Skip to content

Commit 305258a

Browse files
kateinoigakukunkateinoigakukun
authored
Translator: Fix stack depth check in checkBeforePop (#158)
Found by https://github.com/swiftwasm/WasmKit/actions/runs/11530492160
1 parent 58708ef commit 305258a

File tree

2 files changed

+5
-5
lines changed

2 files changed

+5
-5
lines changed

FuzzTesting/FailCases/FuzzTranslator/crash-2e61aac9dea72d2efe93489c1276ec1b69fb2992

70 Bytes
Binary file not shown.

Sources/WasmKit/Translator.swift

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -900,8 +900,8 @@ struct InstructionTranslator<Context: TranslatorContext>: InstructionVisitor {
900900
///
901901
/// - Parameter typeHint: A type expected to be popped. Only used for diagnostic purpose.
902902
/// - Returns: `true` if check succeed. `false` if the pop operation is going to be performed in unreachable code path.
903-
private func checkBeforePop(typeHint: ValueType?, controlFrame: ControlStack.ControlFrame) throws -> Bool {
904-
if _slowPath(valueStack.height <= controlFrame.stackHeight) {
903+
private func checkBeforePop(typeHint: ValueType?, depth: Int = 0, controlFrame: ControlStack.ControlFrame) throws -> Bool {
904+
if _slowPath(valueStack.height - depth <= controlFrame.stackHeight) {
905905
if controlFrame.reachable {
906906
let message: String
907907
if let typeHint {
@@ -916,9 +916,9 @@ struct InstructionTranslator<Context: TranslatorContext>: InstructionVisitor {
916916
}
917917
return true
918918
}
919-
private func checkBeforePop(typeHint: ValueType?) throws -> Bool {
919+
private func checkBeforePop(typeHint: ValueType?, depth: Int = 0) throws -> Bool {
920920
let controlFrame = try controlStack.currentFrame()
921-
return try self.checkBeforePop(typeHint: typeHint, controlFrame: controlFrame)
921+
return try self.checkBeforePop(typeHint: typeHint, depth: depth, controlFrame: controlFrame)
922922
}
923923
private mutating func ensureOnVReg(_ source: ValueSource) -> VReg {
924924
// TODO: Copy to stack if source is on preg
@@ -994,7 +994,7 @@ struct InstructionTranslator<Context: TranslatorContext>: InstructionVisitor {
994994

995995
private func checkStackTop(_ valueTypes: [ValueType]) throws {
996996
for (stackDepth, type) in valueTypes.reversed().enumerated() {
997-
guard try checkBeforePop(typeHint: type) else { return }
997+
guard try checkBeforePop(typeHint: type, depth: stackDepth) else { return }
998998
let actual = valueStack.peekType(depth: stackDepth)
999999
switch actual {
10001000
case .some(let actualType):

0 commit comments

Comments
 (0)