fix #1824 (out of bound memory check) in wasm case, add more test cases

a2e8f576 · Kayan · 4fbe9671 · a2e8f576 · a2e8f576 · a2e8f576
5 changed file
--- a/contracts/test_api/test_api.hpp
+++ b/contracts/test_api/test_api.hpp
@@ -232,6 +232,16 @@ struct test_memory {
   static void test_outofbound_1();
   static void test_outofbound_2();
   static void test_outofbound_3();
+   static void test_outofbound_4();
+   static void test_outofbound_5();
+   static void test_outofbound_6();
+   static void test_outofbound_7();
+   static void test_outofbound_8();
+   static void test_outofbound_9();
+   static void test_outofbound_10();
+   static void test_outofbound_11();
+   static void test_outofbound_12();
+   static void test_outofbound_13();
 };

 struct test_checktime {

--- a/contracts/test_api_mem/test_api_mem.cpp
+++ b/contracts/test_api_mem/test_api_mem.cpp
@@ -31,7 +31,17 @@ extern "C" {
      WASM_TEST_HANDLER(test_memory, test_outofbound_1);
      WASM_TEST_HANDLER(test_memory, test_outofbound_2);
      WASM_TEST_HANDLER(test_memory, test_outofbound_3);
-
+      WASM_TEST_HANDLER(test_memory, test_outofbound_4);
+      WASM_TEST_HANDLER(test_memory, test_outofbound_5);
+      WASM_TEST_HANDLER(test_memory, test_outofbound_6);
+      WASM_TEST_HANDLER(test_memory, test_outofbound_7);
+      WASM_TEST_HANDLER(test_memory, test_outofbound_8);
+      WASM_TEST_HANDLER(test_memory, test_outofbound_9);
+      WASM_TEST_HANDLER(test_memory, test_outofbound_10);
+      WASM_TEST_HANDLER(test_memory, test_outofbound_11);
+      WASM_TEST_HANDLER(test_memory, test_outofbound_12);
+      WASM_TEST_HANDLER(test_memory, test_outofbound_13);
+      
      //unhandled test call
      eosio_assert(false, "Unknown Test");
   }

--- a/contracts/test_api_mem/test_memory.cpp
+++ b/contracts/test_api_mem/test_memory.cpp
@@ -314,27 +314,81 @@ void test_memory::test_memcmp()
 void test_memory::test_outofbound_0()
 {
    memset((char *)0, 0xff, 1024 * 1024 * 1024); // big memory
-    eosio_assert(false, "should not reach here");
 }

 void test_memory::test_outofbound_1()
 {
    memset((char *)16, 0xff, 0xffffffff); // memory wrap around
-    eosio_assert(false, "should not reach here");
 }

 void test_memory::test_outofbound_2()
 {
    char buf[1024] = {0};
    char *ptr = (char *)malloc(1048576);
-    eosio_assert(ptr < buf, "heap memory should be in lower addr");
    memcpy(buf, ptr, 1048576); // stack memory out of bound
-    eosio_assert(false, "should not reach here");
 }

 void test_memory::test_outofbound_3()
 {
    char *ptr = (char *)malloc(128);
    memset(ptr, 0xcc, 1048576); // heap memory out of bound
-    eosio_assert(false, "should not reach here");
+}
+
+template <typename T>
+void test_memory_store() {
+    T *ptr = (T *)(8192 * 1024 - 1);
+    ptr[0] = (T)1;
+}
+
+template <typename T>
+void test_memory_load() {
+    T *ptr = (T *)(8192 * 1024 - 1);
+    volatile T tmp = ptr[0];
+}
+
+void test_memory::test_outofbound_4()
+{
+    test_memory_store<char>();
+}
+void test_memory::test_outofbound_5()
+{
+    test_memory_store<short>();
+}
+void test_memory::test_outofbound_6()
+{
+    test_memory_store<int>();
+}
+void test_memory::test_outofbound_7()
+{
+    test_memory_store<double>();
+}
+void test_memory::test_outofbound_8()
+{
+    test_memory_load<char>();
+}
+void test_memory::test_outofbound_9()
+{
+    test_memory_load<short>();
+}
+void test_memory::test_outofbound_10()
+{
+    test_memory_load<int>();
+}
+void test_memory::test_outofbound_11()
+{
+    test_memory_load<double>();
+}
+
+void test_memory::test_outofbound_12()
+{
+    volatile unsigned int a = 0xffffffff;
+    double *ptr = (double *)a; // store with memory wrap
+    ptr[0] = 1;
+}
+
+void test_memory::test_outofbound_13()
+{
+    volatile unsigned int a = 0xffffffff;
+    double *ptr = (double *)a; // load with memory wrap
+    volatile double tmp = ptr[0];
 }
--- a/libraries/chain/include/eosio/chain/webassembly/wavm.hpp
+++ b/libraries/chain/include/eosio/chain/webassembly/wavm.hpp
@@ -47,7 +47,11 @@ template<typename T>
 inline array_ptr<T> array_ptr_impl (running_instance_context& ctx, U32 ptr, size_t length)
 {
   MemoryInstance* mem = ctx.memory;
-   if(!mem || ptr + (length * sizeof(T)) > IR::numBytesPerPage*Runtime::getMemoryNumPages(mem))
+   if (!mem) 
+      Runtime::causeException(Exception::Cause::accessViolation);
+
+   size_t mem_total = IR::numBytesPerPage * Runtime::getMemoryNumPages(mem);
+   if (ptr >= mem_total || length > (mem_total - ptr) / sizeof(T))
      Runtime::causeException(Exception::Cause::accessViolation);

