[crash] assertion failed or unimplemented panic when table type is not anyref #1601
Description
Description
Hey guys,
During fuzzing wasmtime with cranelift backend and almost all features enabled in the config, I trigger those bugs:
If you process the crashing wasm module using wasmtime = "0.15" crate, you will trigger a reachable assertion (CWE-617):
$ ./workspace/debug/target/debug/debug_wasmtime_all_cranelift assert_wasmtime_table_type_anyref.wasm
Start debugging of wasmtime_all_cranelift
file_to_process: "assert_wasmtime_table_type_anyref.wasm"
thread 'main' panicked at 'assertion failed: tt.element_type == wasmparser::Type::AnyFunc ||
tt.element_type == wasmparser::Type::AnyRef', /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-0.15.0/src/module.rs:56:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtraceIf you process the wasm module using wasmtime cli, you will trigger an unimplemented panic:
$ wasmtime --enable-all assert_wasmtime_table_type_anyref.wasm
thread 'main' panicked at 'not implemented: tables of types other than anyfunc (f32)', crates/runtime/src/table.rs:25:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtraceSteps to reproduce the issue
Download the crashing file: assert_wasmtime_table_type_anyref.zip
Testing piece of code:
use wasmtime::{Config, Engine, Module, Store, Strategy};
// read data from provided file
let data = read_contents_from_path(&args[1]).expect("cannot read file content");
let mut config = Config::new();
match config.strategy(Strategy::Cranelift) {
Ok(o) => o,
_ => return,
};
config
.debug_info(true)
.wasm_threads(true)
.wasm_reference_types(true)
.wasm_simd(true)
.wasm_bulk_memory(true)
.wasm_multi_value(true);
let store = Store::new(&Engine::new(&config));
let _module = Module::from_binary(&store, &data);
}Which Wasmtime version / commit hash / branch are you using?
crate version: wasmtime = "0.15.0"
Wasmtime cli version: wasmtime 0.15.0