Stream: git-wasmtime

Topic: wasmtime / issue #12354 Off-by-One Enum discriminant vali...

view this post on Zulip Wasmtime GitHub notifications bot (Jan 15 2026 at 01:55):

zzjas opened issue #12354:

Test Case

(assert_trap
  (component
    (type $enum (enum "case0" "case1" "case2"))

    ;; Returns invalid discriminant 3 (valid range: 0-2)
    (component $producer
      (import "enum" (type $enum' (eq $enum)))
      (core module $core
        (func (export "get") (result i32) (i32.const 3)))
      (core instance $inst (instantiate $core))
      (func (export "get") (result $enum') (canon lift (core func $inst "get"))))

    ;; Calls producer through adapter - validation should trap here
    (component $consumer
      (import "enum" (type $enum' (eq $enum)))
      (import "get" (func $get (result $enum')))
      (core func $lowered (canon lower (func $get)))
      (core module $core
        (import "" "get" (func (result i32)))
        (func $start (call 0) drop)
        (start $start))
      (core instance (instantiate $core (with "" (instance (export "get" (func $lowered)))))))

    (instance $prod (instantiate $producer (with "enum" (type $enum))))
    (instance (instantiate $consumer (with "enum" (type $enum)) (with "get" (func $prod "get")))))
  "invalid variant discriminant")

Here the line (func (export "get") (result $enum') (canon lift (core func $inst "get"))) tries to lift the $inst."get" (which returns the invalid discriminant) into a component function returning the enum with 3 variants.

Steps to Reproduce

Save the wast test somewhere (e.g. tests/misc_testsuite/component-model/enum-discriminant-bug.wast) and run

cargo test -p wasmtime-cli --test wast -- enum-discriminant-bug

will give:

Caused by:
    0: failed directive on .../tests/misc_testsuite/component-model/enum-discriminant-bug.wast:2
    1: expected trap, got Component([])

Expected Results

3 is an invalid discriminant so it should be trapped and pass the assertion.

Actual Results

Not trapped and failed the assertion.

Versions and Environment

Wasmtime version or commit: 2e23e223c03543ee81344353e2d6418c0f3de47c

Extra Info

The discriminant check should have used I32GeU at line 3045:
https://github.com/bytecodealliance/wasmtime/blob/b856261dde3ea2624511fe4f48c3ed0790ddaa61/crates/environ/src/fact/trampoline.rs#L3043-L3048

I believe this doesn't enable any memory safety issues since other lifting locations have correct checks:
https://github.com/bytecodealliance/wasmtime/blob/b856261dde3ea2624511fe4f48c3ed0790ddaa61/crates/component-macro/src/component.rs#L653-L655
https://github.com/bytecodealliance/wasmtime/blob/b856261dde3ea2624511fe4f48c3ed0790ddaa61/crates/wasmtime/src/runtime/component/values.rs#L994-L996

Thanks for looking into this! And as before, happy to submit a PR to fix if it's indeed a bug and the test looks ok.

view this post on Zulip Wasmtime GitHub notifications bot (Jan 15 2026 at 01:55):

zzjas added the bug label to Issue #12354.

view this post on Zulip Wasmtime GitHub notifications bot (Jan 15 2026 at 02:11):

pchickey assigned alexcrichton to issue #12354.

view this post on Zulip Wasmtime GitHub notifications bot (Jan 15 2026 at 02:13):

pchickey commented on issue #12354:

Thanks for a really high quality bug report! I appreciate that you checked that this was not a memory safety issue before filing a public bug report, if you do discover those please do follow our security policy: https://github.com/bytecodealliance/wasmtime/blob/main/SECURITY.md

I agree with your assessment of the bug but Alex knows this code better than anyone so I want his eyes on it too. Its a 1 character fix so you are welcome to send the PR or else one of us can make it trivially.

view this post on Zulip Wasmtime GitHub notifications bot (Jan 15 2026 at 02:15):

pchickey edited a comment on issue #12354:

Thanks for a really high quality bug report! I appreciate that you checked that this was not a memory safety issue before filing a public bug report, if you do discover those please do follow our security policy: https://github.com/bytecodealliance/wasmtime/blob/main/SECURITY.md

I agree with your assessment of the bug but Alex knows this code better than anyone so I want his eyes on it too. Its a 1 character fix so you are welcome to send the PR or else one of us can make it trivially.

