[wasm] Fix crash in generateAlignedMemoryIndexes

We need to prevent that the randomNonNegativeIndex() gets called with a
negative index as that will lead to crashes.

Bug: 427134598
Change-Id: I28bd483054790a1a299ddfb4af0c5e8abe81e7f2
Reviewed-on: https://chrome-internal-review.googlesource.com/c/v8/fuzzilli/+/8460619
Commit-Queue: Carl Smith <[email protected]>
Reviewed-by: Carl Smith <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>

Author: Liedtke

Sources/Fuzzilli/Base/ProgramBuilder.swift

@@ -3905,11 +3905,14 @@ public class ProgramBuilder {
     //
     // Note: In rare cases, the returned values may lead to an out-of-bounds memory access.
     func generateAlignedMemoryIndexes(forMemory memory: Variable, alignment: Int64) -> (address: Variable, offset: Int64) {
+        assert(alignment > 0, "Alignment must be positive")
         let memoryTypeInfo = self.type(of: memory).wasmMemoryType!
         let memSize = Int64(memoryTypeInfo.limits.min * WasmConstants.specWasmMemPageSize)
         let function = self.currentWasmModule.currentWasmFunction
-        assert(memSize >= alignment, "Memory size must be large enough to satisfy alignment")
-        assert(alignment > 0, "Alignment must be positive")
+        if memSize < alignment {
+            // We can't generate in-bounds accesses here, so simply return address 0.
+            return (function.memoryArgument(0, memoryTypeInfo), 0)
+        }
 
         // Generate an in-bounds offset (dynamicOffset + alignedStaticOffset) into the memory.
         // The '+1' allows out-of-bounds access (dynamicOffset + alignedStaticOffset == memSize)

Tests/FuzzilliTests/ProgramBuilderTest.swift

@@ -2844,4 +2844,35 @@ class ProgramBuilderTests: XCTestCase {
             }
         }
     }
+
+    func testEmptyMemoryGenerateMemoryIndices() {
+        let env = JavaScriptEnvironment()
+        let config = Configuration(logLevel: .error)
+        let fuzzer = makeMockFuzzer(config: config, environment: env)
+        let b = fuzzer.makeBuilder()
+        do {
+            let emptyMemory = b.createWasmMemory(minPages: 0)
+            b.buildWasmModule { wasmModule in
+                wasmModule.addWasmFunction(with: [] => [.wasmi32]) { function, label, args in
+                    let (dynamicOffset, staticOffset) = b.generateAlignedMemoryIndexes(forMemory: emptyMemory, alignment: 1)
+                    return [function.wasmMemoryLoad(memory: emptyMemory,
+                        dynamicOffset: dynamicOffset, loadType: .I32LoadMem,
+                        staticOffset: staticOffset)]
+                }
+            }
+        }
+        let actual = b.finalize()
+        do {
+            let emptyMemory = b.createWasmMemory(minPages: 0)
+            b.buildWasmModule { wasmModule in
+                wasmModule.addWasmFunction(with: [] => [.wasmi32]) { function, label, args in
+                    return [function.wasmMemoryLoad(memory: emptyMemory,
+                        dynamicOffset: function.consti32(0), loadType: .I32LoadMem,
+                        staticOffset: 0)]
+                }
+            }
+        }
+        let expected = b.finalize()
+        XCTAssertEqual(actual, expected)
+    }
 }