wasmtime / PR #7525 winch: Do not use `unconditional_jump... · git-wasmtime

Stream: git-wasmtime

Topic: wasmtime / PR #7525 winch: Do not use `unconditional_jump...

Wasmtime GitHub notifications bot (Nov 10 2023 at 19:21):

saulecabrera requested fitzgen for a review on PR #7525.

Wasmtime GitHub notifications bot (Nov 10 2023 at 19:21):

saulecabrera requested wasmtime-compiler-reviewers for a review on PR #7525.

Wasmtime GitHub notifications bot (Nov 10 2023 at 19:21):

saulecabrera opened PR #7525 from saulecabrera:br_table_fuzzbug to bytecodealliance:main:

This patch fixes how jumps are handled in br_table; prior to this change, br_table was implemented using
CodeGenContext::unconditional_jump; this function ensures, among other invariants that the value stack and stack pointer must be balanced according to the expectation of the target branch. Even though in br_table there's branch to a potentially known location, it's impossible be certain at compile time, which branch will be taken; in that regard, br_table behaves more like br_if. Using unconditional_jump resulted in the stack being manipulated multiple times and breaking the other existing invariants around stack balancing.

This commit makes it so that br_table doesn't rely on unconditional_jump anymore and instead it delegates control flow to the target branch, which will ensure that the value stack and stack pointer are correctly balanced when restoring reachability, very similar to what happens with br_if.

This issue was discovered while fuzzing and a file test is included with the test case.

Wasmtime GitHub notifications bot (Nov 10 2023 at 19:51):

saulecabrera updated PR #7525.

Wasmtime GitHub notifications bot (Nov 10 2023 at 20:59):

fitzgen submitted PR review.

Wasmtime GitHub notifications bot (Nov 10 2023 at 21:45):

saulecabrera merged PR #7525.

Last updated: Nov 22 2024 at 16:03 UTC