[Interpreter] Initialized segments persist after instantiation failure

This behavior is a breaking change from the v1 spec, but it is unlikely
that any programs depend on it.

Author: binji

interpreter/exec/eval.ml

@@ -405,26 +405,19 @@ let init_table (inst : module_inst) (seg : table_segment) =
   | Active {index; offset = const; init} ->
     let tab = table inst index in
     let offset = i32 (eval_const inst const) const.at in
-    let end_ = Int32.(add offset (of_int (List.length init))) in
-    let bound = Table.size tab in
-    if I32.lt_u bound end_ || I32.lt_u end_ offset then
-      Link.error seg.at "elements segment does not fit table";
-    fun () ->
-      Table.blit tab offset (List.map (fun x -> FuncElem (func inst x)) init)
-  | Passive init -> fun () -> ()
+    (try Table.init tab offset (List.map (fun x -> FuncElem (func inst x)) init)
+    with Table.Bounds -> Link.error seg.at "elements segment does not fit table")
+  | Passive init -> ()
 
 let init_memory (inst : module_inst) (seg : memory_segment) =
   match seg.it with
   | Active {index; offset = const; init} ->
     let mem = memory inst index in
     let offset' = i32 (eval_const inst const) const.at in
     let offset = I64_convert.extend_i32_u offset' in
-    let end_ = Int64.(add offset (of_int (String.length init))) in
-    let bound = Memory.bound mem in
-    if I64.lt_u bound end_ || I64.lt_u end_ offset then
-      Link.error seg.at "data segment does not fit memory";
-    fun () -> Memory.store_bytes mem offset init
-  | Passive init -> fun () -> ()
+    (try Memory.init mem offset init
+    with Memory.Bounds -> Link.error seg.at "data segment does not fit memory")
+  | Passive init -> ()
 
 
 let add_import (m : module_) (ext : extern) (im : import) (inst : module_inst)
@@ -460,9 +453,7 @@ let init (m : module_) (exts : extern list) : module_inst =
   in
   let inst = {inst1 with exports = List.map (create_export inst1) exports} in
   List.iter (init_func inst) fs;
-  let init_elems = List.map (init_table inst) elems in
-  let init_datas = List.map (init_memory inst) data in
-  List.iter (fun f -> f ()) init_elems;
-  List.iter (fun f -> f ()) init_datas;
+  List.iter (init_table inst) elems;
+  List.iter (init_memory inst) data;
   Lib.Option.app (fun x -> ignore (invoke (func inst x) [])) start;
   inst

interpreter/runtime/memory.ml

@@ -147,14 +147,11 @@ let store_packed sz mem a o v =
 
 let check_bounds mem a = if I64.gt_u a (bound mem) then raise Bounds
 
-let fill mem a v n =
-  let rec loop a n =
-    if n > 0l then begin
-      store_byte mem a v;
-      loop (Int64.add a 1L) (Int32.sub n 1l)
-    end
-  in loop a n;
-  check_bounds mem Int64.(add a (of_int32 n))
+let init mem a bs =
+  for i = 0 to String.length bs - 1 do
+    store_byte mem Int64.(add a (of_int i)) (Char.code bs.[i])
+  done;
+  check_bounds mem Int64.(add a (of_int (String.length bs)))
 
 let copy mem d s n =
   let n' = Int64.of_int32 n in
@@ -170,3 +167,12 @@ let copy mem d s n =
     loop d s n 1L);
   check_bounds mem (Int64.add d n');
   check_bounds mem (Int64.add s n')
+
+let fill mem a v n =
+  let rec loop a n =
+    if n > 0l then begin
+      store_byte mem a v;
+      loop (Int64.add a 1L) (Int32.sub n 1l)
+    end
+  in loop a n;
+  check_bounds mem Int64.(add a (of_int32 n))

interpreter/runtime/memory.mli

@@ -44,5 +44,6 @@ val store_packed :
   pack_size -> memory -> address -> offset -> value -> unit
     (* raises Type, Bounds *)
 
-val fill : memory -> address -> int -> count -> unit (* raises Bounds *)
+val init : memory -> address -> string -> unit (* raises Bounds *)
 val copy : memory -> address -> address -> count -> unit (* raises Bounds *)
+val fill : memory -> address -> int -> count -> unit (* raises Bounds *)

interpreter/runtime/table.ml

@@ -48,7 +48,8 @@ let load tab i =
 let store tab i v =
   try Lib.Array32.set tab.content i v with Invalid_argument _ -> raise Bounds
 
-let blit tab offset elems =
-  let data = Array.of_list elems in
-  try Lib.Array32.blit data 0l tab.content offset (Lib.Array32.length data)
-  with Invalid_argument _ -> raise Bounds
+let check_bounds tab i = if I32.gt_u i (size tab) then raise Bounds
+
+let init tab offset elems =
+  List.iteri (fun i -> store tab (Int32.(add offset (of_int i)))) elems;
+  check_bounds tab Int32.(add offset (of_int (List.length elems)))

interpreter/runtime/table.mli

@@ -20,4 +20,5 @@ val grow : table -> size -> unit (* raises SizeOverflow, SizeLimit *)
 
 val load : table -> index -> elem (* raises Bounds *)
 val store : table -> index -> elem -> unit (* raises Bounds *)
-val blit : table -> index -> elem list -> unit (* raises Bounds *)
+
+val init : table -> index -> elem list -> unit (* raises Bounds *)

test/core/linking.wast

@@ -224,6 +224,8 @@
 )
 (assert_trap (invoke $Mt "call" (i32.const 7)) "uninitialized")
 
+;; Unlike in the v1 spec, the elements stored before an out-of-bounds access
+;; persist after the instantiation failure.
 (assert_unlinkable
   (module
     (table (import "Mt" "tab") 10 funcref)
@@ -233,7 +235,7 @@
   )
   "elements segment does not fit"
 )
-(assert_trap (invoke $Mt "call" (i32.const 7)) "uninitialized")
+(assert_return (invoke $Mt "call" (i32.const 7)) (i32.const 0))
 
 (assert_unlinkable
   (module
@@ -245,7 +247,7 @@
   )
   "data segment does not fit"
 )
-(assert_trap (invoke $Mt "call" (i32.const 7)) "uninitialized")
+(assert_return (invoke $Mt "call" (i32.const 7)) (i32.const 0))
 
 
 ;; Memories
@@ -331,6 +333,8 @@
 )
 (assert_return (invoke $Mm "load" (i32.const 0)) (i32.const 0))
 
+;; Unlike in v1 spec, bytes written before an out-of-bounds access persist
+;; after the instantiation failure.
 (assert_unlinkable
   (module
     (memory (import "Mm" "mem") 1)
@@ -339,7 +343,7 @@
   )
   "data segment does not fit"
 )
-(assert_return (invoke $Mm "load" (i32.const 0)) (i32.const 0))
+(assert_return (invoke $Mm "load" (i32.const 0)) (i32.const 97))
 
 (assert_unlinkable
   (module
@@ -351,4 +355,4 @@
   )
   "elements segment does not fit"
 )
-(assert_return (invoke $Mm "load" (i32.const 0)) (i32.const 0))
+(assert_return (invoke $Mm "load" (i32.const 0)) (i32.const 97))