saulecabrera requested fitzgen for a review on PR #7525.
saulecabrera requested wasmtime-compiler-reviewers for a review on PR #7525.
saulecabrera opened PR #7525 from saulecabrera:br_table_fuzzbug to bytecodealliance:main:
This patch fixes how jumps are handled in `br_table`; prior to this change, `br_table` was implemented using `CodeGenContext::unconditional_jump`; this function ensures, among other invariants, that the value stack and stack pointer must be balanced according to the expectation of the target branch. Even though in `br_table` there's a branch to a potentially known location, it's impossible to be certain at compile time which branch will be taken; in that regard, `br_table` behaves more like `br_if`. Using `unconditional_jump` resulted in the stack being manipulated multiple times and breaking the other existing invariants around stack balancing.

This commit makes it so that `br_table` doesn't rely on `unconditional_jump` anymore and instead it delegates control flow to the target branch, which will ensure that the value stack and stack pointer are correctly balanced when restoring reachability, very similar to what happens with `br_if`.

This issue was discovered while fuzzing and a file test is included with the test case.
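As an added illustration (not code from this PR, from Winch, or from Wasmtime), the following Python model of WebAssembly's value and label stacks shows the point the description makes: a `br_table` target is only known at run time, so the value stack must be unwound once, for the selected target alone, exactly as a `br_if` would do. The names `Label`, `Machine`, `run_switch` and `naive_br_table` are hypothetical, and `naive_br_table` is a constructed model of balancing the stack once per listed target, included to show how repeated manipulation breaks the height invariant; it is an assumption about the failure mode, not the actual Winch code path.

```python
"""Constructed model of WebAssembly structured control flow, added here to
illustrate the br_table stack-balancing point in the PR description.  It is
not Winch or Wasmtime code; Label, Machine, run_switch and naive_br_table are
hypothetical names for this example only."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Label:
    name: str     # block name, only used to make results readable
    arity: int    # number of result values the branch target expects
    height: int   # value-stack height when the block was entered


class Machine:
    """A value stack plus a control (label) stack, innermost label last."""

    def __init__(self) -> None:
        self.values: List[int] = []
        self.labels: List[Label] = []

    def push(self, v: int) -> None:
        self.values.append(v)

    def enter_block(self, name: str, arity: int) -> None:
        self.labels.append(Label(name, arity, len(self.values)))

    def branch(self, depth: int) -> str:
        """`br depth`: keep the target's `arity` results on top, drop everything
        above the target's entry height, and pop the labels that were exited."""
        target = self.labels[-1 - depth]
        if len(self.values) < target.height + target.arity:
            raise ValueError(f"stack underflow when branching to {target.name}")
        results = self.values[len(self.values) - target.arity:]
        self.values = self.values[:target.height] + results
        del self.labels[len(self.labels) - 1 - depth:]
        return target.name

    def br_table(self, index: int, targets: List[int], default: int) -> str:
        """Select the target at run time and balance the stack exactly once,
        for that target only; the same discipline br_if follows."""
        depth = targets[index] if 0 <= index < len(targets) else default
        return self.branch(depth)

    def naive_br_table(self, index: int, targets: List[int], default: int) -> str:
        """Constructed bug model (an assumption, not the real Winch code path):
        balance the stack for every listed target as if each were an
        unconditional jump, then dispatch.  Each rewrite assumes the previous
        one did not happen, so the target actually taken may find the stack
        below the height it was promised."""
        for depth in targets:
            t = self.labels[-1 - depth]
            kept = self.values[len(self.values) - t.arity:]
            self.values = self.values[:t.height] + kept
        return self.br_table(index, targets, default)


def run_switch(index: int, naive: bool = False) -> Tuple[str, List[int]]:
    """Model of this constructed module (sketched as wat; all br_table targets
    have the same result type, as validation requires, but different heights):

        (block $outer (result i32)      ;; entry height 0
          i32.const 10
          (block $inner (result i32)    ;; entry height 1
            i32.const 20
            i32.const 30
            local.get $index
            br_table $inner $outer $outer))

    Returns the label taken and the value stack afterwards, or an error string
    if the height invariant was violated."""
    m = Machine()
    m.enter_block("outer", arity=1)
    m.push(10)
    m.enter_block("inner", arity=1)
    m.push(20)
    m.push(30)
    dispatch = m.naive_br_table if naive else m.br_table
    try:
        taken = dispatch(index, [0, 1], 1)
    except ValueError as e:
        return f"error: {e}", list(m.values)
    return taken, list(m.values)


if __name__ == "__main__":
    for i in (0, 1, 9):
        print(i, run_switch(i))
    print("naive, index 1:", run_switch(1, naive=True))
    print("naive, index 0:", run_switch(0, naive=True))
```

Note that the naive model only fails for some indices (index 1 happens to produce the right stack, index 0 underflows), which is the kind of input-dependent miscompile that fuzzing, rather than a single hand-written test, tends to surface.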
saulecabrera updated PR #7525.
fitzgen submitted PR review.
saulecabrera merged PR #7525.
Last updated: Jan 24 2025 at 00:11 UTC