From 2c9c74d8b64e1776c6c374af8631995b0be606f1 Mon Sep 17 00:00:00 2001
From: Thomas Lively
Date: Mon, 19 Aug 2024 16:07:11 -0700
Subject: Validate array.init_elem segment in IRBuilder (#6852)

IRBuilder is responsible for validation involving type annotations on GC instructions because those type annotations may not be preserved in the built IR to be used by the main validator. For `array.init_elem`, we were not using the type annotation to validate the element segment, which allowed us to parse invalid modules when the reference operand was a nullref. Add the missing validation in IRBuilder and fix a relevant spec test.
---
 src/wasm/wasm-ir-builder.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'src/wasm/wasm-ir-builder.cpp')

diff --git a/src/wasm/wasm-ir-builder.cpp b/src/wasm/wasm-ir-builder.cpp
index 2f2f3b595..b238a926c 100644
--- a/src/wasm/wasm-ir-builder.cpp
+++ b/src/wasm/wasm-ir-builder.cpp
@@ -1801,6 +1801,16 @@ Result<> IRBuilder::makeArrayInitData(HeapType type, Name data) {
 }

 Result<> IRBuilder::makeArrayInitElem(HeapType type, Name elem) {
+ // Validate the elem type, too, before we potentially forget the type
+ // annotation.
+ if (!type.isArray()) {
+ return Err{"expected array type annotation on array.init_elem"};
+ }
+ if (!Type::isSubType(wasm.getElementSegment(elem)->type,
+ type.getArray().element.type)) {
+ return Err{"element segment type must be a subtype of array element type "
+ "on array.init_elem"};
+ }
 ArrayInitElem curr;
 CHECK_ERR(ChildPopper{*this}.visitArrayInitElem(&curr, type));
 CHECK_ERR(validateTypeAnnotation(type, curr.ref));
-- cgit v1.2.3
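Review bot: The new check validates the element segment's type against the array element type but does not check that the destination array's element field is mutable, which `array.init_elem` also requires; by the commit's own reasoning, when `ref` is a null reference the type annotation is dropped from the built IR, so any later mutability check keyed off `curr.ref`'s type would presumably be skipped in exactly the same way the segment-type check was. I'd add it next to the subtype check, e.g. `if (type.getArray().element.mutable_ == Immutable) { return Err{"array.init_elem destination must be mutable"}; }` (adjusted to however `Field` exposes mutability in this codebase). Separately, `wasm.getElementSegment(elem)->type` dereferences the lookup result without a null check; if that lookup aborts on an unknown name rather than returning null, an unresolved segment name reaching this point would turn into a fatal error instead of an `Err`, so a nullable lookup plus an explicit `Err` is worth considering if any caller can pass a name it has not already resolved. `makeArrayInitElem`'s body continues past the end of the hunk.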