fix an afl-fuzz bug where precompute alters a br to remove its condition, but does not properly modify the type (#1000)

3 files changed, 32 insertions, 0 deletions

diff --git a/src/passes/Precompute.cpp b/src/passes/Precompute.cpp
index dfb45f686..37686de1a 100644
--- a/src/passes/Precompute.cpp
+++ b/src/passes/Precompute.cpp
@@ -116,6 +116,7 @@ struct Precompute : public WalkerPass<PostWalker<Precompute, UnifiedExpressionVi
       if (auto* br = curr->dynCast<Break>()) {
         br->name = flow.breakTo;
         br->condition = nullptr;
+        br->finalize(); // if we removed a condition, the type may change
         if (flow.value.type != none) {
           // reuse a const value if there is one
           if (br->value) {
diff --git a/test/passes/precompute_coalesce-locals_vacuum.txt b/test/passes/precompute_coalesce-locals_vacuum.txt
new file mode 100644
index 000000000..76b2303f2
--- /dev/null
+++ b/test/passes/precompute_coalesce-locals_vacuum.txt
@@ -0,0 +1,11 @@
+(module
+ (type $0 (func (param i32) (result i32)))
+ (memory $0 0)
+ (func $nested-br_if-value (type $0) (param $0 i32) (result i32)
+  (loop $label$0 i32
+   (block $block i32
+    (br $label$0)
+   )
+  )
+ )
+)
diff --git a/test/passes/precompute_coalesce-locals_vacuum.wast b/test/passes/precompute_coalesce-locals_vacuum.wast
new file mode 100644
index 000000000..d7502989f
--- /dev/null
+++ b/test/passes/precompute_coalesce-locals_vacuum.wast
@@ -0,0 +1,20 @@
+(module
+ (func $nested-br_if-value (param $var$0 i32) (result i32)
+  (local $1 i32)
+  (local $2 i32)
+  (loop $label$0 i32
+   (drop
+    (i32.const 2)
+   )
+   (block i32
+    (set_local $2
+     (i32.const 4)
+    )
+    (br_if $label$0 ;; precomputing this into a br must change the type
+     (i32.const 1)
+    )
+    (get_local $2)
+   )
+  )
+ )
+)