually sometimes.
+  // Add the fuzzing support tags manually sometimes.
   if (oneIn(2)) {
-    auto tag = builder.makeTag(Names::getValidTagName(wasm, "tag"),
-                               Signature(Type::i32, Type::none));
-    tag->module = "fuzzing-support";
-    tag->base = "tag";
-    wasm.addTag(std::move(tag));
+    auto wasmTag = builder.makeTag(Names::getValidTagName(wasm, "wasmtag"),
+                                   Signature(Type::i32, Type::none));
+    wasmTag->module = "fuzzing-support";
+    wasmTag->base = "wasmtag";
+    wasm.addTag(std::move(wasmTag));
+
+    auto externref = Type(HeapType::ext, Nullable);
+    auto jsTag = builder.makeTag(Names::getValidTagName(wasm, "jstag"),
+                                 Signature(externref, Type::none));
+    jsTag->module = "fuzzing-support";
+    jsTag->base = "jstag";
+    wasm.addTag(std::move(jsTag));
   }
 }
 

test/lit/d8/fuzz_shell_exceptions.wast

@@ -3,6 +3,10 @@
 (module
   (import "fuzzing-support" "throw" (func $throw (param i32)))
 
+  ;; Verify that fuzz_shell.js provides these imports for the wasm.
+  (import "fuzzing-support" "wasmtag" (tag $imported-wasm-tag (param i32)))
+  (import "fuzzing-support" "jstag" (tag $imported-js-tag (param externref)))
+
   (func $throwing-js (export "throwing-js")
     ;; Telling JS to throw with arg 0 leads to a JS exception thrown.
     (call $throw
@@ -20,7 +24,7 @@
 
 ;; Build to a binary wasm.
 ;;
-;; RUN: wasm-opt %s -o %t.wasm -q
+;; RUN: wasm-opt %s -o %t.wasm -q -all
 
 ;; Run in node.
 ;;

test/lit/exec/fuzzing-api.wast

@@ -21,7 +21,8 @@
 
  (import "fuzzing-support" "sleep" (func $sleep (param i32 i32) (result i32)))
 
- (import "fuzzing-support" "tag" (tag $imported-tag (param i32)))
+ (import "fuzzing-support" "wasmtag" (tag $imported-wasm-tag (param i32)))
+ (import "fuzzing-support" "jstag" (tag $imported-js-tag (param externref)))
 
  (table $table 10 20 funcref)
 
@@ -42,7 +43,7 @@
  )
 
  ;; CHECK:      [fuzz-exec] calling throwing
- ;; CHECK-NEXT: [exception thrown: __private ()]
+ ;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
  (func $throwing (export "throwing")
   ;; Throwing 0 throws a JS ("private") exception.
   (call $throw
@@ -51,7 +52,7 @@
  )
 
  ;; CHECK:      [fuzz-exec] calling throwing-tag
- ;; CHECK-NEXT: [exception thrown: imported-tag 42]
+ ;; CHECK-NEXT: [exception thrown: imported-wasm-tag 42]
  (func $throwing-tag (export "throwing-tag")
   ;; Throwing non-0 throws using the tag we imported.
   (call $throw
@@ -60,7 +61,7 @@
  )
 
  ;; CHECK:      [fuzz-exec] calling table.setting
- ;; CHECK-NEXT: [exception thrown: __private ()]
+ ;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
  (func $table.setting (export "table.setting")
   (call $table.set
    (i32.const 5)
@@ -76,7 +77,7 @@
  ;; CHECK:      [fuzz-exec] calling table.getting
  ;; CHECK-NEXT: [LoggingExternalInterface logging 0]
  ;; CHECK-NEXT: [LoggingExternalInterface logging 1]
- ;; CHECK-NEXT: [exception thrown: __private ()]
+ ;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
  (func $table.getting (export "table.getting")
   ;; There is a non-null value at 5, and a null at 6.
   (call $log-i32
@@ -104,7 +105,7 @@
  ;; CHECK:      [fuzz-exec] calling export.calling
  ;; CHECK-NEXT: [LoggingExternalInterface logging 42]
  ;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159]
- ;; CHECK-NEXT: [exception thrown: __private ()]
+ ;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
  (func $export.calling (export "export.calling")
   ;; At index 0 in the exports we have $logging, so we will do those loggings.
   (call $call.export
@@ -140,7 +141,7 @@
  ;; CHECK:      [fuzz-exec] calling ref.calling
  ;; CHECK-NEXT: [LoggingExternalInterface logging 42]
  ;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159]
- ;; CHECK-NEXT: [exception thrown: __private ()]
+ ;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
  (func $ref.calling (export "ref.calling")
   ;; This will emit some logging.
   (call $call.ref
@@ -310,6 +311,28 @@
   )
  )
 
