refactor: add labelidx readers

Signed-off-by: Florian Hartung <florian.hartung@dlr.de>

Author: florianhartung

src/core/error.rs

@@ -3,7 +3,7 @@ use crate::RefType;
 use core::fmt::{Display, Formatter};
 use core::str::Utf8Error;
 
-use super::indices::{FuncIdx, LabelIdx};
+use super::indices::FuncIdx;
 use crate::core::reader::section_header::SectionTy;
 use crate::core::reader::types::ValType;
 
@@ -67,7 +67,7 @@ pub enum ValidationError {
     /// An index for a local is invalid.
     InvalidLocalIdx(u32),
     /// An index for a label is invalid.
-    InvalidLabelIdx(LabelIdx),
+    InvalidLabelIdx(u32),
     /// An index for a lane of some vector type is invalid.
     InvalidLaneIdx(u8),
 

src/core/indices.rs

@@ -687,4 +687,18 @@ impl LocalIdx {
     }
 }
 
-pub type LabelIdx = usize;
+/// Reads a label index from Wasm code without validating it.
+pub fn read_label_idx(wasm: &mut WasmReader) -> Result<u32, ValidationError> {
+    wasm.read_var_u32()
+}
+
+/// Reads a label index from Wasm code without validating it.
+///
+/// # Safety
+///
+/// The caller must ensure that there is a valid label index in the
+/// [`WasmReader`].
+pub unsafe fn read_label_idx_unchecked(wasm: &mut WasmReader) -> u32 {
+    // TODO use `unwrap_unchecked` instead
+    wasm.read_var_u32().unwrap()
+}

src/execution/interpreter_loop.rs

@@ -19,7 +19,10 @@ use crate::{
     addrs::{AddrVec, DataAddr, ElemAddr, MemAddr, ModuleAddr, TableAddr},
     assert_validated::UnwrapValidatedExt,
     core::{
-        indices::{DataIdx, ElemIdx, FuncIdx, GlobalIdx, Idx, LocalIdx, MemIdx, TableIdx, TypeIdx},
+        indices::{
+            read_label_idx_unchecked, DataIdx, ElemIdx, FuncIdx, GlobalIdx, Idx, LocalIdx, MemIdx,
+            TableIdx, TypeIdx,
+        },
         reader::{
             types::{memarg::MemArg, BlockType},
             WasmReader,
@@ -163,7 +166,10 @@ pub(super) fn run<T: Config>(
             }
             BR_IF => {
                 decrement_fuel!(T::get_flat_cost(BR_IF));
-                wasm.read_var_u32().unwrap_validated();
+
+                // SAFETY: Validation guarantees there to be a valid label index
+                // next.
+                let _label_idx = unsafe { read_label_idx_unchecked(wasm) };
 
                 let test_val: i32 = stack.pop_value().try_into().unwrap_validated();
 
@@ -177,9 +183,16 @@ pub(super) fn run<T: Config>(
             BR_TABLE => {
                 decrement_fuel!(T::get_flat_cost(BR_TABLE));
                 let label_vec = wasm
-                    .read_vec(|wasm| wasm.read_var_u32().map(|v| v.into_usize()))
+                    .read_vec(|wasm| {
+                        // SAFETY: Validation guarantees that there is a
+                        // valid vec of label indices.
+                        Ok(unsafe { read_label_idx_unchecked(wasm) })
+                    })
                     .unwrap_validated();
-                wasm.read_var_u32().unwrap_validated();
+
+                // SAFETY: Validation guarantees there to be another label index
+                // for the default case.
+                let _default_label_idx = unsafe { read_label_idx_unchecked(wasm) };
 
                 // TODO is this correct?
                 let case_val_i32: i32 = stack.pop_value().try_into().unwrap_validated();
@@ -195,8 +208,9 @@ pub(super) fn run<T: Config>(
             }
             BR => {
                 decrement_fuel!(T::get_flat_cost(BR));
-                //skip n of BR n
-                wasm.read_var_u32().unwrap_validated();
+                // SAFETY: Validation guarantees there to be a valid label index
+                // next.
+                let _label_idx = unsafe { read_label_idx_unchecked(wasm) };
                 do_sidetable_control_transfer(wasm, stack, &mut stp, current_sidetable)?;
             }
             BLOCK => {
@@ -213,7 +227,7 @@ pub(super) fn run<T: Config>(
             }
             RETURN => {
                 decrement_fuel!(T::get_flat_cost(RETURN));
-                //same as BR, except no need to skip n of BR n
+                // same as BR
                 do_sidetable_control_transfer(wasm, stack, &mut stp, current_sidetable)?;
             }
             CALL => {

src/validation/code.rs

@@ -4,8 +4,8 @@ use alloc::collections::btree_set::BTreeSet;
 use alloc::vec::Vec;
 
