1 use crate::generators::{Config, DiffValue, DiffValueType}; 2 use crate::oracles::engine::{DiffEngine, DiffInstance}; 3 use anyhow::{bail, Error, Result}; 4 use std::cell::RefCell; 5 use std::rc::Rc; 6 use std::sync::Once; 7 use wasmtime::Trap; 8 9 pub struct V8Engine { 10 isolate: Rc<RefCell<v8::OwnedIsolate>>, 11 } 12 13 impl V8Engine { 14 pub fn new(config: &mut Config) -> V8Engine { 15 static INIT: Once = Once::new(); 16 17 INIT.call_once(|| { 18 let platform = v8::new_default_platform(0, false).make_shared(); 19 v8::V8::initialize_platform(platform); 20 v8::V8::initialize(); 21 }); 22 23 let config = &mut config.module_config.config; 24 // FIXME: reference types are disabled for now as we seemingly keep finding 25 // a segfault in v8. This is found relatively quickly locally and keeps 26 // getting found by oss-fuzz and currently we don't think that there's 27 // really much we can do about it. For the time being disable reference 28 // types entirely. An example bug is 29 // https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=45662 30 config.reference_types_enabled = false; 31 32 config.min_memories = config.min_memories.min(1); 33 config.max_memories = config.max_memories.min(1); 34 config.memory64_enabled = false; 35 36 Self { 37 isolate: Rc::new(RefCell::new(v8::Isolate::new(Default::default()))), 38 } 39 } 40 } 41 42 impl DiffEngine for V8Engine { 43 fn name(&self) -> &'static str { 44 "v8" 45 } 46 47 fn instantiate(&mut self, wasm: &[u8]) -> Result<Box<dyn DiffInstance>> { 48 // Setup a new `Context` in which we'll be creating this instance and 49 // executing code. 50 let mut isolate = self.isolate.borrow_mut(); 51 let isolate = &mut **isolate; 52 let mut scope = v8::HandleScope::new(isolate); 53 let context = v8::Context::new(&mut scope); 54 let global = context.global(&mut scope); 55 let mut scope = v8::ContextScope::new(&mut scope, context); 56 57 // Move the `wasm` into JS and then invoke `new WebAssembly.Module`. 58 let buf = v8::ArrayBuffer::new_backing_store_from_boxed_slice(wasm.into()); 59 let buf = v8::SharedRef::from(buf); 60 let name = v8::String::new(&mut scope, "WASM_BINARY").unwrap(); 61 let buf = v8::ArrayBuffer::with_backing_store(&mut scope, &buf); 62 global.set(&mut scope, name.into(), buf.into()); 63 let module = eval(&mut scope, "new WebAssembly.Module(WASM_BINARY)").unwrap(); 64 let name = v8::String::new(&mut scope, "WASM_MODULE").unwrap(); 65 global.set(&mut scope, name.into(), module); 66 67 // Using our `WASM_MODULE` run instantiation. Note that it's guaranteed 68 // that nothing is imported into differentially-executed modules so 69 // this is expected to only take the module argument. 70 let instance = eval(&mut scope, "new WebAssembly.Instance(WASM_MODULE)")?; 71 72 Ok(Box::new(V8Instance { 73 isolate: self.isolate.clone(), 74 context: v8::Global::new(&mut scope, context), 75 instance: v8::Global::new(&mut scope, instance), 76 })) 77 } 78 79 fn assert_error_match(&self, wasmtime: &Trap, err: &Error) { 80 let v8 = err.to_string(); 81 let wasmtime_msg = wasmtime.to_string(); 82 let verify_wasmtime = |msg: &str| { 83 assert!(wasmtime_msg.contains(msg), "{}\n!=\n{}", wasmtime_msg, v8); 84 }; 85 let verify_v8 = |msg: &[&str]| { 86 assert!( 87 msg.iter().any(|msg| v8.contains(msg)), 88 "{:?}\n\t!=\n{}", 89 wasmtime_msg, 90 v8 91 ); 92 }; 93 match wasmtime { 94 Trap::MemoryOutOfBounds => { 95 return verify_v8(&[ 96 "memory access out of bounds", 97 "data segment is out of bounds", 98 ]) 99 } 100 Trap::UnreachableCodeReached => { 101 return verify_v8(&[ 102 "unreachable", 103 // All the wasms we test use wasm-smith's 104 // `ensure_termination` option which will `unreachable` when 105 // "fuel" runs out within the wasm module itself. This 106 // sometimes manifests as a call stack size exceeded in v8, 107 // however, since v8 sometimes has different limits on the 108 // call-stack especially when it's run multiple times. To 109 // get these error messages to line up allow v8 to say the 110 // call stack size exceeded when wasmtime says we hit 111 // unreachable. 