Just curious, did you find this "manually" or did you use any tools to assist discovering this? If you did use tools that we might want to consider adding to our regular fuzzing or CI process, please talk to us about that on https://bytecodealliance.zulipchat.com/

view this post on Zulip Wasmtime GitHub notifications bot (Jan 15 2026 at 02:16):

pchickey edited a comment on issue #12354:

Thanks for a really high quality bug report! I appreciate that you checked that this was not a memory safety issue before filing a public bug report, if you do discover those please do follow our security policy: https://github.com/bytecodealliance/wasmtime/blob/main/SECURITY.md

I agree with your assessment of the bug but Alex knows this code better than anyone so I want his eyes on it too. Its a 1 character fix (plus the nice regression test you wrote) so you are welcome to send the PR or else one of us can make it trivially.

Just curious, did you find this "manually" or did you use any tools to assist discovering this? If you did use tools that we might want to consider adding to our regular fuzzing or CI process, please talk to us about that on https://bytecodealliance.zulipchat.com/

view this post on Zulip Wasmtime GitHub notifications bot (Jan 15 2026 at 02:57):

zzjas commented on issue #12354:

Thanks for looking into the report! I created a PR for it.

I did use automated tools to discover this bug (and a few others that I reported recently). Now the tool is still in its very early development phase. Hopefully we will make it public in a few weeks and I'd love to share the tool with you folks then!

view this post on Zulip Wasmtime GitHub notifications bot (Jan 15 2026 at 04:59):

alexcrichton closed issue #12354:

Test Case

(assert_trap
  (component
    (type $enum (enum "case0" "case1" "case2"))

    ;; Returns invalid discriminant 3 (valid range: 0-2)
    (component $producer
      (import "enum" (type $enum' (eq $enum)))
      (core module $core
        (func (export "get") (result i32) (i32.const 3)))
      (core instance $inst (instantiate $core))
      (func (export "get") (result $enum') (canon lift (core func $inst "get"))))

    ;; Calls producer through adapter - validation should trap here
    (component $consumer
      (import "enum" (type $enum' (eq $enum)))
      (import "get" (func $get (result $enum')))
      (core func $lowered (canon lower (func $get)))
      (core module $core
        (import "" "get" (func (result i32)))
        (func $start (call 0) drop)
        (start $start))
      (core instance (instantiate $core (with "" (instance (export "get" (func $lowered)))))))

    (instance $prod (instantiate $producer (with "enum" (type $enum))))
    (instance (instantiate $consumer (with "enum" (type $enum)) (with "get" (func $prod "get")))))
  "invalid variant discriminant")

Here the line (func (export "get") (result $enum') (canon lift (core func $inst "get"))) tries to lift the $inst."get" (which returns the invalid discriminant) into a component function returning the enum with 3 variants.

Steps to Reproduce

Save the wast test somewhere (e.g. tests/misc_testsuite/component-model/enum-discriminant-bug.wast) and run

cargo test -p wasmtime-cli --test wast -- enum-discriminant-bug

will give:

Caused by:
    0: failed directive on .../tests/misc_testsuite/component-model/enum-discriminant-bug.wast:2
    1: expected trap, got Component([])

Expected Results

3 is an invalid discriminant so it should be trapped and pass the assertion.

Actual Results

Not trapped and failed the assertion.

Versions and Environment

Wasmtime version or commit: 2e23e223c03543ee81344353e2d6418c0f3de47c

Extra Info

The discriminant check should have used I32GeU at line 3045:
https://github.com/bytecodealliance/wasmtime/blob/b856261dde3ea2624511fe4f48c3ed0790ddaa61/crates/environ/src/fact/trampoline.rs#L3043-L3048

I believe this doesn't enable any memory safety issues since other lifting locations have correct checks:
https://github.com/bytecodealliance/wasmtime/blob/b856261dde3ea2624511fe4f48c3ed0790ddaa61/crates/component-macro/src/component.rs#L653-L655
https://github.com/bytecodealliance/wasmtime/blob/b856261dde3ea2624511fe4f48c3ed0790ddaa61/crates/wasmtime/src/runtime/component/values.rs#L994-L996

Thanks for looking into this! And as before, happy to submit a PR to fix if it's indeed a bug and the test looks ok.

Last updated: Jan 29 2026 at 13:25 UTC