diff options
| author | Alon Zakai <azakai@google.com> | 2022-09-06 13:56:50 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-06 13:56:50 -0700 |
| commit | 16f72aae58b6c856d405d6d608efd436549ea678 (patch) | |
| tree | d2b55e6cef5128719f1b736e67a96891a97749f9 /src | |
| parent | bd5422c8f13265cf89bdf49f30a04b882ee91d0e (diff) | |
| download | binaryen-16f72aae58b6c856d405d6d608efd436549ea678.tar.gz binaryen-16f72aae58b6c856d405d6d608efd436549ea678.tar.bz2 binaryen-16f72aae58b6c856d405d6d608efd436549ea678.zip | |
[Wasm GC] Fix GlobalTypeOptimization fuzz bug on replacing unreachable struct.set (#5021)
We replaced an unreachable struct.set with something reachable, which can
break validation in corner cases.
Diffstat (limited to 'src')
| -rw-r--r-- | src/ir/ordering.h | 14 | ||||
| -rw-r--r-- | src/wasm/wasm.cpp | 2 |
2 files changed, 15 insertions, 1 deletions
diff --git a/src/ir/ordering.h b/src/ir/ordering.h index ed2c00ee2..bc8d69055 100644 --- a/src/ir/ordering.h +++ b/src/ir/ordering.h @@ -34,6 +34,11 @@ namespace wasm { // // (temp = first, second, temp) // +// The first expression is assumed to not be unreachable (otherwise, there is no +// value to get the result of). If the second is unreachable, this returns +// something with type unreachable (that avoids returning something with a +// concrete type, which might replace something with unreachable type - we want +// to keep the type the same, in most cases). inline Expression* getResultOfFirst(Expression* first, Expression* second, Function* func, @@ -43,6 +48,15 @@ inline Expression* getResultOfFirst(Expression* first, Builder builder(*wasm); + if (second->type == Type::unreachable) { + // No value is actually consumed here. Emit something with unreachable type. + // (Note that if we continued to the canReorder code after us, and emitted + // second followed by first, then the block would have a concrete type due + // to the last element having such a type - which would not have unreachable + // type.) + return builder.makeSequence(builder.makeDrop(first), second); + } + if (EffectAnalyzer::canReorder(passOptions, *wasm, first, second)) { return builder.makeSequence(second, first); } diff --git a/src/wasm/wasm.cpp b/src/wasm/wasm.cpp index a445d74bf..af40896ce 100644 --- a/src/wasm/wasm.cpp +++ b/src/wasm/wasm.cpp @@ -182,7 +182,7 @@ void Block::finalize() { return; } // The default type is what is at the end. Next we need to see if breaks and/ - // or unreachabitily change that. + // or unreachability change that. type = list.back()->type; if (!name.is()) { // Nothing branches here, so this is easy. |