112 "Maximum call stack size exceeded", 113 ]); 114 } 115 Trap::IntegerDivisionByZero => { 116 return verify_v8(&["divide by zero", "remainder by zero"]) 117 } 118 Trap::StackOverflow => { 119 return verify_v8(&[ 120 "call stack size exceeded", 121 // Similar to the above comment in `UnreachableCodeReached` 122 // if wasmtime hits a stack overflow but v8 ran all the way 123 // to when the `unreachable` instruction was hit then that's 124 // ok. This just means that wasmtime either has less optimal 125 // codegen or different limits on the stack than v8 does, 126 // which isn't an issue per-se. 127 "unreachable", 128 ]); 129 } 130 Trap::IndirectCallToNull => return verify_v8(&["null function"]), 131 Trap::TableOutOfBounds => { 132 return verify_v8(&[ 133 "table initializer is out of bounds", 134 "table index is out of bounds", 135 ]) 136 } 137 Trap::BadSignature => return verify_v8(&["function signature mismatch"]), 138 Trap::IntegerOverflow | Trap::BadConversionToInteger => { 139 return verify_v8(&[ 140 "float unrepresentable in integer range", 141 "divide result unrepresentable", 142 ]) 143 } 144 other => log::debug!("unknown code {:?}", other), 145 } 146 147 verify_wasmtime("not possibly present in an error, just panic please"); 148 } 149 150 fn is_stack_overflow(&self, err: &Error) -> bool { 151 err.to_string().contains("Maximum call stack size exceeded") 152 } 153 } 154 155 struct V8Instance { 156 isolate: Rc<RefCell<v8::OwnedIsolate>>, 157 context: v8::Global<v8::Context>, 158 instance: v8::Global<v8::Value>, 159 } 160 161 impl DiffInstance for V8Instance { 162 fn name(&self) -> &'static str { 163 "v8" 164 } 165 166 fn evaluate( 167 &mut self, 168 function_name: &str, 169 arguments: &[DiffValue], 170 result_tys: &[DiffValueType], 171 ) -> Result<Option<Vec<DiffValue>>> { 172 let mut isolate = self.isolate.borrow_mut(); 173 let isolate = &mut **isolate; 174 let mut scope = v8::HandleScope::new(isolate); 175 let context = v8::Local::new(&mut scope, &self.context); 176 let global = context.global(&mut scope); 177 let mut scope = v8::ContextScope::new(&mut scope, context); 178 179 // See https://webassembly.github.io/spec/js-api/index.html#tojsvalue 180 // for how the Wasm-to-JS conversions are done. 181 let mut params = Vec::new(); 182 for arg in arguments { 183 params.push(match *arg { 184 DiffValue::I32(n) => v8::Number::new(&mut scope, n.into()).into(), 185 DiffValue::F32(n) => v8::Number::new(&mut scope, f32::from_bits(n).into()).into(), 186 DiffValue::F64(n) => v8::Number::new(&mut scope, f64::from_bits(n)).into(), 187 DiffValue::I64(n) => v8::BigInt::new_from_i64(&mut scope, n).into(), 188 DiffValue::FuncRef { null } | DiffValue::ExternRef { null } => { 189 assert!(null); 190 v8::null(&mut scope).into() 191 } 192 // JS doesn't support v128 parameters 193 DiffValue::V128(_) => return Ok(None), 194 }); 195 } 196 // JS doesn't support v128 return values 197 for ty in result_tys { 198 if let DiffValueType::V128 = ty { 199 return Ok(None); 200 } 201 } 202 203 let name = v8::String::new(&mut scope, "WASM_INSTANCE").unwrap(); 204 let instance = v8::Local::new(&mut scope, &self.instance); 205 global.set(&mut scope, name.into(), instance); 206 let name = v8::String::new(&mut scope, "EXPORT_NAME").unwrap(); 207 let func_name = v8::String::new(&mut scope, function_name).unwrap(); 208 global.set(&mut scope, name.into(), func_name.into()); 209 let name = v8::String::new(&mut scope, "ARGS").unwrap(); 210 let params = v8::Array::new_with_elements(&mut scope, ¶ms); 211 global.set(&mut scope, name.into(), params.into()); 212 let v8_vals = eval(&mut scope, "WASM_INSTANCE.exports[EXPORT_NAME](...ARGS)")?; 213 214 let mut results = Vec::new(); 215 match result_tys.len() { 216 0 => assert!