nodejs/deps/v8/test/mjsunit/sandbox/wasm-signature-verification.js

// Copyright 2024 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --wasm-staging --sandbox-testing

d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');

const builder = new WasmModuleBuilder();
builder.exportMemoryAs("mem0", 0);
let $mem0 = builder.addMemory(1, 1);

let $box = builder.addStruct([makeField(kWasmFuncRef, true)]);

let $sig_i_l = builder.addType(kSig_i_l);

// func0 and func1 have no other job than to have incompatible signatures.
builder.addFunction("func0", kSig_v_i).exportFunc().addBody([]);
builder.addFunction("func1", $sig_i_l).exportFunc().addBody([
  kExprI32Const, 0,
]);

builder.addFunction("get_func0", kSig_r_v).exportFunc().addBody([
  kExprRefFunc, 0,
  kGCPrefix, kExprStructNew, $box,
  kGCPrefix, kExprExternConvertAny,
]);
builder.addFunction("get_func1", kSig_r_v).exportFunc().addBody([
  kExprRefFunc, 1,
  kGCPrefix, kExprStructNew, $box,
  kGCPrefix, kExprExternConvertAny,
]);
builder.addFunction("boom", kSig_i_l).exportFunc().addBody([
  kExprLocalGet, 0,
  kExprRefFunc, 1,
  kExprCallRef, $sig_i_l,
])

let instance = builder.instantiate();
instance.exports.func0(0);

const kHeapObjectTag = 1;
const kStructField0Offset = 8;  // 0:map, 4:hash
const kWasmFuncRefType = Sandbox.getInstanceTypeIdFor('WASM_FUNC_REF_TYPE');
const kWasmFuncRefInternalOffset = Sandbox.getFieldOffset(kWasmFuncRefType, 'trusted_internal');

let memory = new DataView(new Sandbox.MemoryView(0, 0x100000000));

function getPtr(obj) {
  return Sandbox.getAddressOf(obj) + kHeapObjectTag;
}
function getField(obj, offset) {
  return memory.getUint32(obj + offset - kHeapObjectTag, true);
}
function setField(obj, offset, value) {
  memory.setUint32(obj + offset - kHeapObjectTag, value, true);
}

let f0_box = getPtr(instance.exports.get_func0());
let f0 = getField(f0_box, kStructField0Offset);
let f0_int = getField(f0, kWasmFuncRefInternalOffset);

let f1_box = getPtr(instance.exports.get_func1());
let f1 = getField(f1_box, kStructField0Offset);

setField(f1, kWasmFuncRefInternalOffset, f0_int);

// Signature confusion should kill the process.
instance.exports.boom(0x41414141414141n);

assertUnreachable("Process should have been killed.");
deps: update V8 to 12.8.374.13 PR-URL: https://github.com/nodejs/node/pull/54077 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2024-08-14 20:41:00 +02:00			`// Copyright 2024 the V8 project authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

deps: update V8 to 13.6.233.8 PR-URL: https://github.com/nodejs/node/pull/58070 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> 2025-04-29 08:03:15 +02:00			`// Flags: --wasm-staging --sandbox-testing`
deps: update V8 to 12.8.374.13 PR-URL: https://github.com/nodejs/node/pull/54077 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2024-08-14 20:41:00 +02:00
			`d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');`

			`const builder = new WasmModuleBuilder();`
			`builder.exportMemoryAs("mem0", 0);`
			`let $mem0 = builder.addMemory(1, 1);`

			`let $box = builder.addStruct([makeField(kWasmFuncRef, true)]);`

			`let $sig_i_l = builder.addType(kSig_i_l);`

			`// func0 and func1 have no other job than to have incompatible signatures.`
			`builder.addFunction("func0", kSig_v_i).exportFunc().addBody([]);`
			`builder.addFunction("func1", $sig_i_l).exportFunc().addBody([`
			`kExprI32Const, 0,`
			`]);`

			`builder.addFunction("get_func0", kSig_r_v).exportFunc().addBody([`
			`kExprRefFunc, 0,`
			`kGCPrefix, kExprStructNew, $box,`
			`kGCPrefix, kExprExternConvertAny,`
			`]);`
			`builder.addFunction("get_func1", kSig_r_v).exportFunc().addBody([`
			`kExprRefFunc, 1,`
			`kGCPrefix, kExprStructNew, $box,`
			`kGCPrefix, kExprExternConvertAny,`
			`]);`
			`builder.addFunction("boom", kSig_i_l).exportFunc().addBody([`
			`kExprLocalGet, 0,`
			`kExprRefFunc, 1,`
			`kExprCallRef, $sig_i_l,`
			`])`

			`let instance = builder.instantiate();`
			`instance.exports.func0(0);`

			`const kHeapObjectTag = 1;`
			`const kStructField0Offset = 8; // 0:map, 4:hash`
deps: update V8 to 13.0.245.25 PR-URL: https://github.com/nodejs/node/pull/55014 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> 2025-01-30 16:35:04 +01:00			`const kWasmFuncRefType = Sandbox.getInstanceTypeIdFor('WASM_FUNC_REF_TYPE');`
			`const kWasmFuncRefInternalOffset = Sandbox.getFieldOffset(kWasmFuncRefType, 'trusted_internal');`
deps: update V8 to 12.8.374.13 PR-URL: https://github.com/nodejs/node/pull/54077 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2024-08-14 20:41:00 +02:00
			`let memory = new DataView(new Sandbox.MemoryView(0, 0x100000000));`

			`function getPtr(obj) {`
			`return Sandbox.getAddressOf(obj) + kHeapObjectTag;`
			`}`
			`function getField(obj, offset) {`
			`return memory.getUint32(obj + offset - kHeapObjectTag, true);`
			`}`
			`function setField(obj, offset, value) {`
			`memory.setUint32(obj + offset - kHeapObjectTag, value, true);`
			`}`

			`let f0_box = getPtr(instance.exports.get_func0());`
			`let f0 = getField(f0_box, kStructField0Offset);`
deps: update V8 to 13.0.245.25 PR-URL: https://github.com/nodejs/node/pull/55014 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> 2025-01-30 16:35:04 +01:00			`let f0_int = getField(f0, kWasmFuncRefInternalOffset);`
deps: update V8 to 12.8.374.13 PR-URL: https://github.com/nodejs/node/pull/54077 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2024-08-14 20:41:00 +02:00
			`let f1_box = getPtr(instance.exports.get_func1());`
			`let f1 = getField(f1_box, kStructField0Offset);`

deps: update V8 to 13.0.245.25 PR-URL: https://github.com/nodejs/node/pull/55014 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> 2025-01-30 16:35:04 +01:00			`setField(f1, kWasmFuncRefInternalOffset, f0_int);`
deps: update V8 to 12.8.374.13 PR-URL: https://github.com/nodejs/node/pull/54077 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2024-08-14 20:41:00 +02:00
			`// Signature confusion should kill the process.`
deps: update V8 to 13.0.245.25 PR-URL: https://github.com/nodejs/node/pull/55014 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> 2025-01-30 16:35:04 +01:00			`instance.exports.boom(0x41414141414141n);`
deps: update V8 to 12.8.374.13 PR-URL: https://github.com/nodejs/node/pull/54077 Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> 2024-08-14 20:41:00 +02:00
			`assertUnreachable("Process should have been killed.");`