
Commit 1c51746

authored
Avoid assertions when parsing incorrect type annotations (#7662)
Audit child-typer.h for all uses of `getStruct()`, `getArray()`, `getSignature()`, and `getContinuation()` on the passed type immediates and make sure that their calling factory methods in IRBuilder guard against type annotations that would cause assertion failures in these calls.
1 parent e73224a commit 1c51746


1 file changed

+38
-5
lines changed


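--- a/src/wasm/wasm-ir-builder.cpp
+++ b/src/wasm/wasm-ir-builder.cpp
@@ -1500,6 +1500,9 @@ Result<> IRBuilder::makeCallIndirect(Name table,
 HeapType type,
 bool isReturn,
 std::optional<std::uint8_t> inline_) {
+if (!type.isSignature()) {
+return Err{"expected function type annotation on call_indirect"};
+}
 CallIndirect curr(wasm.allocator);
 curr.heapType = type;
 curr.operands.resize(type.getSignature().params.size());
@@ -2005,6 +2008,9 @@ Result<> IRBuilder::makeI31Get(bool signed_) {
 Result<> IRBuilder::makeCallRef(HeapType type,
 bool isReturn,
 std::optional<std::uint8_t> inline_) {
+if (!type.isSignature()) {
+return Err{"expected function type annotation on call_ref"};
+}
 CallRef curr(wasm.allocator);
 if (!type.isSignature()) {
 return Err{"expected function type"};
@@ -2217,6 +2223,9 @@ Result<> IRBuilder::makeBrOn(
 }
 
 Result<> IRBuilder::makeStructNew(HeapType type) {
+if (!type.isStruct()) {
+return Err{"expected struct type annotation on struct.new"};
+}
 StructNew curr(wasm.allocator);
 curr.type = Type(type, NonNullable, Exact);
 curr.operands.resize(type.getStruct().fields.size());
@@ -2248,6 +2257,9 @@ Result<> IRBuilder::makeStructGet(HeapType type,
 
 Result<>
 IRBuilder::makeStructSet(HeapType type, Index field, MemoryOrder order) {
+if (!type.isStruct()) {
+return Err{"expected struct type annotation on struct.set"};
+}
 StructSet curr;
 curr.index = field;
 CHECK_ERR(ChildPopper{*this}.visitStructSet(&curr, type));
@@ -2260,6 +2272,9 @@ Result<> IRBuilder::makeStructRMW(AtomicRMWOp op,
 HeapType type,
 Index field,
 MemoryOrder order) {
+if (!type.isStruct()) {
+return Err{"expected struct type annotation on struct.atomic.rmw"};
+}
 StructRMW curr;
 curr.index = field;
 CHECK_ERR(ChildPopper{*this}.visitStructRMW(&curr, type));
@@ -2270,6 +2285,9 @@ Result<> IRBuilder::makeStructRMW(AtomicRMWOp op,
 
 Result<>
 IRBuilder::makeStructCmpxchg(HeapType type, Index field, MemoryOrder order) {
+if (!type.isStruct()) {
+return Err{"expected struct type annotation on struct.atomic.rmw"};
+}
 StructCmpxchg curr;
 curr.index = field;
 CHECK_ERR(ChildPopper{*this}.visitStructCmpxchg(&curr, type));
@@ -2280,6 +2298,9 @@ IRBuilder::makeStructCmpxchg(HeapType type, Index field, MemoryOrder order) {
 }
 
 Result<> IRBuilder::makeArrayNew(HeapType type) {
+if (!type.isArray()) {
+return Err{"expected array type annotation on array.new"};
+}
 ArrayNew curr;
 curr.type = Type(type, NonNullable, Exact);
 // Differentiate from array.new_default with dummy initializer.
@@ -2312,10 +2333,10 @@ Result<> IRBuilder::makeArrayNewElem(HeapType type, Name elem) {
 }
 
 Result<> IRBuilder::makeArrayNewFixed(HeapType type, uint32_t arity) {
-ArrayNewFixed curr(wasm.allocator);
 if (!type.isArray()) {
 return Err{"expected array type annotation on array.new_fixed"};
 }
+ArrayNewFixed curr(wasm.allocator);
 curr.type = Type(type, NonNullable);
 curr.values.resize(arity);
 CHECK_ERR(visitArrayNewFixed(&curr));
@@ -2334,6 +2355,9 @@ IRBuilder::makeArrayGet(HeapType type, bool signed_, MemoryOrder order) {
 }
 
 Result<> IRBuilder::makeArraySet(HeapType type, MemoryOrder order) {
+if (!type.isArray()) {
+return Err{"expected array type annotation on array.set"};
+}
 ArraySet curr;
 CHECK_ERR(ChildPopper{*this}.visitArraySet(&curr, type));
 CHECK_ERR(validateTypeAnnotation(type, curr.ref));
@@ -2359,6 +2383,9 @@ Result<> IRBuilder::makeArrayCopy(HeapType destType, HeapType srcType) {
 }
 
 Result<> IRBuilder::makeArrayFill(HeapType type) {
+if (!type.isArray()) {
+return Err{"expected array type annotation on array.fill"};
+}
 ArrayFill curr;
 CHECK_ERR(ChildPopper{*this}.visitArrayFill(&curr, type));
 CHECK_ERR(validateTypeAnnotation(type, curr.ref));
@@ -2396,6 +2423,9 @@ Result<> IRBuilder::makeArrayInitElem(HeapType type, Name elem) {
 
 Result<>
 IRBuilder::makeArrayRMW(AtomicRMWOp op, HeapType type, MemoryOrder order) {
+if (!type.isArray()) {
+return Err{"expected array type annotation on array.atomic.rmw"};
+}
 ArrayRMW curr;
 CHECK_ERR(ChildPopper{*this}.visitArrayRMW(&curr, type));
 CHECK_ERR(validateTypeAnnotation(type, curr.ref));
@@ -2404,6 +2434,9 @@ IRBuilder::makeArrayRMW(AtomicRMWOp op, HeapType type, MemoryOrder order) {
 }
 
 Result<> IRBuilder::makeArrayCmpxchg(HeapType type, MemoryOrder order) {
+if (!type.isArray()) {
+return Err{"expected array type annotation on array.atomic.rmw"};
+}
 ArrayCmpxchg curr;
 CHECK_ERR(ChildPopper{*this}.visitArrayCmpxchg(&curr, type));
 CHECK_ERR(validateTypeAnnotation(type, curr.ref));
@@ -2500,7 +2533,7 @@ Result<> IRBuilder::makeContNew(HeapType type) {
 
 Result<> IRBuilder::makeContBind(HeapType sourceType, HeapType targetType) {
 if (!sourceType.isContinuation() || !targetType.isContinuation()) {
-return Err{"expected continuation types"};
+return Err{"expected continuation type annotations on cont.bind"};
 }
 ContBind curr(wasm.allocator);
 
@@ -2590,7 +2623,7 @@ IRBuilder::makeResume(HeapType ct,
 return Err{"the sizes of tags and labels must be equal"};
 }
 if (!ct.isContinuation()) {
-return Err{"expected continuation type"};
+return Err{"expected continuation type annotation on resume"};
 }
 
 Resume curr(wasm.allocator);
@@ -2623,7 +2656,7 @@ IRBuilder::makeResumeThrow(HeapType ct,
 return Err{"the sizes of tags and labels must be equal"};
 }
 if (!ct.isContinuation()) {
-return Err{"expected continuation type"};
+return Err{"expected continuation type annotation on resume_throw"};
 }
 
 ResumeThrow curr(wasm.allocator);
@@ -2649,7 +2682,7 @@ IRBuilder::makeResumeThrow(HeapType ct,
 
 Result<> IRBuilder::makeStackSwitch(HeapType ct, Name tag) {
 if (!ct.isContinuation()) {
-return Err{"expected continuation type"};
+return Err{"expected continuation type annotation on switch"};
 }
 StackSwitch curr(wasm.allocator);
 curr.tag = tag;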
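Review bot: The `isSignature()` guard added at the top of makeCallRef (second hunk) makes the pre-existing check a few lines below it, `if (!type.isSignature()) { return Err{"expected function type"}; }` right after `CallRef curr(wasm.allocator);`, unreachable, so that older block should be deleted to leave one guard and one message; makeCallRef's body continues past the hunk. The guards added to makeStructCmpxchg and makeArrayCmpxchg also reuse the rmw wording, `"expected struct type annotation on struct.atomic.rmw"` and `"expected array type annotation on array.atomic.rmw"`, so a malformed cmpxchg is reported against the wrong instruction; the messages should name the cmpxchg mnemonic (`struct.atomic.rmw.cmpxchg` / `array.atomic.rmw.cmpxchg`). The direction is right from a robustness standpoint: a type immediate that names the wrong kind of heap type now yields an `Err` instead of reaching `getSignature()`/`getStruct()`/`getArray()` on a mismatched type, which asserts in debug builds and is presumably no better with assertions compiled out, so these paths are worth a regression test with inputs such as a `struct.new` whose type index names a func type.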