+ ;; CHECK:      [fuzz-exec] calling catch-js-tag
+ ;; CHECK-NEXT: [fuzz-exec] note result: catch-js-tag => 100
+ (func $catch-js-tag (export "catch-js-tag") (result i32)
+  ;; The table.set out of bounds will throw a JS exception, so it will be caught
+  ;; by the catch here, and we'll return the number at the end.
+  (drop
+   (block $out (result externref)
+    (try_table (catch $imported-js-tag $out)
+     (call $table.set
+      (i32.const 9999)
+      (ref.func $table.setting)
+     )
+     (return
+      (i32.const -1)
+     )
+    )
+   )
+  )
+  (i32.const 100)
+ )
+
+
  ;; CHECK:      [fuzz-exec] calling do-sleep
  ;; CHECK-NEXT: [fuzz-exec] note result: do-sleep => 42
  ;; CHECK-NEXT: warning: no passes specified, not doing any work
@@ -327,23 +350,23 @@
 ;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159]
 
 ;; CHECK:      [fuzz-exec] calling throwing
-;; CHECK-NEXT: [exception thrown: __private ()]
+;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
 
 ;; CHECK:      [fuzz-exec] calling throwing-tag
-;; CHECK-NEXT: [exception thrown: imported-tag 42]
+;; CHECK-NEXT: [exception thrown: imported-wasm-tag 42]
 
 ;; CHECK:      [fuzz-exec] calling table.setting
-;; CHECK-NEXT: [exception thrown: __private ()]
+;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
 
 ;; CHECK:      [fuzz-exec] calling table.getting
 ;; CHECK-NEXT: [LoggingExternalInterface logging 0]
 ;; CHECK-NEXT: [LoggingExternalInterface logging 1]
-;; CHECK-NEXT: [exception thrown: __private ()]
+;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
 
 ;; CHECK:      [fuzz-exec] calling export.calling
 ;; CHECK-NEXT: [LoggingExternalInterface logging 42]
 ;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159]
-;; CHECK-NEXT: [exception thrown: __private ()]
+;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
 
 ;; CHECK:      [fuzz-exec] calling export.calling.catching
 ;; CHECK-NEXT: [LoggingExternalInterface logging 42]
@@ -354,7 +377,7 @@
 ;; CHECK:      [fuzz-exec] calling ref.calling
 ;; CHECK-NEXT: [LoggingExternalInterface logging 42]
 ;; CHECK-NEXT: [LoggingExternalInterface logging 3.14159]
-;; CHECK-NEXT: [exception thrown: __private ()]
+;; CHECK-NEXT: [exception thrown: imported-js-tag externref]
 
 ;; CHECK:      [fuzz-exec] calling ref.calling.catching
 ;; CHECK-NEXT: [LoggingExternalInterface logging 42]
@@ -385,8 +408,12 @@
 ;; CHECK:      [fuzz-exec] calling ref.calling.trap
 ;; CHECK-NEXT: [trap unreachable]
 
+;; CHECK:      [fuzz-exec] calling catch-js-tag
+;; CHECK-NEXT: [fuzz-exec] note result: catch-js-tag => 100
+
 ;; CHECK:      [fuzz-exec] calling do-sleep
 ;; CHECK-NEXT: [fuzz-exec] note result: do-sleep => 42
+;; CHECK-NEXT: [fuzz-exec] comparing catch-js-tag
 ;; CHECK-NEXT: [fuzz-exec] comparing do-sleep
 ;; CHECK-NEXT: [fuzz-exec] comparing export.calling
 ;; CHECK-NEXT: [fuzz-exec] comparing export.calling.catching