 use crate::core::indices::{
-    DataIdx, ElemIdx, ExtendedIdxVec, FuncIdx, GlobalIdx, IdxVec, LocalIdx, MemIdx, TableIdx,
-    TypeIdx,
+    read_label_idx, DataIdx, ElemIdx, ExtendedIdxVec, FuncIdx, GlobalIdx, IdxVec, LocalIdx, MemIdx,
+    TableIdx, TypeIdx,
 };
 use crate::core::reader::section_header::{SectionHeader, SectionTy};
 use crate::core::reader::span::Span;
@@ -147,7 +147,7 @@ pub fn read_declared_locals(wasm: &mut WasmReader) -> Result<Vec<ValType>, Valid
 /// Branches are generated by branching instructions and some can even generate multiple branches.
 fn validate_branch_and_generate_sidetable_entry(
     wasm: &WasmReader,
-    label_idx: usize,
+    label_idx: u32,
     stack: &mut ValidationStack,
     sidetable: &mut Sidetable,
     unify_to_expected_types: bool,
@@ -160,7 +160,7 @@ fn validate_branch_and_generate_sidetable_entry(
     let index_of_label_in_ctrl_stack = stack
         .ctrl_stack
         .len()
-        .checked_sub(label_idx)
+        .checked_sub(label_idx.into_usize())
         .and_then(|i| i.checked_sub(1));
 
     let targeted_ctrl_block_entry = index_of_label_in_ctrl_stack
@@ -349,14 +349,14 @@ unsafe fn read_instructions(
                 }
             }
             BR => {
-                let label_idx = wasm.read_var_u32()?.into_usize();
+                let label_idx = read_label_idx(wasm)?;
                 validate_branch_and_generate_sidetable_entry(
                     wasm, label_idx, stack, sidetable, false,
                 )?;
                 stack.make_unspecified()?;
             }
             BR_IF => {
-                let label_idx = wasm.read_var_u32()?.into_usize();
+                let label_idx = read_label_idx(wasm)?;
                 stack.assert_pop_val_type(ValType::NumType(NumType::I32))?;
                 // The types are explicitly popped and pushed in
                 // https://webassembly.github.io/spec/core/appendix/algorithm.html
@@ -366,9 +366,8 @@ unsafe fn read_instructions(
                 )?;
             }
             BR_TABLE => {
-                let label_vec =
-                    wasm.read_vec(|wasm| wasm.read_var_u32().map(|v| v.into_usize()))?;
-                let max_label_idx = wasm.read_var_u32()?.into_usize();
+                let label_vec = wasm.read_vec(read_label_idx)?;
+                let max_label_idx = read_label_idx(wasm)?;
                 stack.assert_pop_val_type(ValType::NumType(NumType::I32))?;
                 for label_idx in &label_vec {
                     validate_branch_and_generate_sidetable_entry(
@@ -390,16 +389,19 @@ unsafe fn read_instructions(
                 // in which the smaller arity type is a suffix in the label type list of the larger arity function
 
                 // stack includes all labels, that check is made in the above fn already
+                let max_label_idx = max_label_idx.into_usize();
+
                 let max_label_arity = stack
                     .ctrl_stack
                     .get(stack.ctrl_stack.len() - max_label_idx - 1)
                     .unwrap()
                     .label_types()
                     .len();
                 for label_idx in &label_vec {
+                    let label_idx_as_usize = label_idx.into_usize();
                     let label_arity = stack
                         .ctrl_stack
-                        .get(stack.ctrl_stack.len() - *label_idx - 1)
+                        .get(stack.ctrl_stack.len() - label_idx_as_usize - 1)
                         .unwrap()
                         .label_types()
                         .len();
@@ -466,7 +468,14 @@ unsafe fn read_instructions(
                 }
             }
             RETURN => {
-                let label_idx = stack.ctrl_stack.len() - 1; // return behaves the same as br <most_outer>
+                // Generally `return` behaves the same as `br <most_outer>`,
+                // except when there are more than [`u32::MAX`] labels. In that
+                // case `return` would still be valid, while `br (u32::MAX + n)`
+                // is invalid.
+                //
+                // TODO Find a way to get rid of this limitation
+                let label_idx = u32::try_from(stack.ctrl_stack.len() - 1)
+                    .expect("that there are never so many nested control blocks that the index to the outermost label exceeds u32::MAX");
                 validate_branch_and_generate_sidetable_entry(
                     wasm, label_idx, stack, sidetable, false,
                 )?;

src/validation/validation_stack.rs

@@ -4,7 +4,10 @@ use alloc::vec;
 use alloc::vec::Vec;
 
 use crate::{
-    core::reader::types::{FuncType, ResultType},
+    core::{
+        reader::types::{FuncType, ResultType},
+        utils::ToUsizeExt,
+    },
     NumType, RefType, ValType, ValidationError,
 };
 
@@ -288,13 +291,13 @@ impl ValidationStack {
     ///
     pub fn assert_val_types_of_label_jump_types_on_top(
         &mut self,
-        label_idx: usize,
+        label_idx: u32,
         unify_to_expected_types: bool,
     ) -> Result<(), ValidationError> {
         let index_of_label_in_ctrl_stack = self
             .ctrl_stack
             .len()
-            .checked_sub(label_idx)
+            .checked_sub(label_idx.into_usize())
             .and_then(|i| i.checked_sub(1));
 
         let label_types = index_of_label_in_ctrl_stack