From 01bc21495af611948533686e372abddbd40825dc Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Tue, 6 Apr 2021 10:09:19 -0700
Subject: Fuzzing in JS VMs: Emit null for reference type params instead of 0 (#3774)

VMs will not convert a 0 or undefined from JS into a wasm null reference - it must be null.
---
 src/tools/js-wrapper.h | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'src/tools/js-wrapper.h')

diff --git a/src/tools/js-wrapper.h b/src/tools/js-wrapper.h
index 9568bccc0..e6f553124 100644
--- a/src/tools/js-wrapper.h
+++ b/src/tools/js-wrapper.h
@@ -104,16 +104,20 @@ static std::string generateJSWrapper(Module& wasm) {
 }
 ret += std::string("instance.exports.") + exp->name.str + "(";
 bool first = true;
- for (const auto& param : func->sig.params) {
+ for (auto param : func->sig.params) {
 // zeros in arguments TODO more?
 if (first) {
 first = false;
 } else {
 ret += ", ";
 }
- ret += "0";
- if (param == Type::i64) {
- ret += ", 0";
+ if (param.isRef()) {
+ ret += "null";
+ } else {
+ ret += "0";
+ if (param == Type::i64) {
+ ret += ", 0";
+ }
 }
 }
 ret += ")";
-- 
cgit v1.2.3
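Review bot: The context comment `// zeros in arguments TODO more?` directly above the new `param.isRef()` branch is now stale, since reference-typed params get `null` rather than a zero; I would reword it to `// null for reference params, zeros otherwise (i64 gets two) TODO more?`. The `isRef()` test also treats every reference type alike, but a non-nullable reference param, if the type system in use allows one, would presumably reject `null` at the call site and the generated wrapper would throw instead of exercising the export; a `param.isNullable()` check with a skip or fallback for that case seems worth considering, if that accessor is available on this `Type`. Copying `param` by value in the new `for (auto param : ...)` looks fine given how `Type` is used here, but that is inferred, not visible in the hunk. generateJSWrapper starts and ends outside this hunk.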