Closed Bug 1340237 Opened 6 years ago Closed 6 years ago

Fuzzer-found wasms that validate but should not

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1338002

People

(Reporter: azakai, Unassigned)

Details

Attachments

(2 files)

sm1.wasm
36.55 KB, application/octet-stream
Details
sm2.wasm
49.39 KB, application/octet-stream
Details
Attached file sm1.wasm 
Attached are two wasms that validate in SpiderMonkey but do not in V8 and the spec interpreter, so my best guess is that SpiderMonkey is wrong. E.g. on the first, v8 gives

  CompileError: WebAssembly.instantiate(): Compiling WASM function #45:<?> failed:Result = expected 1 elements on the stack for fallthru to @1 @+76

and the spec interpreter

  0x16aa-0x16fc: invalid module: type mismatch: operator requires [i64] but stack has []

Errors on the second wasm are almost identical, so hopefully the same thing.

It also seems that Binaryen has a bug since it emits these wasms.
Attached file sm2.wasm 

    
    

    
  
Debugging in Binaryen, it seems the issue is a function that contains a body with only this

(if
  (..cond..)
  (return ..)
  (return ..)
)

while the function returns i64.

Binaryen emitted an if with type none as the function body, which is wrong I guess as the fallthrough value must be i64. So perhaps SpiderMonkey doesn't validate that fallthrough properly? Fixing Binaryen to emit an unreachable after the if.

    
    

    
  
Confirmed that these are rejected by the polymorphic checking patch in bug 1338002.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE

          You need to log in
          before you can comment on or make changes to this bug.