   return array_ptr<T>((T*)(getMemoryBaseAddress(mem) + ptr));

--- a/tests/api_tests/api_tests.cpp
+++ b/tests/api_tests/api_tests.cpp
@@ -1172,33 +1172,35 @@ BOOST_FIXTURE_TEST_CASE(memory_tests, TESTER) { try {
   CALL_TEST_FUNCTION( *this, "test_memory", "test_memcmp", {} );
   produce_blocks(1000);

-  BOOST_CHECK_EXCEPTION(CALL_TEST_FUNCTION( *this, "test_memory", "test_outofbound_0", {} ), transaction_exception,
-         [](const fc::exception& e) {
-            return expect_assert_message(e, "access violation");
-         }
-      );
-  BOOST_CHECK_EXCEPTION(CALL_TEST_FUNCTION( *this, "test_memory", "test_outofbound_1", {} ), transaction_exception,
-         [](const fc::exception& e) {
-            return expect_assert_message(e, "access violation");
-         }
-      );
-  BOOST_CHECK_EXCEPTION(CALL_TEST_FUNCTION( *this, "test_memory", "test_outofbound_2", {} ), transaction_exception,
-         [](const fc::exception& e) {
-            return expect_assert_message(e, "access violation");
-         }
-      );
-  BOOST_CHECK_EXCEPTION(CALL_TEST_FUNCTION( *this, "test_memory", "test_outofbound_3", {} ), transaction_exception,
-        [](const fc::exception& e) {
-           return expect_assert_message(e, "access violation");
-        }
-      );
-//    CALL_TEST_FUNCTION( *this, "test_memory", "test_outofbound_0", {} );
-//    produce_blocks(1000);
-//    CALL_TEST_FUNCTION( *this, "test_memory", "test_outofbound_1", {} );
-//    produce_blocks(1000);
-//    CALL_TEST_FUNCTION( *this, "test_memory", "test_outofbound_2", {} );
-//    produce_blocks(1000);
-//    CALL_TEST_FUNCTION( *this, "test_memory", "test_outofbound_3", {} );
+#define test_memory_oob(func) \
+   try { \
+      CALL_TEST_FUNCTION( *this, "test_memory", func, {} ); \
+      BOOST_FAIL("assert failed in test out of bound memory in " func); \
+   } catch (...) { \
+      BOOST_REQUIRE_EQUAL(true, true); \
+   }
+
+#define test_memory_oob2(func) \
+   try { \
+      CALL_TEST_FUNCTION( *this, "test_memory", func, {} );\
+   } catch (const fc::exception& e) {\
+     if (!expect_assert_message(e, "access violation")) throw; \
+   }
+
+   test_memory_oob("test_outofbound_0");
+   test_memory_oob("test_outofbound_1");
+   test_memory_oob("test_outofbound_2");
+   test_memory_oob("test_outofbound_3");
+   test_memory_oob("test_outofbound_4");
+   test_memory_oob("test_outofbound_5");
+   test_memory_oob("test_outofbound_6");
+   test_memory_oob("test_outofbound_7");
+   test_memory_oob("test_outofbound_8");
+   test_memory_oob("test_outofbound_9");
+   test_memory_oob("test_outofbound_10");
+   test_memory_oob("test_outofbound_11");
+   test_memory_oob("test_outofbound_12");
+   test_memory_oob("test_outofbound_13");

   BOOST_REQUIRE_EQUAL( validate(), true );
 } FC_LOG_AND_RETHROW() }