path: root/test/lit/array-new-seg-note-count.wast
author Thomas Lively <tlively@google.com> 2022-11-11 12:08:08 -0800
committer GitHub <noreply@github.com> 2022-11-11 20:08:08 +0000
commit cf908c7976d02a9d3d4810a2b5a04e502e4efed2 (patch)
tree ac04d8c683903cc76b6e95668bf850f03f9b4be8 /test/lit/array-new-seg-note-count.wast
parent 3928189214e03430bbc9f2b51c6af3887b465160 (diff)
Fix two fuzz bugs with ArrayNewSeg (#5242)
First, we forgot to note the type annotation on `ArrayNewSeg` instructions, so in small modules where these are the only annotated instructions, the type section would be incomplete.

Second, in the interpreter we were reserving space for the array before checking that the segment access was valid. This could cause huge allocations that threw bad_alloc exceptions before the interpreter could get around to trapping. Fix the problem by reserving the array after validating the arguments.

Fixes #5236.
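The ordering described in the commit message (validate the segment access, then reserve), shown as an added example that is not Binaryen's code. `newArrayFromData` and `kSegment` are hypothetical names and the sample bytes are constructed; a `std::nullopt` result stands in for a trap.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Constructed sample segment: two little-endian i32 values, 1 and 2.
const std::vector<uint8_t> kSegment = {1, 0, 0, 0, 2, 0, 0, 0};

// Hypothetical stand-in for an interpreter's array.new_data on an i32 array.
// Returns std::nullopt where a real interpreter would trap.
std::optional<std::vector<int32_t>> newArrayFromData(
    const std::vector<uint8_t>& segment, uint32_t offset, uint32_t size) {
  // Widen to 64 bits so offset + size * 4 cannot wrap around.
  const uint64_t end = uint64_t(offset) + uint64_t(size) * 4;
  if (end > segment.size()) {
    return std::nullopt; // trap before any memory is reserved
  }
  // Only now is `size` bounded by the segment length, so reserving is safe.
  std::vector<int32_t> values;
  values.reserve(size);
  for (uint32_t i = 0; i < size; ++i) {
    const uint8_t* p = segment.data() + offset + uint64_t(i) * 4;
    const uint32_t bits = uint32_t(p[0]) | uint32_t(p[1]) << 8 |
                          uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
    values.push_back(int32_t(bits));
  }
  return values;
}

int main() {
  // An empty segment with a huge requested length must trap, not allocate.
  const bool trapped = !newArrayFromData({}, 0, 0xFFFFFFFFu).has_value();
  const auto ok = newArrayFromData(kSegment, 4, 1);
  std::printf("huge size trapped: %d, in-bounds value: %d\n", trapped,
              ok ? (*ok)[0] : -1);
  return 0;
}
```

Swapping the `reserve` call above the bounds check reproduces the failure mode the message describes: the allocation is sized from an unvalidated operand.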
Diffstat (limited to 'test/lit/array-new-seg-note-count.wast')
-rw-r--r-- test/lit/array-new-seg-note-count.wast 25
1 files changed, 25 insertions, 0 deletions
diff --git a/test/lit/array-new-seg-note-count.wast b/test/lit/array-new-seg-note-count.wast
new file mode 100644
index 000000000..45c08e313
--- /dev/null
+++ b/test/lit/array-new-seg-note-count.wast
@@ -0,0 +1,25 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py --all-items and should not be edited.
+
+;; RUN: wasm-opt %s -all --roundtrip -S -o - | filecheck %s
+
+;; Test that the array type is emitted into the type section properly.
+(module
+ ;; CHECK: (type $vec (array i32))
+ (type $vec (array i32))
+ ;; CHECK: (type $none_=>_ref|$vec| (func (result (ref $vec))))
+
+ ;; CHECK: (data "")
+ (data "")
+ ;; CHECK: (func $test (result (ref $vec))
+ ;; CHECK-NEXT: (array.new_data $vec 0
+ ;; CHECK-NEXT: (i32.const 0)
+ ;; CHECK-NEXT: (i32.const 0)
+ ;; CHECK-NEXT: )
+ ;; CHECK-NEXT: )
+ (func $test (result (ref $vec))
+ (array.new_data $vec 0
+ (i32.const 0)
+ (i32.const 0)
+ )
+ )
+)
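Review bot: the comment above `(module` ("Test that the array type is emitted into the type section properly") does not say what regressed before the fix. `$vec` is also named in the result type of `$test`, so the comment should state that the type annotation on `array.new_data` is what has to be noted, so that a later reader knows which regression this file guards. Separately, the file uses an empty `(data "")` with offset and size both `(i32.const 0)` and runs only `--roundtrip`, so it covers the first bug from the commit message only. The interpreter change (validating the segment access before reserving the array) is not exercised here and needs a test with an out-of-bounds size that expects a trap, unless another file in the commit already adds one.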