Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Binary reader options and intended use cases #2537

Open
SoniEx2 opened this issue Feb 4, 2025 · 2 comments · May be fixed by #2541
Open

Binary reader options and intended use cases #2537

SoniEx2 opened this issue Feb 4, 2025 · 2 comments · May be fixed by #2541

Comments

@SoniEx2
Copy link
Collaborator

SoniEx2 commented Feb 4, 2025

Currently, we have the following binary reader options:

  Features features;
  Stream* log_stream = nullptr;
  bool read_debug_names = false;
  bool stop_on_first_error = true;
  bool fail_on_custom_section_error = true;
  bool skip_function_bodies = false;

Now, features and log_stream are... fairly universal, we wanna be able to select which post-MVP features to enable and disable and oftentimes also enable verbose logging.

However, it's another story with these other options. Most of these aren't available when running the provided tools, but API users can bring their own ReadBinaryOptions. In theory, this leads to use-cases like:

among other, potentially questionable ideas. However, we would like to highlight one issue in particular, and it's that our interpreter is designed to be... pretty fast. It's not trying to be the fastest thing in the world, but it does little run-time checking, instead relying entirely on the SharedValidator to do its job. As such, it's a dangerous idea to run (maliciously crafted) broken modules in the interpreter.

Would it make sense to more strictly enforce that many of these options are purely for use with the objdump reader? Ofc, we can still support use-cases like those in #2534 / #2535, but we (Soni) don't believe the API should look like this.
@SoniEx2 SoniEx2 linked a pull request Feb 14, 2025 that will close this issue
Draft
@sbc100
Copy link
Member

sbc100 commented Feb 17, 2025

Regarding stop_on_first_error, I don't think the idea was ever to allow the binary reader to have errors and then continue to on to interpret the module. I think the idea is that if there was 1 (or more) errors the reader would still fail, and the interpreter would not actually start. The only difference is how many errors are reported when reading the binary: at most 1 or more than one.

As a corollary to this I don't think the interpreter should have any runtime checks for things that are validation errors (perhaps a asserts are OK, but not real runtime checks). If you know of any such checks I think we should remove them or make them into asserts.

@SoniEx2
Copy link
Collaborator Author

SoniEx2 commented Feb 17, 2025

Yes, agree. However, there's another issue:

Fuzzing issues like https://issues.oss-fuzz.com/issues/378159149 seem to be related with continuing to build interpreter state for invalid modules after finding out they're invalid. These issues cannot be triggered with a regular wasm-interp. To us, these don't really seem worth chasing, so it would be kinda nice to eliminate them.

wabt itself never uses stop_on_first_error = false; with the interpreter, and personally we don't think we should be using it for fuzzing either. We'd prefer to switch to an API like the one we propose in #2541 , so as to eliminate the possibility.

@SoniEx2 SoniEx2 mentioned this issue Mar 6, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Make ReadBinaryOptions more strict across readers SoniEx2/wasm2kotlin
2 participants
@sbc100 @SoniEx2