From d9a57f8bac6e8dfd366a12f5ff97f58ceb242b91 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Mon, 3 Oct 2022 12:41:35 -0700
Subject: Fix ordering of visit() in MemoryGrow interpretation (#5108)

This is a pretty subtle point that was missed in #4811 - we need to first visit the child, then compute the size, as the child may alter that size.

Found by the fuzzer.
---
 src/wasm-interpreter.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'src/wasm-interpreter.h')

diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
index 56336b237..69434a297 100644
--- a/src/wasm-interpreter.h
+++ b/src/wasm-interpreter.h
@@ -3322,15 +3322,15 @@ public:
   }
   Flow visitMemoryGrow(MemoryGrow* curr) {
     NOTE_ENTER("MemoryGrow");
+    Flow flow = self()->visit(curr->delta);
+    if (flow.breaking()) {
+      return flow;
+    }
     auto info = getMemoryInstanceInfo(curr->memory);
     auto memorySize = info.instance->getMemorySize(info.name);
     auto* memory = info.instance->wasm.getMemory(info.name);
     auto indexType = memory->indexType;
     auto fail = Literal::makeFromInt64(-1, memory->indexType);
-    Flow flow = self()->visit(curr->delta);
-    if (flow.breaking()) {
-      return flow;
-    }
     Flow ret = Literal::makeFromInt64(memorySize, indexType);
     uint64_t delta = flow.getSingleValue().getUnsigned();
     if (delta > uint32_t(-1) / Memory::kPageSize && indexType == Type::i32) {
-- 
cgit v1.2.3
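Review bot: Nothing in the new code records why the child must be visited before `getMemorySize`, so a later cleanup that hoists the memory lookups back above the visit would silently reintroduce the ordering bug the fuzzer found; the commit message explains it but the code does not. A one-line comment above the added `Flow flow = self()->visit(curr->delta);` such as `// Evaluate delta first: the child may itself grow memory, so the size must be read afterwards.` would pin the invariant where the next reader sees it. Separately, `auto fail = Literal::makeFromInt64(-1, memory->indexType);` re-reads the field although the `indexType` local is declared on the line just above; `auto fail = Literal::makeFromInt64(-1, indexType);` matches the `ret` line below it. The body of visitMemoryGrow continues past the end of the hunk.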