From 6ab05d914bbee87dd4a26f218a04e7ea918a2271 Mon Sep 17 00:00:00 2001
From: Thomas Lively <7121787+tlively@users.noreply.github.com>
Date: Tue, 29 Jun 2021 14:22:54 +0000
Subject: Only set `supertype` if nominal typing is enabled (#3958)

The code for printing and emitting the experimental nominal type constructors added in #3933 assumes that supertypes were only returned from `getSuperType` when nominal typing was enabled. `getSuperType` in turn was assuming that the supertype field would only be set if nominal typing was enabled, but this was not the case. This bug caused use-after-free errors because equirecursive canonicalization left the supertype field pointing to a temporary HeapTypeInfo that would be freed at the end of parsing but then accessed during module writing. To fix the issue, only set `supertype` if nominal typing is enabled, as originally intended.
---
 src/wasm/wasm-type.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/wasm/wasm-type.cpp b/src/wasm/wasm-type.cpp
index 9bae42e98..eb1bd14b1 100644
--- a/src/wasm/wasm-type.cpp
+++ b/src/wasm/wasm-type.cpp
@@ -2278,9 +2278,11 @@ Type TypeBuilder::getTempRttType(Rtt rtt) {
 
 void TypeBuilder::setSubType(size_t i, size_t j) {
   assert(i < size() && j < size() && "index out of bounds");
-  HeapTypeInfo* sub = impl->entries[i].info.get();
-  HeapTypeInfo* super = impl->entries[j].info.get();
-  sub->supertype = super;
+  if (typeSystem == TypeSystem::Nominal) {
+    HeapTypeInfo* sub = impl->entries[i].info.get();
+    HeapTypeInfo* super = impl->entries[j].info.get();
+    sub->supertype = super;
+  }
 }
 
 namespace {
-- 
cgit v1.2.3
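Review bot: Under any type system other than Nominal the new `if` in `setSubType` silently drops the subtype declaration, and nothing at the call site tells a reader that this is deliberate rather than a missed case; a comment above the check would record the lifetime reason, e.g. `// Only nominal typing keeps supertypes: under equirecursive typing the entries are canonicalized into temporaries, so a stored supertype pointer would dangle (see #3958).` `typeSystem` is used here but not declared within the hunk, so whether it is a TypeBuilder member or a global setting cannot be confirmed from this view. The fix also relies on `HeapTypeInfo::supertype` never having been set on the non-nominal path, yet its default initialization is not visible here and `getSuperType` (outside the hunk) still trusts the field unconditionally; it may be worth documenting that the field must default to null, or adding a debug assertion at the point `getSuperType` reads it, so the invariant this change restores is enforced rather than assumed. The function `setSubType` is fully contained in the hunk; the trailing `namespace {` continues past it.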