authorThomas Lively <tlively@google.com>2024-08-19 16:07:11 -0700
committerGitHub <noreply@github.com>2024-08-19 16:07:11 -0700
commit2c9c74d8b64e1776c6c374af8631995b0be606f1 (patch)
tree504428ae6dd06ed972765604a3acb2fad4c8fb65 /src
parent127844ca1f6d182797e925b3d062c3484aaf5c23 (diff)
Validate array.init_elem segment in IRBuilder (#6852)
IRBuilder is responsible for validation involving type annotations on GC instructions because those type annotations may not be preserved in the built IR to be used by the main validator. For `array.init_elem`, we were not using the type annotation to validate the element segment, which allowed us to parse invalid modules when the reference operand was a nullref. Add the missing validation in IRBuilder and fix a relevant spec test.
Diffstat (limited to 'src')
-rw-r--r--src/wasm/wasm-ir-builder.cpp10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/wasm/wasm-ir-builder.cpp b/src/wasm/wasm-ir-builder.cpp
index 2f2f3b595..b238a926c 100644
--- a/src/wasm/wasm-ir-builder.cpp
+++ b/src/wasm/wasm-ir-builder.cpp
@@ -1801,6 +1801,16 @@ Result<> IRBuilder::makeArrayInitData(HeapType type, Name data) {
}
Result<> IRBuilder::makeArrayInitElem(HeapType type, Name elem) {
+ // Validate the elem type, too, before we potentially forget the type
+ // annotation.
+ if (!type.isArray()) {
+ return Err{"expected array type annotation on array.init_elem"};
+ }
+ if (!Type::isSubType(wasm.getElementSegment(elem)->type,
+ type.getArray().element.type)) {
+ return Err{"element segment type must be a subtype of array element type "
+ "on array.init_elem"};
+ }
ArrayInitElem curr;
CHECK_ERR(ChildPopper{*this}.visitArrayInitElem(&curr, type));
CHECK_ERR(validateTypeAnnotation(type, curr.ref));