From 72bacfd46fb0ed4851c22344c3cc632e701ce022 Mon Sep 17 00:00:00 2001 From: Heejin Ahn Date: Mon, 9 Dec 2019 06:42:10 -0800 Subject: Fix comparison of none and unreachable types (#2514) Currently `none` and `unreachable` types are stored as the same empty `{}` in src/wasm/wasm-type.cpp. This makes `Type::operator<` incorrectly when given `none` and `unreachable`, because it expands both given types and lexicographically compare them, when both of the expanded vector will be empty. This was found by the fuzzer. This line in `Modder::visitExpression` tries to retrieve candidates of the same type. Because we can't really compare these two types, if you give `unreachable` as the key, candidates of `none` type can be returned. This generates incorrect code that ends up failing in validation in a very weird way. It was hard to generate a small testcase to trigger this part because it was found by generating fuzzed code from a random data file. But I guess this fix is pretty straightforward. Fixes #2512. --- src/wasm/wasm-type.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/wasm/wasm-type.cpp b/src/wasm/wasm-type.cpp index d5a3668fb..bc17e2193 100644 --- a/src/wasm/wasm-type.cpp +++ b/src/wasm/wasm-type.cpp @@ -56,7 +56,7 @@ std::vector>> typeLists = [] { }; add({}); - add({}); + add({Type::unreachable}); add({Type::i32}); add({Type::i64}); add({Type::f32}); @@ -69,7 +69,7 @@ std::vector>> typeLists = [] { std::unordered_map, uint32_t> indices = { {{}, Type::none}, - {{}, Type::unreachable}, + {{Type::unreachable}, Type::unreachable}, {{Type::i32}, Type::i32}, {{Type::i64}, Type::i64}, {{Type::f32}, Type::f32}, -- cgit v1.2.3
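Review bot: in the first hunk (`@@ -56,7 +56,7 @@`), `add({Type::unreachable})` makes `unreachable` expand to a list that contains itself, and nothing at that line says why. A short comment should state that the entry exists so the expansion differs from the empty list used for `none`, since the commit message says `Type::operator<` compares the expanded lists lexicographically. Code that walks an expanded list will now see an `unreachable` element where it previously saw an empty list, so it is worth confirming that this is acceptable for those callers. The message notes that a small fuzz-derived testcase was hard to produce, but a direct unit test that `Type::none` and `Type::unreachable` order strictly (exactly one of `a < b` and `b < a` holds) would pin the fix without needing a module.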
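Review bot: in the second hunk (`@@ -69,7 +69,7 @@`), the `indices` initializer has to be edited by hand to mirror the `add(...)` calls in `typeLists`, which is how the duplicated `{}` key ended up there in the first place. With two entries sharing the key `{}`, an `std::unordered_map` keeps only one of them, so one of `Type::none` and `Type::unreachable` was silently missing from the lookup. Consider deriving `indices` from `typeLists` instead of listing the pairs twice, or adding an assertion after initialization that the two containers have the same size and that every list in `typeLists` maps back to its own index, so a future duplicate key fails loudly.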