(v8_vals.is_undefined()), 217 1 => results.push(get_diff_value(&v8_vals, result_tys[0], &mut scope)), 218 _ => { 219 let array = v8::Local::<'_, v8::Array>::try_from(v8_vals).unwrap(); 220 for (i, ty) in result_tys.iter().enumerate() { 221 let v8 = array.get_index(&mut scope, i as u32).unwrap(); 222 results.push(get_diff_value(&v8, *ty, &mut scope)); 223 } 224 } 225 } 226 Ok(Some(results)) 227 } 228 229 fn get_global(&mut self, global_name: &str, ty: DiffValueType) -> Option<DiffValue> { 230 if let DiffValueType::V128 = ty { 231 return None; 232 } 233 let mut isolate = self.isolate.borrow_mut(); 234 let mut scope = v8::HandleScope::new(&mut *isolate); 235 let context = v8::Local::new(&mut scope, &self.context); 236 let global = context.global(&mut scope); 237 let mut scope = v8::ContextScope::new(&mut scope, context); 238 239 let name = v8::String::new(&mut scope, "GLOBAL_NAME").unwrap(); 240 let memory_name = v8::String::new(&mut scope, global_name).unwrap(); 241 global.set(&mut scope, name.into(), memory_name.into()); 242 let val = eval(&mut scope, "WASM_INSTANCE.exports[GLOBAL_NAME].value").unwrap(); 243 Some(get_diff_value(&val, ty, &mut scope)) 244 } 245 246 fn get_memory(&mut self, memory_name: &str, shared: bool) -> Option<Vec<u8>> { 247 let mut isolate = self.isolate.borrow_mut(); 248 let mut scope = v8::HandleScope::new(&mut *isolate); 249 let context = v8::Local::new(&mut scope, &self.context); 250 let global = context.global(&mut scope); 251 let mut scope = v8::ContextScope::new(&mut scope, context); 252 253 let name = v8::String::new(&mut scope, "MEMORY_NAME").unwrap(); 254 let memory_name = v8::String::new(&mut scope, memory_name).unwrap(); 255 global.set(&mut scope, name.into(), memory_name.into()); 256 let v8 = eval(&mut scope, "WASM_INSTANCE.exports[MEMORY_NAME].buffer").unwrap(); 257 let v8_data = if shared { 258 v8::Local::<'_, v8::SharedArrayBuffer>::try_from(v8) 259 .unwrap() 260 .get_backing_store() 261 } else { 262 v8::Local::<'_, v8::ArrayBuffer>::try_from(v8) 263 .unwrap() 264 .get_backing_store() 265 }; 266 267 Some(v8_data.iter().map(|i| i.get()).collect()) 268 } 269 } 270 271 /// Evaluates the JS `code` within `scope`, returning either the result of the 272 /// computation or the stringified exception if one happened. 273 fn eval<'s>(scope: &mut v8::HandleScope<'s>, code: &str) -> Result<v8::Local<'s, v8::Value>> { 274 let mut tc = v8::TryCatch::new(scope); 275 let mut scope = v8::EscapableHandleScope::new(&mut tc); 276 let source = v8::String::new(&mut scope, code).unwrap(); 277 let script = v8::Script::compile(&mut scope, source, None).unwrap(); 278 match script.run(&mut scope) { 279 Some(val) => Ok(scope.escape(val)), 280 None => { 281 drop(scope); 282 assert!(tc.has_caught()); 283 bail!( 284 "{}", 285 tc.message() 286 .unwrap() 287 .get(&mut tc) 288 .to_rust_string_lossy(&mut tc) 289 ) 290 } 291 } 292 } 293 294 fn get_diff_value( 295 val: &v8::Local<'_, v8::Value>, 296 ty: DiffValueType, 297 scope: &mut v8::HandleScope<'_>, 298 ) -> DiffValue { 299 match ty { 300 DiffValueType::I32 => DiffValue::I32(val.to_int32(scope).unwrap().value() as i32), 301 DiffValueType::I64 => { 302 let (val, todo) = val.to_big_int(scope).unwrap().i64_value(); 303 assert!(todo); 304 DiffValue::I64(val) 305 } 306 DiffValueType::F32 => { 307 DiffValue::F32((val.to_number(scope).unwrap().value() as f32).to_bits()) 308 } 309 DiffValueType::F64 => DiffValue::F64(val.to_number(scope).unwrap().value().to_bits()), 310 DiffValueType::FuncRef => DiffValue::FuncRef { 311 null: val.is_null(), 312 }, 313 DiffValueType::ExternRef => DiffValue::ExternRef { 314 null: val.is_null(), 315 }, 316 DiffValueType::V128 => unreachable!(), 317 } 318 } 319 320 #[test] 321 fn smoke() { 322 crate::oracles::engine::smoke_test_engine(|_, config| Ok(V8Engine::new(config))) 323 } 324