diff options
| author | Alon Zakai <azakai@google.com> | 2021-05-10 16:16:15 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-05-10 16:16:15 -0700 |
| commit | 5670de328320a554d4b6fa20b2fde37b4f337ce3 (patch) | |
| tree | 0107226aeba65cc93328e1b4d5d2e22b3615de4b /src/wasm/wasm.cpp | |
| parent | 1c882c09fdf14317943235f60b6d1008c09aeefc (diff) | |
| download | binaryen-5670de328320a554d4b6fa20b2fde37b4f337ce3.tar.gz binaryen-5670de328320a554d4b6fa20b2fde37b4f337ce3.tar.bz2 binaryen-5670de328320a554d4b6fa20b2fde37b4f337ce3.zip | |
[Wasm GC] Fix precomputing of incompatible fallthrough values (#3875)
Precompute not only computes values, but looks at the fallthrough,
(local.set 0
(block
..stuff we can ignore..
;; the fallthrough we care about - if a value is set to local 0, it is this
(i32.const 10)
)
)
Normally that is fine, but the fuzzer found a case where it is not: RefCast may
return a different type than the fallthrough, even an incompatible type if we
try to do something bad like cast a function to a struct. As we may then
propagate the value to a place that expects the proper type, this can cause an
error.
To fix this, check if the precomputed value is a proper subtype. If it is not,
then do not look through into the fallthrough, but compute the entire thing.
(In the case of a bad RefCast of a func to a struct, it would then indicate a
trap happens, and we would not precompute the value.)
Diffstat (limited to 'src/wasm/wasm.cpp')
0 files changed, 0 insertions, 0 deletions