Closed
Bug 1340237
Opened 7 years ago
Closed 7 years ago
Fuzzer-found wasms that validate but should not
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
DUPLICATE
of bug 1338002
People
(Reporter: azakai, Unassigned)
Details
Attachments
(2 files)
Attached are two wasms that validate in SpiderMonkey but do not in V8 and the spec interpreter, so my best guess is that SpiderMonkey is wrong. E.g. on the first, v8 gives CompileError: WebAssembly.instantiate(): Compiling WASM function #45:<?> failed:Result = expected 1 elements on the stack for fallthru to @1 @+76 and the spec interpreter 0x16aa-0x16fc: invalid module: type mismatch: operator requires [i64] but stack has [] Errors on the second wasm are almost identical, so hopefully the same thing. It also seems that Binaryen has a bug since it emits these wasms.
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
Debugging in Binaryen, it seems the issue is a function that contains a body with only this (if (..cond..) (return ..) (return ..) ) while the function returns i64. Binaryen emitted an if with type none as the function body, which is wrong I guess as the fallthrough value must be i64. So perhaps SpiderMonkey doesn't validate that fallthrough properly? Fixing Binaryen to emit an unreachable after the if.
|
||
Comment 3•7 years ago
|
||
Confirmed that these are rejected by the polymorphic checking patch in bug 1338002.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•