diff options
| author | Alon Zakai <azakai@google.com> | 2022-11-01 09:34:33 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-11-01 09:34:33 -0700 |
| commit | 5e0ab66800de5d376429fcd281bd4cd1e41d8ed5 (patch) | |
| tree | a28a6e12fbb790d2cf994f289e54e983f1a0e8d6 /test | |
| parent | 1fa6fcfebbec9e45bcdc481f19757ac14cda4699 (diff) | |
| download | binaryen-5e0ab66800de5d376429fcd281bd4cd1e41d8ed5.tar.gz binaryen-5e0ab66800de5d376429fcd281bd4cd1e41d8ed5.tar.bz2 binaryen-5e0ab66800de5d376429fcd281bd4cd1e41d8ed5.zip | |
Fix a fuzz issue with scanning heap read types (#5184)
If a heap type only ever appears as the result of a read, we must include it in
the analysis in ModuleUtils, even though it isn't written in the binary format.
Otherwise analyses using ModuleUtils can error on not finding all types in the
list of types.
Fixes #5180
Diffstat (limited to 'test')
| -rw-r--r-- | test/lit/passes/signature-refining_gto.wat | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/test/lit/passes/signature-refining_gto.wat b/test/lit/passes/signature-refining_gto.wat new file mode 100644 index 000000000..183ce7d54 --- /dev/null +++ b/test/lit/passes/signature-refining_gto.wat @@ -0,0 +1,45 @@ +;; RUN: foreach %s %t wasm-opt --nominal --signature-refining --gto --roundtrip -all -S -o - | filecheck %s + +(module + ;; The type $A should not be emitted at all (see below). + ;; CHECK-NOT: (type $A + (type $A (struct_subtype (field (mut (ref null $A))) data)) + + ;; CHECK: (type $ref|none|_=>_none (func_subtype (param (ref none)) func)) + + ;; CHECK: (type $funcref_i32_=>_none (func_subtype (param funcref i32) func)) + + ;; CHECK: (func $struct.get (type $ref|none|_=>_none) (param $0 (ref none)) + ;; CHECK-NEXT: (drop + ;; CHECK-NEXT: (local.get $0) + ;; CHECK-NEXT: ) + ;; CHECK-NEXT: (unreachable) + ;; CHECK-NEXT: ) + (func $struct.get (param $0 (ref $A)) + ;; This function is always called with a null, so the parameter type will be + ;; refined to that. After doing so, the struct.get will be reading from a + ;; null type, and we should avoid erroring on that in --gto which scans all + ;; the heap types and updates them. Likewise, we should not error during + ;; roundtrip which also scans heap types. + (drop + (struct.get $A 0 + (local.get $0) + ) + ) + ) + + ;; CHECK: (func $caller (type $funcref_i32_=>_none) (param $0 funcref) (param $1 i32) + ;; CHECK-NEXT: (call $struct.get + ;; CHECK-NEXT: (ref.as_non_null + ;; CHECK-NEXT: (ref.null none) + ;; CHECK-NEXT: ) + ;; CHECK-NEXT: ) + ;; CHECK-NEXT: ) + (func $caller (param $0 funcref) (param $1 i32) + (call $struct.get + (ref.as_non_null + (ref.null none) + ) + ) + ) +) |