Description
We encountered a SIGABRT (Assertion Failure) in wasm-opt. The crash triggers when parsing a malformed WebAssembly binary containing a br_on instruction.
The assertion isRef() fails within wasm::Type::getHeapType(), which is called by wasm::BrOn::finalize. This suggests the parser is attempting to create a BrOn node where the operand is not a reference type (e.g., an integer or float), but the internal logic expects a reference type to determine the heap type.
Environment
- OS: Linux x86_64
- Compiler: Clang
- Tools: gdb
Vulnerability Details
- Target: wasm-opt
- Crash Type: Assertion Failure (SIGABRT)
- Location: src/binaryen/src/wasm-type.h:397
- Function: wasm::Type::getHeapType() called from wasm::BrOn::finalize
- Assertion: Assertion isRef() failed
- Root Cause Analysis: The stack trace shows: readInst -> makeBrOn -> BrOn::finalize -> getHeapType. The BrOn instruction requires a reference type operand. The finalize method attempts to inspect the heap type of the operand via getHeapType(). However, the operand provided by the malformed binary appears to be a non-reference type, causing isRef() to return false and the assertion to fire.
Reproduce
```
gdb --args ./wasm-opt ./repro -o /dev/null
r
bt
```
Download Link: repro
Stack Trace (GDB)
```
wasm-opt: /src/binaryen/src/wasm-type.h:397: HeapType wasm::Type::getHeapType() const: Assertion `isRef()' failed.
Program received signal SIGABRT, Aborted.
0x00007f194b6a3b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007f194b6a3b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f194b64a27e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f194b62d8ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f194b62d81b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f194b640517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x00007f194e840754 in wasm::BrOn::finalize (this=0x52d000000518) at /src/binaryen/src/wasm-type.h:397
#6 0x00007f194ea1a9eb in wasm::Builder::makeBrOn (this=<optimized out>, op=wasm::BrOnNull, name=..., ref=0x52d0000004f8, castType=..., desc=0x0)
at /src/binaryen/src/wasm-builder.h:957
#7 wasm::IRBuilder::makeBrOn (this=<optimized out>, label=<optimized out>, op=wasm::BrOnNull, in=..., out=..., likely=...) at /src/binaryen/src/wasm/wasm-ir-builder.cpp:2053
#8 0x00007f194e941b57 in wasm::WasmBinaryReader::readInst (this=0x7f1949b0c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:3266
#9 0x00007f194e90baf7 in wasm::WasmBinaryReader::readFunctions (this=0x7f1949b0c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:3128
#10 0x00007f194e8f6c30 in wasm::WasmBinaryReader::read (this=0x7f1949b0c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:2077
#11 0x00007f194e9ad63d in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename="") at /src/binaryen/src/wasm/wasm-io.cpp:67
#12 0x00007f194e9addc8 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=..., wasm=..., sourceMapFilename=...) at /src/binaryen/src/wasm/wasm-io.cpp:78
#13 0x00007f194e9af68e in wasm::ModuleReader::read (this=<optimized out>, filename=..., wasm=..., sourceMapFilename=...) at /src/binaryen/src/wasm/wasm-io.cpp:101
#14 0x000055ea7930568d in main (argc=<optimized out>, argv=<optimized out>) at /src/binaryen/src/tools/wasm-opt.cpp:319
```
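The failure mode in the root cause analysis above, as an added C++ illustration that is not part of the original report and is not Binaryen's code: a type accessor with an asserted precondition is reached with a type taken from untrusted input, next to a decode step that validates the operand first. `Type`, `BrOnNull`, `DecodeResult` and `decodeBrOnNull` are simplified, hypothetical stand-ins.

```cpp
// Added illustration: a simplified model, not Binaryen's real classes.
#include <cassert>
#include <string>

enum class HeapType { Func, Extern, Any };

// Model of a value type: a numeric type or a reference to a heap type.
struct Type {
  enum Kind { I32, F64, Ref };
  Kind kind;
  HeapType heap;
  bool nullable;
  bool isRef() const { return kind == Ref; }
  // Accessor with a precondition, as in the trace: on a non-reference type
  // the assert fires and the process aborts (SIGABRT).
  HeapType getHeapType() const {
    assert(isRef());
    return heap;
  }
};

struct BrOnNull {
  Type operand;
  Type fallthrough; // type left on the stack when the branch is not taken
  // Unchecked: trusts that the operand is a reference.
  void finalize() {
    fallthrough = Type{Type::Ref, operand.getHeapType(), false};
  }
};

struct DecodeResult { bool ok; std::string error; Type fallthrough; };

// Hypothetical hardened decode step: validate the operand type taken from
// the untrusted binary before the node is built and finalized.
DecodeResult decodeBrOnNull(Type operand) {
  if (!operand.isRef()) {
    return {false, "br_on_null operand must be a reference type", operand};
  }
  BrOnNull node{operand, operand};
  node.finalize(); // precondition is now guaranteed
  return {true, "", node.fallthrough};
}

int main() {
  // Constructed input: an i32 operand, as a malformed binary could supply.
  return decodeBrOnNull(Type{Type::I32, HeapType::Any, false}).ok ? 1 : 0;
}
```

The process exits with status 0 when the constructed i32 operand is rejected with an error instead of reaching the assertion.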